Your secret’s safe with us

USA Today reports that thieves are using increasingly sophisticated methods to access electronic medical records and steal patient information. Only two states require people to be notified when their personal health information has been fraudulently accessed, according to the story.

Identity thieves prey on patients' medical records

... Hospitals and other medical settings often encrypt data and take other steps to protect privacy, but "people are acting with increasing sophistication to steal information," says Stuart Gerson, a Washington, D.C.-based attorney who represents health care firms... Pam Dixon, executive director of the World Privacy Forum, an advocacy group, says "sophisticated crime rings" often can make more money by stealing medical identities than by going after individuals' bank accounts or credit cards. "If you steal someone's medical identity, then multiply that by 100 or 1,000" other thefts "and do fake billings, you can make hundreds of thousands, if not millions, of dollars," Dixon says.

In Florida last year, a front-desk coordinator at the Cleveland Clinic was convicted of identity theft, computer fraud and other charges after downloading patient information and selling it to a cousin, who submitted more than $2.5 million in phony bills to Medicare. In April, a former New York-Presbyterian Hospital employee was arrested for participating in an identity theft scheme in which he allegedly accessed nearly 50,000 patient records over two years.

False information from fake billings can end up in patients' medical files — and creditors might seek payment from the patients. Until the creditors call, patients might not know their medical information has been accessed.

In a recent survey of 263 health care providers, 13% said their facility had experienced a data breach. Of those, 56% said they notified the patients involved, according to the survey by HIMSS Analytics, a non-profit data analysis firm, and Kroll Fraud Solutions...