The standard data breach response packages are not enough

A health plan fraud prevention veteran thinks your clients need more than two years of credit monitoring.


Benefits professionals are likely getting a lot of questions about identity theft after the Change Healthcare breach, which is estimated to have exposed the health identities of one-third to 45 percent of Americans.

Consultants and brokers need to give their clients a straight answer about the breach and what is offered as protection.

The response of United Healthcare and other health care institutions that have been hacked protects consumer identities from various frauds, but not theft of their health benefits.

The health insurance information of the average American sits on between 13 and 20 independent computer systems at any one time. And health care entities are the number one target for hackers.

One reason for the hacking, and evidence of the cost of not protecting health data, is that a stolen credit card number sells for $25 on the dark web, while a health insurance number sells for $1,000 or more. The fundamental reason is that a health insurance identity can be used to steal more with a much lower chance of being caught.

This is due to vulnerabilities in the processing of health insurance claims.

No claim system can tell whether a stolen identity is used to file a claim, or if the claim resulted from a legitimate encounter.

The stolen identity can be that of a patient, an insured or a physician. Health-related uses of a stolen identity could include regular outpatient visits, authorizing prescriptions, imaging procedures, and durable medical equipment purchases.

Locking the health care barn door

Cybersecurity efforts have focused on protecting systems in hospitals, where breaches and ransomware have threatened lives.

Significant stores of patient data are lost as well.

But health insurance records are already on multiple systems. The information is transmitted, printed and otherwise available, and I estimate there are 5 million people in the United States who have authorized access to health insurance data.

There are 3 million entities alone that are authorized to send claims to Medicare.

We also want to share health information to improve care, as opposed to keeping it locked up.

When a breach occurs, companies typically offer credit monitoring to prevent misuse of Social Security numbers, which are the identifiers used by the credit reporting agencies. They do not offer any protection against the misuse of health insurance identities, which enables medical identity theft and fraud.

What are consumers getting after a breach?

To understand what consumers are getting after a breach, here are the fundamental facts of credit monitoring and identity protection services:

When an individual signs up for one of these services, the monitoring company watches for the customer’s Social Security number, or SSN, to appear on a credit request to one of the large credit reporting agencies.

When the customer’s SSN is used for a credit check, the monitoring company sends a message to the customer stating that the customer’s SSN was used to apply for credit. The company asks the customer to respond and say whether the request was legitimate.

That is a valuable service when your SSN is compromised.

But looking at the top 10 most recommended identity protection products, none can prevent a health insurance identity from being misused.

The CISO, the benefit manager, the board and health insurance breaches

The health insurance data for an entire company can be compromised in a breach of an insurer, or much of the data may be lost if a local hospital is hacked.

The scope of the chief information security officer, or CISO, who is charged with protecting company data, is generally limited to controlling access to data on the company’s own databases. Health insurance data breaches, however, pose as great a risk to the company, its health plan, and employees’ financial health and well-being. Those data are held outside the company.

The data lost in hacks of insurers, billing companies, hospitals or clinics includes employers’ health insurance data. But no entity that loses health benefit identifiers has offered any protection against theft or fraud to the employer, its health plan, or its employees. This risk from third parties outside the walls of the company is rarely addressed. Advisors must lay out the risks of breaches outside the internal systems to their benefits clients.

Under this response, a health plan sponsor can only tell its board that employees must be vigilant when reviewing health care bills. This is the same thing that Attorneys General across the United States told their states’ residents after United Healthcare announced its response to the Change breach.

In my opinion, the response of the entities that have been breached may not fully address health insurance fraud.

According to IBM and the Ponemon Institute, a solitary case of health insurance identity theft costs $13,000 to remediate.

Two terms are missing from the health claims process, and their absence explains how fraud happens.

First, multifactor authentication, such as combining a user ID with a password (and, possibly, a token), can increase security.

In the health insurance claims process, the opposite is in place, which we might call “zero factor” authentication. No claim system can tell whether the insured and the treating physician were in the same place at the same time; it checks only the status of the member and physician and aspects of the treatment. If those are in order, the claim will be paid.

This omission enables the use of stolen or misused identities in the submission of false claims. Verifying the time and location of the insured and treating physician would reduce fraud and identity theft, even when identities are compromised.

Second, clients’ CISOs are also hearing the term “zero trust.” This means ‘check everything every time somebody accesses a system.’ Federal agencies are required to implement zero trust in their systems by September 2024. Again, healthcare claims have the opposite profile: the claim system is built completely on trust. If there is an anomaly, it is analyzed via sampling. That is far from the needed zero trust.
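As an added illustration (not the author's or Castlestone's code), here is a constructed Python sketch of the two adjudication models described above: the “zero factor” check a claim system performs today, and the same check with the missing time-and-location factor, where a claim filed with a stolen member identity passes the first and fails the second. All identifiers, eligibility sets and check-in records are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Claim:
    member_id: str
    provider_id: str
    procedure: str
    service_time: datetime
    location: str

# A check-in record (constructed; e.g. from a phone app or ID card scan).
@dataclass(frozen=True)
class Presence:
    subject_id: str
    seen_at: datetime
    location: str

# Constructed eligibility data: what a claim system actually verifies today.
ACTIVE_MEMBERS = {"M-1001"}
ENROLLED_PROVIDERS = {"P-2001"}
COVERED_PROCEDURES = {"office_visit", "mri"}

def adjudicate_trust_only(claim):
    """'Zero factor' adjudication: member status, provider status, procedure."""
    return (claim.member_id in ACTIVE_MEMBERS
            and claim.provider_id in ENROLLED_PROVIDERS
            and claim.procedure in COVERED_PROCEDURES)

def adjudicate_with_presence(claim, presence_log, window=timedelta(hours=2)):
    """Same checks, plus proof that both parties were at the service location
    within `window` of the claimed service time (the missing factor)."""
    if not adjudicate_trust_only(claim):
        return False
    def was_present(subject_id):
        return any(p.subject_id == subject_id and p.location == claim.location
                   and abs(p.seen_at - claim.service_time) <= window
                   for p in presence_log)
    return was_present(claim.member_id) and was_present(claim.provider_id)

# Constructed sample: one real visit, then the same (stolen) member identity
# billed from another clinic where the member never checked in.
T = datetime(2024, 6, 3, 10, 0)
LEGIT_CLAIM = Claim("M-1001", "P-2001", "office_visit", T, "clinic-A")
STOLEN_ID_CLAIM = Claim("M-1001", "P-2001", "mri", T + timedelta(days=1), "clinic-B")
PRESENCE_LOG = [
    Presence("M-1001", T - timedelta(minutes=10), "clinic-A"),
    Presence("P-2001", T - timedelta(minutes=30), "clinic-A"),
    Presence("P-2001", T + timedelta(days=1), "clinic-B"),  # provider alone
]
```

The trust-only adjudicator pays both claims; the presence-aware one pays only the visit where member and provider both checked in at the same place and time.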

Advisors should be aware that multifactor authentication and zero-trust tools and services are available for their customers and clients to protect benefits. And the employer can protect itself.

Can we do better?

Yes. Companies that pay for health care coverage can protect their health plans and their employees from the financial and administrative pain of identity theft.

In fact, they must.

Under the Consolidated Appropriations Act, employers are responsible for protecting health plan assets to the same level as protecting retirement plans. This includes overseeing intermediaries and making sure that plan spending is legitimate.

Tools are available to give employers this power. Employers can take the reins of transparency and accountability.

Advisors can steer them to services that verify the time and location of medical services, to ensure that employers pay only for real encounters, not false claims.

These services can be delivered via mobile phones or identification cards.

The solution also protects physician identities and employer client insurance funds, to avoid having the physician identities and employer plans be used to “authorize” purchases of prescriptions, power wheelchairs, physical therapy, and catheters.

Jeff Leston is the president of Castlestone LLC, a health plan fraud prevention firm.