WHO ARE YOU? Lessons From the Anthem Breach


By Bill Reid, SVP of Product Management and Partners, SCI Solutions

Hours of my youth were spent listening to this refrain from one of the greatest rock bands of all time. In fact, this music was part of my identity as a kid.

Yet, recently, in light of the relentless news of corporate security breaches, the latest being Anthem with a reported 80 million affected consumers, I’ve been once again thinking about identity.

One of the key problems plaguing healthcare today is knowing who is who. Large sums of money are spent on systems to track and manage patients, their accounts and clinical data. Some organizations pay for what is called Master Data Management, which is really a means of syncing data across systems by establishing one master version of each identity. Others simply force exact person-to-person mappings: if the spelling of the middle name is not identical, or an initial is missing, the records are not treated as the same person. A staff member then usually has to act as the tie breaker, and that often means calling patients or asking for additional identifiers.

One of the large blockers to the “Holy Grail” of healthcare integration is the fact that no two providers or insurers seem to use the same means to identify individual patients. It is a really hard problem, yet of our own making.

In 1996 when HIPAA was first enacted, there was a provision addressing the creation of a unique patient identifier for healthcare. However, in 1998 political and privacy concerns caused Congress to include a section in the Omnibus Appropriations Act that prohibits the Department of Health and Human Services from using federal funds to implement the unique health identifier requirement “until legislation is enacted specifically approving the standard.”

Well, no such legislation materialized. Even when there was a chance to address it in HITECH more than a decade later, nothing happened. So what is an organization to do? Use whatever it can to establish unique identity. In many cases this is some combination of name, date of birth and Social Security Number. Good security and privacy practice recommends against borrowing identifiers from other domains, such as the SSN, as a substitute for a purpose-specific one. Why? If there is ever a breach, those data are immediately reusable in attacks on every other system that relies on them, and the threat of identity theft follows directly.

The Ponemon Institute’s 2013 Survey on Medical Identity Theft estimated that there were more than 1.8 million victims in 2013 alone and that the number grew over 19 percent from 2012. They found that “most medical identity theft victims lose trust and confidence in their healthcare provider following the loss of their medical credentials.” Moreover, to mitigate the effect of these crimes, consumers spent more than $12 billion on identity protection, credit monitoring and legal counsel, as well as additional reimbursements to providers to pay for services rendered to impostors.

You see, when you use a financial identity for healthcare purposes, its compromise is even more far reaching, because the damage is not limited to healthcare. It permeates victims’ financial lives.

Anthem announced that its breach did not involve medical records. However, it did compromise Social Security Numbers, names, addresses, email addresses, employers and dates of birth – basically the perfect set of data needed to steal an identity, file a fraudulent tax return or set up fake accounts.

What if Anthem had not only encrypted that data (it did not), but had also simply never used these non-healthcare elements to identify a person? What if it had held only a healthcare identifier? Would the intruders have been able to steal an identity that affects not only a person’s healthcare, but his financial life as well?
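To make that alternative concrete, here is an added example (not code from the original post, from SCI Solutions or from Anthem) of a patient registry that keys its records on a purpose-specific healthcare identifier derived from the SSN with a keyed hash, so the SSN itself is never written to the record store. The key, the sample patients and the `HC-` identifier format are assumptions for illustration. Demographic matching is normalized, the middle name is used only as the tie breaker described above, and anything ambiguous is routed to staff review instead of being guessed.

```python
import hashlib
import hmac
import re
import unicodedata
from dataclasses import dataclass
from typing import Dict, Optional

# Assumption: in production this key lives outside the record store (HSM or
# key service), so a database dump alone cannot regenerate or verify an SSN.
# Constructed value for this offline example only.
REGISTRY_KEY = bytes.fromhex(
    "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0"
)


def healthcare_id(ssn: str, key: bytes = REGISTRY_KEY) -> str:
    """Derive an opaque, purpose-specific identifier from an SSN.

    Only the nine digits feed the HMAC, so "123-45-6789" and "123 45 6789"
    yield the same identifier. Without the key, the identifier reveals nothing
    about the SSN and cannot be used to file a tax return or open an account.
    """
    digits = re.sub(r"\D", "", ssn)
    if len(digits) != 9:
        raise ValueError("SSN must contain exactly nine digits")
    mac = hmac.new(key, digits.encode("ascii"), hashlib.sha256).hexdigest()
    return "HC-" + mac[:24]


def norm(text: str) -> str:
    """Normalize a name for comparison: strip accents, case and punctuation."""
    ascii_text = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", ascii_text.lower())


@dataclass(frozen=True)
class Patient:
    hc_id: str      # opaque healthcare identifier; the SSN itself is never stored
    first: str
    last: str
    dob: str        # ISO date, yyyy-mm-dd
    middle: str = ""


class Registry:
    """Patient records keyed on the healthcare identifier, not on the SSN."""

    def __init__(self) -> None:
        self._by_id: Dict[str, Patient] = {}

    def enroll(self, ssn: str, first: str, last: str, dob: str, middle: str = "") -> str:
        hc_id = healthcare_id(ssn)
        # The SSN is discarded as soon as the identifier has been derived.
        self._by_id[hc_id] = Patient(hc_id, first, last, dob, middle)
        return hc_id

    def lookup(self, hc_id: str) -> Optional[Patient]:
        return self._by_id.get(hc_id)

    def match_demographics(self, first: str, last: str, dob: str, middle: str = ""):
        """Find a patient for a record that arrived without the identifier.

        Returns ("match", Patient), ("review", [candidates]) or ("none", None).
        First name, last name and date of birth must agree after normalization.
        The middle name is only a tie breaker: a missing initial on either side
        never turns one person into two, and a conflicting initial is sent to
        staff review rather than silently treated as a new patient.
        """
        candidates = [
            p for p in self._by_id.values()
            if norm(p.first) == norm(first)
            and norm(p.last) == norm(last)
            and p.dob == dob
        ]
        if not candidates:
            return "none", None
        if middle:
            initial = norm(middle)[:1]
            agreeing = [p for p in candidates if not p.middle or norm(p.middle)[:1] == initial]
            if len(agreeing) == 1:
                return "match", agreeing[0]
            if agreeing:
                return "review", agreeing
            return "review", candidates   # every candidate conflicts on the initial
        if len(candidates) == 1:
            return "match", candidates[0]
        return "review", candidates


if __name__ == "__main__":
    reg = Registry()
    hc = reg.enroll("123-45-6789", "John", "Smith", "1970-01-02", "Quincy")   # constructed
    reg.enroll("987-65-4321", "John", "Smith", "1970-01-02", "Robert")        # constructed
    print(hc, reg.match_demographics("john", "SMITH", "1970-01-02", "Q."))
```

The caveat a practitioner should keep in mind: a keyed hash is a stopgap, not the national identifier the post argues for. Whoever holds the key can still link the identifier back to an SSN, so the key must be kept out of the record store and rotated on a schedule that the matching logic can tolerate. What the design buys is that the registry itself, the part an intruder is most likely to exfiltrate, contains nothing that opens a credit line.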

On this subject, the Social Security Administration recommends the following:

“In an effort to curtail identity theft, the Social Security Administration (SSA) is initiating a public information program to encourage the use of alternate identifiers in place of the Social Security Number (SSN). Many organizations including businesses, government agencies, medical facilities and educational institutions continue to use the SSN as the primary identifier for their record keeping systems. We are seeking your support, as well as the support of the general public, in helping to ensure the integrity of individual SSNs.

Identity theft is one of the fastest-growing crimes in American society. The routine and often indiscriminate use of SSNs as identifiers creates opportunities for individuals to inappropriately obtain personal information. Repetitive use and disclosure of SSNs in organizational record keeping systems multiplies the susceptibility of persons to potential identity theft. Through misuse of SSNs, individuals are subject to the danger of identity theft and its repercussions. Access to an individual’s SSN can enable an identity thief to obtain information that can result in significant financial difficulties for the victim. While this can be disruptive for the individual, it can also lead to civil liability for the organization and its individual employees if someone is harmed by information that has been made available to others.”

Perhaps it is time to revisit the national medical identifier. Not only would we slow the growth of medical ID theft, but we may actually also address that interoperability problem plaguing the healthcare industry. I know I am calling my congressperson.
