May 19th, 2008 by David E. Williams of the Health business blog
Thieves will pay 10x as much for stolen personal health information as for a stolen credit card. I think I know why.
According to The New Hacker Economics, in the New York Times:
Company e-mail, business documents and personal health information are the new targets of choice for illegal hackers, according to Finjan, a San Jose-based maker of Web security software and appliances…
“Money is the motivation for criminal hackers, and it is this kind of information that has become most valuable,” [Finjan CEO, Yuval Ben-Itzhak] said.
A couple of years ago, credit card numbers and bank account PINs sold for $100 or more on sites selling stolen information, Mr. Ben-Itzhak said. Now, the price is down to $10 or $20, compared to $150 to $200 for some of the newer documents.
The article didn’t explain why personal health information is so valuable, so I did a quick web search to get some ideas. The Coalition Against Insurance Fraud has a list of scams, which include:
- Illegal and bogus treatment by corrupt providers or fake clinics
- Purchase of drugs for use by addicts or resale
- Obtaining free treatment by impersonating a health plan member
The site suggests various ways to counteract the theft of personal health information including:
- Examining explanation of benefits forms (EOBs)
- Monitoring benefits by asking for a list of claims paid
- Checking medical records and correcting inaccuracies
The high market value of personal health information relative to credit cards and bank PINs is quite telling. All else being equal, access to a credit card or bank account should be much more valuable because it allows a crook to get cold hard cash, which can be used for anything.
The clues to the value of personal health information can be found in the remedies available to consumers. If my credit card or ATM card is stolen, I can call my bank 24 hours a day and have it stopped instantly. Worst case, I’ll see the problem clearly on my next monthly statement.
Contrast that with the suggestion to look at your EOBs! The forms are completely incomprehensible in addition to being delayed and often inaccurate. I usually toss mine right in the trash.
I’m sure my insurer would provide me with a list of claims paid, but it’s not something a person would routinely request.
The site freely admits that correcting medical records is tough:
But be warned. Correcting records can be hard. In general, federal law lets patients correct medical records created only by the medical provider or insurer that now maintains your information. A hospital or insurer that later receives your information doesn’t have to correct its records, even when they’re wrong.
So crooks are apparently taking advantage of the fact that stolen health information is likely to be useful for much longer than stolen financial information. Until that changes – and don’t hold your breath – health information is likely to continue to grow in popularity among thieves.
Looking on the bright side, maybe health plans will figure out a way to make EOBs more readable, useful, and timely. That would be a relief for members and also improve fraud detection.