CareFirst, Inc. is facing a proposed class-action lawsuit over the data breach it disclosed in May, with one current member and one former member leading the charge in the complaint filed Aug. 6 with the U.S. District Court of Maryland.

While the Maryland-based Blues plan operator maintains that no Social Security numbers were compromised, one of the plaintiffs’ lawyers contends identities already have been stolen as a result of the cyberattack, and another industry observer says the number of medical identity theft cases he has seen in the past six months alone is “nuts.”

Medical Identity Protection Is New Frontier
The CareFirst complaint specifically mentions the possibility of medical identity theft, or the misuse of protected health information to submit fraudulent health insurance claims. According to the Ponemon Institute’s Fifth Annual Study on Medical Identity Theft, released in February, medical identity theft increased 21% in 2014 compared with 2013. Victims each ponied up an average of $13,500 over an average of 200 hours to resolve the problem, although only 10% said they had reached a satisfactory conclusion.

Rick Kam, president and cofounder of IDExperts, which offers MIDAS, the Medical Identity Alert System, says the number of medical identity theft cases he has seen in the past six months has skyrocketed, citing the Blues breaches along with recent exposures at UCLA Health System and the Office of Personnel Management.

“If you think about those particular incidents, all of them included health insurance information or some form of sensitive health information,” Kam tells The AIS Report. “So not only through MIDAS, but more specifically through the services we provide to our breach clients, we’ve seen a huge spike in medical identity theft, financial identity theft and tax return identity fraud just in the last six months. It’s just off the charts. It’s just nuts.”

Many cases of medical identity theft don’t come from data breaches, but rather are perpetrated by the person’s friend or family member. Ann Patterson, senior vice president and program director at the Medical Identity Fraud Alliance — of which CareFirst is a founding member — says providers are better equipped to halt identity theft than insurers, because they can employ techniques including fingerprint scans and photo verification to ensure a person’s identity immediately upon arrival.

Insurance companies also are under pressure to pay claims quickly, which prevents their special investigations units from vetting each incoming bill. Additionally, insurers have to comply with the medical loss ratio (MLR) provision of the Affordable Care Act, which somewhat limits their ability to invest in new technology.

“Fraud reduction activities are in the restricted buckets,” Patterson says, referring to expenses such as administrative, marketing and salaries that are allowed only a 20% allocation of insurers’ premium revenues. An insurance exec might say, “‘Oh, there’s this cool software’ — they can buy and deploy that, but any money a health plan company spends to do those new technologies, that’s going to count against them in MLR.”

September 2, 2015 by Atlantic Information Services, Inc.