Last February, health insurance giant Anthem Inc. revealed stunning news: Hackers invaded the company’s massive computer system and gained access to sensitive personal and medical information of 78.8 million people enrolled in Anthem and a series of related health care insurance brands.
According to Bloomberg News, China may have been responsible for the massive data breach and identity theft that posed huge risks to consumers’ personal finances, credit ratings and medical treatment. There was no limit to the mischief and thievery the hackers could wreak with access to tens of millions of names, birth dates, medical identification numbers, Social Security numbers, street addresses, email addresses and employment information.
The data breach at Anthem was one of five cyber-attacks against major health insurance companies in the past year. The other targets were Premera Blue Cross, CareFirst BlueCross BlueShield, Excellus BlueCross BlueShield and UCLA HealthSystem.
Taken together, the five massive hacks likely hurt as many as 105 million individuals, according to the Department of Health and Human Services’ Office of Civil Rights. When other health care industry hacks and thefts were tossed in, the total rose to 154 million individuals whose identity was put at risk.
Now alarmed members of Congress -- still reeling from reports of massive hacks of Office of Personnel Management (OPM) and other federal government agencies that threatened government security -- are pressing for answers to why the health insurance industry is so vulnerable to cyberattacks. They are also are seeking better coordination between federal, state and local authorities in combatting future hacks.
Four senators – Republicans Lamar Alexander of Tennessee and Orrin Hatch of Utah and Democrats Patty Murray of Washington State and Ron Wyden or Oregon – voiced their concerns in a letter last week to Andy Slavitt, acting administrator for the Centers for Medicare and Medicaid Services and Jocelyn Samuels, director of the HHS Office for Civil Rights. The letter previously was reported by NextGov.
“We are concerned that data theft will continue to rise and will result in an increase in medical identity theft,” the senators said in their letter.
By some estimates, roughly 15 million Americans have their identities used fraudulently annually with financial losses totaling close to $50 billion. Tens of millions of others have their personal identifying information put at risk each year when records maintained by government and corporate databases are lost or stolen.
In the case of health care records like the ones stolen from Anthem and other major U.S. health insurers, the financial consequences can be devastating, according to the lawmakers. For example:
- Victims can end up paying large out-of-pocket costs for medical bills incurred by thieves using their names.
- Victims can see their credit ratings destroyed and lose their health insurance.
- Thieves can file claims in the victims’ names for expensive service and medical equipment, leaving the victims unable in the future to access those services and equipment when needed.
- Hackers who gain access to medical records can alter them in ways that could endanger the lives of the victims when they are next treated in a hospital or doctor’s office. “Faulty records that contain a false diagnosis, or inaccurate blood type, can result in dangerous health repercussions, including receipt of improper medical treatment,” the senators said in their letter. And while patients have the right to review their records and request corrections under federal privacy rules, “there is widespread confusion” about how those rules apply in cases where hackers add faulty information to a victim’s medical reports.
Beyond all that, identity theft can adversely affect the Medicare Trust Funds and defraud taxpayers. According to a recent Government Accountability Office (GAO) study, about 10 percent of total yearly Medicare and Medicaid spending -- or $98 billion – was fraudulent.
For example, an organized crime ring operated at least 118 phony clinics in 25 states and submitted over $100 million in Medicare claims using stolen data. In another case, a multi-national organization created a “ghost” medical clinic, which milked Medicare for over $1 million in services.