In a very interesting article titled “Why Gang Members Want Your Identity,” Fox Business News reporter Kate Rogers examines a disturbing trend of stealing electronic patient records and using them to commit crimes.
Gang members are stealing patient records and using them to file false tax returns.
Detective Craig Catlin of the North Miami Beach Police Department Gang Unit goes so far as to call it an “epidemic” among the city’s street gangs. “Every gang member is doing this,” Catlin says. “It’s a business to them—they’re doing burglaries and then having other members commit the fraud.”
The practice is very lucrative.
“Why sling dope on the corner of an apartment building, when you can rent a room at a hotel nearby and have a tax return party? You can make up to $40,000 or $50,000 in one night,” he says.
Another disturbing aspect of this crime is that gang members are getting their girlfriends to get jobs at healthcare organizations with the sole purpose of stealing electronic patient information.
“If you get a job as an administrator or data person, you have access to all of this information. And with medical it’s a double hit—it’s not only about the money, but also the health insurance. That is a valuable commodity in the marketplace—it’s big dollars.”
Levin says the girlfriends show up to work, steal a sizable amount of data and then never return. The larger the medical practice, the longer it will take for the company to realize.
“It’s not so much people hacking into files anymore–it’s an inside job,” he says. “Also, a lot of these medical facilities have their technology shipped offshore or stored with a third-party vendor. This means you have easier access to medical files in an emergency, but the downside is that more people have access to your files, and they may not have your best intentions at heart.”
Catlin adds that he has seen cases of this sort ranging from $30,000 to $30 million, depending on the depth of the fraud. Florida in particular had been a hotbed for this type of crime, but in recent years the District Attorney’s office has moved more quickly to prosecute tax fraud and more cases have reached the federal level.
What can healthcare organizations do?
I spoke with Kate Rogers before her on-air interview with Fox Business News (see clip below). We discussed what individuals and healthcare organizations can do to prevent this type of crime. I told her that, except for some of the advice that she provided in her article, there is not a lot that patients can do to protect themselves. If they want treatment, they need to provide personal information such as name, address, insurance information, etc. The real burden is on the healthcare organizations to ensure that this information is properly protected.
Here are 6 steps that organizations can take to protect electronic patient information:
- Screen job applicants – all job applicants should be properly screened prior to hiring and providing access to patient information. Look for criminal records, frequent job switches or anything else that might be a warning sign.
- Limit access to patient information – employees should only have the minimum access needed to perform their job. A lot of healthcare organizations give everyone full access to electronic health records. Limiting what an employee can get to limits their ability to access and use the information for criminal activity.
- Audit access to patient information – every employee should use their own user ID and password, and all access to patient information should be recorded, including who accessed it, when they accessed it and what records they accessed.
- Review audit logs – auditing of access is needed, but organizations have to ensure they are actually looking at the audit logs. Criminal activity can be happening right under your nose, and reviewing the audit logs may uncover strange or unexpected activity. For example, is one employee accessing significantly more patient records than other employees? If employees average accessing 10 patient records per day and one employee is accessing 50, that might be a sign of criminal activity. If records are being accessed after business hours, that might be another sign of illegal activity. The key is to review the audit logs and look for unexpected access.
- Security training – all employees should receive security training on how to protect patient information. In that training, employees should be made aware that all access to patient information is being logged and reviewed. Knowing that their actions are being watched might prevent employees from trying to use patient information illegally.
- Limit the use of USB drives – in the past you would need a truck to steal 10,000 patient charts. Now you can easily copy them onto a small USB thumb drive and put it in your pocket. Organizations should look carefully at restricting the use of USB drives to prevent illegal activity.
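The two audit-log checks described above (one employee opening far more records than their peers, and access outside business hours) can be automated. The following is an added example, not code from the article. The CSV layout, the user names, the 08:00 to 17:59 business hours and the 3x threshold are all assumptions, and it uses the peer median rather than the average as the baseline so that a single heavy user does not raise it.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime
from statistics import median

BUSINESS_HOURS = range(8, 18)  # assumption: 08:00-17:59 local time, Mon-Fri
VOLUME_FACTOR = 3              # assumption: flag users above 3x the peer median

def build_sample_log():
    """Constructed audit log (no real data): timestamp,user_id,patient_id."""
    rows = ["timestamp,user_id,patient_id"]
    for user, count in [("alice", 10), ("bob", 9), ("carol", 11), ("dave", 50)]:
        for i in range(count):
            rows.append(f"2024-03-04T{9 + i % 8:02d}:{i:02d}:00,{user},P{i:04d}")
    rows.append("2024-03-04T23:15:00,carol,P9001")  # one after-hours access
    return "\n".join(rows)

def review(log_text):
    """Return (volume_alerts, after_hours_alerts) for a CSV audit log."""
    per_day = defaultdict(set)  # (date, user) -> distinct patient IDs opened
    after_hours = []
    for row in csv.DictReader(io.StringIO(log_text)):
        ts = datetime.fromisoformat(row["timestamp"])
        per_day[(ts.date(), row["user_id"])].add(row["patient_id"])
        if ts.hour not in BUSINESS_HOURS or ts.weekday() >= 5:
            after_hours.append((row["user_id"], row["timestamp"], row["patient_id"]))
    by_date = defaultdict(dict)
    for (day, user), patients in per_day.items():
        by_date[day][user] = len(patients)
    volume = []
    for day, counts in sorted(by_date.items()):
        baseline = median(counts.values())  # typical records per user that day
        for user, n in sorted(counts.items()):
            if n > VOLUME_FACTOR * baseline:
                volume.append((day.isoformat(), user, n, baseline))
    return volume, after_hours

if __name__ == "__main__":
    volume_alerts, after_hours_alerts = review(build_sample_log())
    for day, user, n, baseline in volume_alerts:
        print(f"{day}: {user} opened {n} records (peer median {baseline})")
    for user, ts, patient in after_hours_alerts:
        print(f"after hours: {user} opened {patient} at {ts}")
```

An alert here is a prompt for a human reviewer, since on-call or night-shift staff will legitimately trip the after-hours check.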
Below is Kate Rogers’ on-air interview for Fox Business News.