25% off all training courses Offer ends May 8, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends May 8, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Cybercrime Report: Children’s Healthcare Data Prized by Thieves

Posted By on May 4, 2015

Cybercriminals are targeting healthcare providers and insurers in an attempt to obtain the Protected Healthcare Information (PHI) and Social Security numbers they hold, but above all else, it is the Social Security number of children they are after.

According to a study conducted by the University of Texas Center for Identity, children are 35 times more likely to suffer identity fraud after a data breach than adults. A 2011 study conducted by Carnegie Mellon University’s Cylab suggests the risk is much higher, and children are 51 times more likely to suffer from fraud. The UT survey researchers have estimated that one in ten U.S. children have had their identities stolen to some degree.

Who do Criminals Use Healthcare Information and Social Security Numbers?

Social Security numbers – along with personal identifiers –can be used by criminals to commit fraud in a variety of ways and the value of these numbers has led criminals to come up with highly sophisticated and diverse ways of breaking through organizations’ defenses.

Thieves use healthcare data and Social Security numbers to make bogus insurance claims as well as obtain prescriptions and medical services, and a full suite of personal information can allow thieves to create new identities and obtain goods, services, bank loans, and credit cards. Children’s data is more valuable to thieves as the Social Security numbers are clean and are generally not in use,

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

According to Katie Stephens, the Texas Identity Center’s Education Program Manager, – as reported by WLNS News – the data can be used to create a new “synthetic” identity by using the unused Social Security number with a different date of birth and name and the new identity may be able to be used for years before credit is blocked. During that time, bank loans and credit cards can be obtained and the debts mount up.

The UTC study – conducted in conjunction with Austin-based AllClearID – cited an example of a 19-year-old girl who had her identity stolen when she was nine years old. It was only when she turned 19 that the crime was eventually discovered, with the ID having been used by criminals for a decade. When she did apply for her first credit card, she discovered that the thief had managed to rack up debts of $1.5 million.

One problem, according to Stephens, is that parents do not think to keep a check on their children’s credit files. When children are ready to leave the home and apply for a credit card or loan, the identity theft is discovered. She says, “So they’re [children are] ready to go to college, start a new chapter in their life, and discover they actually owned a 35-foot yacht for the last 10 years.”

Healthcare Providers Need to Respond to Breaches Promptly

The volume of data breaches being reported is growing on an almost daily basis, with the healthcare industry particularly under threat. The probability of a data breach occurring is increasing, and it is no longer a case of if a breach will occur, but when.

When the breach does occur, it is vital that action is taken promptly due to the risk of the data being used by thieves. Patients and health plan members must be notified promptly about any breach of data. HIPAA breach notification rules require covered entities to issue notifications to victims of breaches within 60 days of the discovery of a breach. Many organizations delay sending notification letters and announcing the breach until the deadline approaches, or in some cases some time after.

Patients expect to be notified promptly after a data breach so that they can take action to protect their identities. When this does not happen it can lead to a loss of confidence in healthcare providers and patients are now prepared to make a change.

The Office for Civil Rights is also taking a keen interest in the response to data breaches, and the breach response is expected to be examined in the second phase of HIPAA compliance audits scheduled to take place later this year. Breach notification violations can now earn healthcare providers a substantial financial penalty, with fines up to $1.5 million in cases of willful neglect of HIPAA regulations.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist