Jenny Richards 4/13/15 Jenny Richards 4/13/15

Thinking Like a Criminal: Hacking Premera

I'm sure by now you've seen the news reports about Anthem and Premera getting hacked. After all, that's 91 million customers we're talking about. Neither company admitted any health information was compromised, but it got me thinking about intent. Criminal intent, more specifically. What could hackers steal that would be more valuable than my identity? I mean, what could they possibly do with my health information that would actually cause me harm?

Let's think for a moment about the system that's roughly in place to deal with identity theft. Say your wallet gets stolen. You call around to the different credit card companies, and as soon as they're notified, your liability for charges is immediately capped (it depends on when you tell them, but there is a cap). You start using a credit monitoring service, get new cards, and you pay attention to your credit card statements for a few months. It's not as simple as that, but that's roughly what happens. You know, generally, where all the possible places your money might be going into and out of, and you watch for unusual activity in those places.

Now let's talk about your health information. It's a little different and I think for most people, very opaque. But first a couple of acronyms that may come up - PII and PHI. PII stands for Personally Identifiable Information and it's data that can be used to identify you specifically. Addresses, phone numbers, social security numbers are examples. PHI is Protected Health Information and it's all of the data that is recorded about your health. Your chart notes, your demographics (age, height, weight, race, gender, etc), your medical records (diagnoses, treatments, prescriptions, outcomes). Think of PII as a black and white sketch of you, while PHI fills in the image with vibrant colors and details.

So I'm sitting here thinking about the thief who knows I take a certain medication. Who cares, right? It's not like I'm taking a schedule 2 narcotic, and my doctor's going to suddenly prescribe a limitless supply that can be stolen just because the thief has my address.

Here's a more likely scenario: Let's say hackers get their hands on 50 million peoples' PII and PHI. And let's assume that if they went after PHI, they probably knew what they were looking for. Maybe they have people on their team with medical billing knowledge? That's not terribly hard to come by nowadays - certification for medical billers costs around $5k and takes 18 - 24 months. Now they have records of real people with real social security numbers, real medical histories, and real doctors - they could take a single patient's history and devise treatments and bill for devices and procedures that financially dwarf what they could get from a credit card scam, all for 1 person. And they have 50 million opportunities to do this.

One more piece they can count on is the opaque nature of our medical billing and insurance system. Here's what I mean. When you visit the doctor, buy a prescription, or get a procedure done, you receive an Explanation of Benefits (EOB) in the mail. It's a document that tells you, the patient, which procedures were done for which diagnoses, and if and how insurance paid for it. I bet most people just file those when they receive them because they're full of complex medical billing codes. These codes come from your medical provider (actually, the medical biller in the office), and once they're submitted to the insurance company, they're paid based on the agreement the insurance company has with the hospital where your provider practices. They'll pay to the limit of your plan.

So what happens if someone is spoofing a doctor's office and bills your insurance company for a procedure you didn't have that might be billed at $80k? You'll get an EOB, your doctors will never know (they weren't the ones who billed, so they don't receive notification of anything), and unless you're close to your lifetime maximum in your insurance, maybe the insurance company doesn't even bat an eye. Someone just got away with massive insurance fraud, and there's no real clear way to know it even happened unless someone - you or your insurance company - just happened to notice it was paid out. And if that's the only trigger, then the hacker already has the insurance money.

Go ahead, say it. Insurance fraud is a victimless crime, right? Seems like it, but here's the rub. With a badly broken healthcare system, and a medical information system in its infancy, we can't afford to be paying for massive losses that are the potential here. At some point this is going to hurt you and me. How? Maybe insurance payment gets declined for me because my insurance company thinks I've already had a procedure. Maybe I hit my lifetime maximum because someone had fraudulently billed against it - and now I'm facing a catastrophic illness while having to sort out that my PHI was hacked?

I can come up with a couple of scary scenarios without much thought. Imagine what real criminals can devise with time, money, and intent.