HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Cybercrime Report: Children’s Healthcare Data Prized by Thieves

Cybercriminals are targeting healthcare providers and insurers in an attempt to obtain the Protected Healthcare Information (PHI) and Social Security numbers they hold, but above all else it is the Social Security number of children they are after.

According to a study conducted by the University of Texas Center for Identity, children are 35 times more likely to suffer identity fraud after a data breach than adults. A 2011 study conducted by Carnegie Mellon University’s Cylab suggests the risk is much higher, and children are 51 times more likely to suffer from fraud. The UT survey researchers have estimated that one in ten U.S children have had their identities stolen to some degree.

Who do Criminals Use Healthcare Information and Social Security Numbers?

Social Security numbers – along with personal identifiers –can be used by criminals to commit fraud in a variety of ways and the value of these numbers has led criminals to come up with highly sophisticated and diverse ways of breaking through organizations’ defenses.

Thieves use healthcare data and Social Security numbers to make bogus insurance claims as well as obtain prescriptions and medical services, and a full suite of personal information can allow thieves to create new identities and obtain goods, services, bank loans and credit cards. Children’s data is more valuable to thieves as the Social Security numbers are clean and are generally not in use,

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

According to Katie Stephens, the Texas identity Center’s Education Program Manager, – as reported by WLNS News – the data can be used to create a new “synthetic” identity by using the unused Social Security number with a different date of birth and name and the new identity many be able to be used for years before credit is blocked. During that time, bank loans and credit cards can be obtained and the debts mount up.

The UTC study – conducted in conjunction with Austin-based AllClearID – cited an example of a 19-year old girl who had her identity stolen when she was nine years old. It was only when she turned 19 that the crime was eventually discovered, with the ID having been used by criminals for a decade. When she did apply for her first credit card, she discovered that the thief had managed to rack up debts of $1.5 million.

One problem, according to Stephens, is that parents do not think to keep a check on their children’s credit files. When children are ready to leave the home and apply for a credit card or loan, the identity theft is discovered. She says, “So they’re [children are] ready to go to college, start a new chapter in their life and discover they actually owned a 35-foot yacht for the last 10 years.”

Healthcare Providers Need to Respond to Breaches Promptly

The volume of data breaches being reported is growing on an almost daily basis, with the healthcare industry particularly under threat. The probability of a data breach occurring is increasing, and it is no longer a case of if a breach will occur, but when.

When the breach does occur, it is vital that action is taken promptly due to the risk of the data being used by thieves. Patients and health plan members must be notified promptly about any breach of data. HIPAA breach notification rules require covered entities to issue notifications to victims of breaches within 60 days of the discovery of a breach. Many organizations delay sending notification letters and announcing the breach until the deadline approaches, or in some cases some time after.

Patients expect to be notified promptly after a data breach so that they can take action to protect their identities. When this does not happen it can lead to a loss of confidence in healthcare providers and patients are now prepared to make a change.

The Office for Civil Rights is also taking a keen interest in the response to data breaches, and the breach response is expected to be examined in the second phase of HIPPA compliance audits scheduled to take place later this year. Breach notification violations can now earn healthcare providers a substantial financial penalty, with fines up to $1.5 million in cases of willful neglect of HIPAA regulations.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.