By Tom Murphy and Brandon Bailey for The Columbus Dispatch
Those seemingly harmless medical forms everyone fills out before seeing a doctor can lead to identity theft if they get into the wrong hands.
Names, birthdates and Social Security numbers can help hackers open fake credit lines, file false tax returns and create false medical records. And health-care businesses can lag far behind banks, credit-card companies and retailers in protecting such sensitive information.
“It’s an entire profile of who you are,” said Cynthia Larose, chairwoman of the privacy and security practice at the law firm Mintz Levin in Boston. “It essentially allows someone to become you.”
The danger of cyberattacks was highlighted last week when Anthem, the nation’s second-largest health insurer, said hackers broke into a database storing information on 80 million people. That hack led to a particularly valuable trove of data because it exposed Social Security numbers, a key to a range of identity thefts.
Those numbers were created to track the earnings of workers in order to determine Social Security benefits. Now, health-care companies are, in some cases, required by government agencies to collect them.
They also use them because they are unique to every individual and more common than other forms of identification like driver’s licenses, said Dr. Ross Koppel, a University of Pennsylvania professor who researches health-care information technology.
But the protection health-care companies have for that information can be lax compared with other industries. In fact, the FBI warned health-care companies a year ago that their industry was not doing enough to resist cyberattacks, especially compared with companies in the financial and retail sectors, according to Christopher Budd at the security software company Trend Micro.
Avivah Litan, a cybersecurity analyst at the research firm Gartner, estimates that the health-care industry is generally about 10 years behind the financial-services sector in terms of protecting consumer information. She figures that it may be twice as easy for hackers to get sensitive financial information out of a health-care company.