Doctor’s office may be most dangerous place for data

  • By Tom Murphy And Brandon Bailey Associated Press
  • Monday, February 9, 2015 1:48pm
  • Business

Everyone worries about stolen credit cards or hacked bank accounts, but just visiting the doctor may put you at greater risk for identity fraud.

Those medical forms you give the receptionist and send to your health insurer provide fertile ground for criminals looking to steal your identity, since health care businesses can lag far behind banks and credit card companies in protecting sensitive information. The names, birthdates and — most importantly — Social Security numbers detailed on those forms can help hackers open fake credit lines, file false tax returns and create fake medical records.

“It’s an entire profile of who you are,” said Cynthia Larose, chair of the privacy and security practice at the law firm Mintz Levin in Boston. “It essentially allows someone to become you.”

Social Security numbers were created to track the earnings history of workers in order to determine government benefits. Now, health care companies are, in some cases, required to collect the numbers by government agencies. They also use them because they are unique to every individual and more universal than other forms of identification like driver’s licenses, said Dr. Ross Koppel, a University of Pennsylvania professor who researches health care information technology.

But once someone creates a stolen identity with a Social Security number, it can be hard to fix the damage. A person can call a bank to shut down a stolen credit card, but it’s not as easy of a process when it comes to Social Security numbers.

“There is no such mechanism with Social Security numbers and our identity,” said Avivah Litan, a cybersecurity analyst at the research firm Gartner. “You can’t just call the bank and say, ‘Give me all the money they stole from my identity.’ There’s no one to call.”

So being that the data is so vital to protect, health care companies are taking every precaution to defend against hackers, right?

Not necessarily. The FBI warned health care companies a year ago that their industry was not doing enough to resist cyberattacks, especially compared with companies in the financial and retail sectors, according to Christopher Budd of security software company Trend Micro. The warning came in a government bulletin to U.S. companies that cited research by a nonprofit security institute, he said.

Last year, more than 10 million people in the U.S. were affected by health care data breaches — including hacking or accidents that exposed personal information, such as lost laptops — according to a government database that tracks incidents affecting at least 500 people. That was the worst year for health care hacking since 2011.

Litan estimates that the health care industry is generally about 10 years behind the financial services sector in terms of protecting consumer information. She figures that it may be twice as easy for hackers to get sensitive financial information out of a health care company compared with a bank. Banks, for instance, are more likely to encrypt personal data, which can garble the information if a hacker gets ahold of it. They also are much more likely to use advanced statistical models and behavior analytics programs that can spot when someone’s credit card use suddenly spikes, says Litan, who studies fraud-detection technology. That’s a sign of possible fraud that may be worth investigating.

“There’s a need for that everywhere now,” she said.

Health care companies do have security to protect sensitive patient information. Anthem, the nation’s second-largest health insurer, said last week that hackers broke into a database storing information on 80 million people, including Social Security numbers. The company had “multiple layers of security” in place before the attack, said David Damato, managing director at FireEye, the security company hired by Anthem to investigate the breach.

But the stolen data was not encrypted. An Anthem spokeswoman said encryption wouldn’t have helped, because the intruder used high-level security credentials to get into the company’s system.

Still, several experts say encryption does help.

Encryption programs can be tuned so that even authorized users can view only one person’s account, or a portion of an account record, at a time, said Martin Walter, senior director at cybersecurity firm RedSeal Networks. That makes it harder for an outsider to view or copy a whole stockpile of records.

Even if Anthem’s security had proved invulnerable, the health care system offers several other inviting targets with varying levels of security. Hospitals, labs, clinics and doctor’s offices all can be attacked. Cybersecurity experts say they expect even more health care hacking problems in the future as those layers of the health care system shift their paper files to electronic medical records, a push that has been boosted by federal funding in recent years.

“A lot of businesses that didn’t place a premium on security are now placing this incredibly valuable information online,” noted Al Pascual, director of fraud and security at the consulting firm Javelin Strategy &Research.

The experience of a big company like Anthem does not bode well for the broader health care industry, said Budd at Trend Micro.

“They have resources to throw at cyber security,” he said. “And if someone with nearly unlimited resources can be breached like this, then it raises serious questions as to what’s at risk.”

Beth Knutsen still worries about someone using her Social Security number more than a year after she was told that some old patient files of hers had been taken from a doctor’s office in Chicago. The 39-year-old New York resident visited that doctor nearly 20 years ago.

She’s seen no signs of fraud yet, and she still provides her Social Security number when a doctor’s office asks for it — but only because it seems to be required for insurance and billing.

“It’s so scary,” she said. “Who knows what can happen with that information?”

Talk to us

> Give us your news tips.

> Send us a letter to the editor.

> More Herald contact information.

More in Business

Black Press Media operates Sound Publishing, the largest community news organization in Washington State with dailies and community news outlets in Alaska.
Black Press Media concludes transition of ownership

Black Press Media, which operates Sound Publishing, completed its sale Monday (March 25), following the formerly announced corporate restructuring.

Maygen Hetherington, executive director of the Historic Downtown Snohomish Association, laughs during an interview in her office on Thursday, Feb. 15, 2024, in Snohomish, Washington. (Ryan Berry / The Herald)
Maygen Hetherington: tireless advocate for the city of Snohomish

Historic Downtown Snohomish Association receives the Opportunity Lives Here award from Economic Alliance.

FILE - Washington Secretary of State Steve Hobbs poses in front of photos of the 15 people who previously held the office on Nov. 22, 2021, after he was sworn in at the Capitol in Olympia, Wash. Hobbs faces several challengers as he runs for election to the office he was appointed to last fall. (AP Photo/Ted S. Warren, File)
Secretary of State Steve Hobbs: ‘I wanted to serve my country’

Hobbs, a former Lake Stevens senator, is the recipient of the Henry M. Jackson Award from Economic Alliance Snohomish County.

Mark Duffy poses for a photo in his office at the Mountain Pacific Bank headquarters on Wednesday, Feb. 14, 2024 in Everett, Washington. (Annie Barker / The Herald)
Mark Duffy: Building a hometown bank; giving kids an opportunity

Mountain Pacific Bank’s founder is the recipient of the Fluke Award from Economic Alliance Snohomish County.

Barb Tolbert poses for a photo at Silver Scoop Ice Cream on Thursday, Feb. 29, 2024 in Arlington, Washington. (Annie Barker / The Herald)
Barb Tolbert: Former mayor piloted Arlington out of economic brink

Tolbert won the Elson S. Floyd Award, honoring a leader who has “created lasting opportunities” for the underserved.

Photo provided by 
Economic Alliance
Economic Alliance presented one of the Washington Rising Stem Awards to Katie Larios, a senior at Mountlake Terrace High School.
Mountlake Terrace High School senior wins state STEM award

Katie Larios was honored at an Economic Alliance gathering: “A champion for other young women of color in STEM.”

The Westwood Rainier is one of the seven ships in the Westwood line. The ships serve ports in the Pacific Northwest and Northeast Asia. (Photo provided by Swire Shipping)
Westwood Shipping Lines, an Everett mainstay, has new name

The four green-hulled Westwood vessels will keep their names, but the ships will display the Swire Shipping flag.

A Keyport ship docked at Lake Union in Seattle in June 2018. The ship spends most of the year in Alaska harvesting Golden King crab in the Bering Sea. During the summer it ties up for maintenance and repairs at Lake Union. (Keyport LLC)
In crabbers’ turbulent moment, Edmonds seafood processor ‘saved our season’

When a processing plant in Alaska closed, Edmonds-based business Keyport stepped up to solve a “no-win situation.”

Angela Harris, Executive Director of the Port of Edmonds, stands at the port’s marina on Wednesday, Jan. 24, 2024, in Edmonds, Washington. (Ryan Berry / The Herald)
Leadership, love for the Port of Edmonds got exec the job

Shoring up an aging seawall is the first order of business for Angela Harris, the first woman to lead the Edmonds port.

The Cascade Warbirds fly over Naval Station Everett. (Sue Misao / The Herald file)
Bothell High School senior awarded $2,500 to keep on flying

Cascade Warbirds scholarship helps students 16-21 continue flight training and earn a private pilot’s certificate.

Rachel Gardner, the owner of Musicology Co., a new music boutique record store on Thursday, Jan. 18, 2024 in Edmonds, Washington. Musicology Co. will open in February, selling used and new vinyl, CDs and other music-related merchandise. (Olivia Vanni / The Herald)
New Edmonds record shop intends to be a ‘destination for every musician’

Rachel Gardner opened Musicology Co. this month, filling a record store gap in Edmonds.

MyMyToyStore.com owner Tom Harrison at his brick and mortar storefront on Tuesday, Sept. 6, 2022 in Everett, Washington. (Olivia Vanni / The Herald)
Burst pipe permanently closes downtown Everett toy store

After a pipe flooded the store, MyMyToystore in downtown Everett closed. Owner Tom Harrison is already on to his next venture.

Support local journalism

If you value local news, make a gift now to support the trusted journalism you get in The Daily Herald. Donations processed in this system are not tax deductible.