The Washington Post recently published an article reminding individuals not to tweet or otherwise share information concerning their medical conditions on social media, warning that disclosing such information publicly “is akin to posting your address along with the dates you’ll be away on vacation.” Quoting Jennifer Trussell, who investigates medical identity theft on behalf of HHS, the article cautions that, “If you tweet about your diabetes diagnosis . . . the next thing you know, you’re getting diabetes test strips you didn’t order or receive billed to your insurance company.” In fact, in some egregious cases, an individual may discover that thieves are maxing out his or her Medicare account by making false claims against his or her policy.
While many individuals closely safeguard their financial information and social security number, they may be less protective of medical diagnoses, seeking support through the use of social media from friends or other acquaintances who may have experienced similar medical conditions. These individuals, however, may not realize that such information can be used in ways that are as harmful to their personal and pecuniary interests as the misuse of financial information.
In fact, research has shown that medical identity theft is unfortunately rising. For example, according to the Ponemon Institute (an organization that conducts independent research on privacy, data protection and information security policy), U.S. victims of medical identity theft rose from an estimated 1.52 million in 2012 to 1.84 million in 2013, representing a jump of 19 percent over one year.
Other key findings from the Ponemon Institute’s 2013 Survey on Medical Identity Theft include, but are not limited to, the following: (1) medical identity theft can put victims’ lives at risk by creating inaccuracies in permanent medical records; (2) victims lose trust in their healthcare provider following such thefts; (3) individuals lack awareness of the seriousness of this crime (e.g., 50 percent of victims do nothing to protect themselves from future thefts); (4) individuals rarely check their medical records (e.g., 78 percent of respondents indicated that they are not doing so); and (5) many cases of medical identity theft can be prevented (in fact, the majority of respondents indicated that the medical theft occurred because the individual shared personal or medical information with someone they knew, or a family member used such information without consent).
Responding to and mitigating the aftereffects of medical identity theft is costly. Thirty-six percent of affected individuals incurred out-of-pocket costs in connection with such theft, facing average expenses of $18,660. Ponemon estimates U.S. victims incurred total out-of-pocket costs of $12.3 billion last year alone.
Costs also may be incurred by entities to which HIPAA applies, including where such thefts constitute a breach under 45 C.F.R. § 164.402. Though not HIPAA-specific, Ponemon also has published a study generally covering costs incurred by organizations responding to data breaches. The study concludes that the U.S. experienced the highest average total cost of a data breach at more than $5.4 million (compared to nine other countries, including Germany, the United Kingdom and France, where privacy laws generally are considered stricter than those in the U.S.), and that the healthcare industry had the highest per capita data breach cost at $233 per compromised record, compared to a consolidated average among all countries of $136 per record. This same study also cites malicious or criminal attacks as the most frequent cause of data breach globally at 37 percent.
These studies illustrate the need for organizations and individuals to remain vigilant in protecting sensitive health information. While inadvertent breaches occasionally occur, policies and procedures directed at protecting personally identifiable information must be proactive and address vulnerabilities and areas of risk that can be exploited by criminals. For organizations, these policies should include robust social media guidelines; and for individuals, always remember that sharing sensitive personal information on social media does not occur in a vacuum.