<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" version="2.0">
  <channel>
    <title><![CDATA[[SecurityRatty] tag: prescription]]></title>
    <link>http://securityratty.com/tag/prescription</link>
    <description></description>
    <pubDate>Tue, 04 Dec 2007 13:17:26 +0000</pubDate>
    <generator>iRatty Engine</generator>
    <docs>http://blogs.law.harvard.edu/tech/rss</docs>
    <item>
      <title><![CDATA[CBAC & Medical Identity Theft]]></title>
      <link>http://securityratty.com/article/02105d066a63c57c66a00f92ef63e99d</link>
      <guid>http://securityratty.com/article/02105d066a63c57c66a00f92ef63e99d</guid>
      <description><![CDATA[Good story to keep in mind for those of you working on CBAC. Claims need protection and verification. Why steal an identity when you can capture a claim? (hattip: askelizabeth
The Sopranokovs
The...]]></description>
      <content:encoded><![CDATA[<p>Good story to keep in mind for those of you working on CBAC. Claims need protection and verification. Why steal an identity when you can capture a claim? (hattip: <a href="http://askelizabeth.typepad.com/weblog/2008/07/medical-identity-theft-the-new-frontier-for-organized-crime.html">askelizabeth</a>)

</p><blockquote><p>
	The Sopranokovs 
	</p></blockquote><blockquote><p>The Russian mob comes to town with a new scam—medical identity theft. 	
	</p></blockquote><blockquote><p>When FBI special agent Ted Price peered through the window of a dingy brick storefront on Southwest Morrison Street in March, it was what he didn’t see that caught his attention. 	</p></blockquote><blockquote><p>The business, called UnimedCorner, claimed to provide ailing seniors with orthotics—braces and other devices to correct foot, joint and back problems. 	
	</p></blockquote><blockquote><p>Price and other federal investigators were skeptical. 	
	</p></blockquote><blockquote><p>On Unimed’s showroom floor, Price saw wheelchairs, motorized scooters, a variety of canes and, on the walls, a selection of amateurish paintings and framed photographs. There was no evidence, however, of the kinds of equipment for which Unimed had billed Medicare nearly $2 million in the previous couple of months. 	
	</p></blockquote><blockquote><p>“I observed wheelchairs and canes through the window but did not see any orthotics in the store,” Price later wrote in a search-warrant affidavit. “It is a sign of fraud that the store is not stocking the items [for which] it is billing.” 	
	</p></blockquote><blockquote><p>By the time Price arrived on the scene, the company’s owner, a shadowy Russian immigrant named Alexandr Shcherbakov, was long gone. 	
	</p></blockquote><blockquote><p>Today, Shcherbakov’s store sits undisturbed. The message light on the phone blinks, dead potted plants droop and a stuffed toy monkey slumps in a glass display case. 	
	</p></blockquote><blockquote><p>And behind the cash register hangs a framed poster of television’s best-known mobsters, the Sopranos. 	
	</p></blockquote><blockquote><p>From interviews and information presented in federal affidavits, it is clear Shcherbakov moved to Oregon to commit a crime elegant and lucrative enough to make Tony Soprano envious: medical identity theft. 	
	</p></blockquote><blockquote><p>... 	
	</p></blockquote><blockquote><p>“Medical identity theft is the new frontier for organized crime,” says Alex Johnson, a former FBI agent who investigates fraud for Regence BlueShield. “Pretty much anybody can set up a mom-and-pop operation and start cranking out claims.”
	
	Someday, most Americans will need a cane, wheelchair, home hospital bed or another of the items healthcare professionals call “durable medical equipment,” or DME. 	
	</p></blockquote><blockquote><p>For those over 64 and without private insurance, there’s a good chance federally funded Medicare will pick up the tab for that equipment. Last year, according to federal statistics, Medicare spent $8.6 billion on DME. 	
	</p></blockquote><blockquote><p>Here’s the way the system is supposed to work: A doctor prescribes a device such as a wheelchair for a patient, who presents his prescription to a DME supplier. The supplier provides the equipment and bills Medicare, which typically pays 80 percent of the cost.
	
	Unlike pharmacists, who fill prescriptions under strict scrutiny of state and federal watchdogs, DME suppliers are lightly regulated.
	
	“DME is very vulnerable to fraud,” says Consuelo Woodhead, the chief healthcare fraud prosecutor for the U.S. Attorney’s Office in Los Angeles. “It doesn’t require any background in medicine, any kind of professional licensure or appreciable capital. </p></blockquote><blockquote><p>There are barriers of entry in other medical fields, but not in DME.”
	
	To operate, DME suppliers simply need a place of business, a business license and liability insurance. Unlike pharmacists, DME suppliers operate under an honor system: The feds count on them to supply the equipment they claim to provide to the beneficiaries who need it. 	
	</p></blockquote><blockquote><p>That honor system is not working. 	
	</p></blockquote><blockquote><p>The epicenter of DME fraud, according to the federal Department of Health and Human Services, is South Florida, where Medicare billing for DME quadrupled from 2002 to 2006 to $1.7 billion.
	
	Investigators found much of that increase was due to fraud. In 2006, federal inspectors revoked the licenses of 634 DME suppliers in South Florida, nearly half the DME dealers in the region. </p></blockquote><blockquote><p>Later the same year, raids in Southern California yielded similar results: The feds shut down 95 DME suppliers.
	
	Many of the DME suppliers shut down around Los Angeles were run by immigrants from the former Soviet Union. It’s probably no coincidence that when the feds raided Los Angeles DME suppliers, some Angelenos fled to cities where there was less scrutiny—such as Portland.</p></blockquote>]]></content:encoded>
      <pubDate>Thu, 10 Jul 2008 06:09:41 +0000</pubDate>
      <category domain="http://securityratty.com/tag/dme suppliers simply">dme suppliers simply</category>
      <category domain="http://securityratty.com/tag/dme suppliers">dme suppliers</category>
      <category domain="http://securityratty.com/tag/dme fraud">dme fraud</category>
      <category domain="http://securityratty.com/tag/fraud">fraud</category>
      <category domain="http://securityratty.com/tag/dme">dme</category>
      <category domain="http://securityratty.com/tag/identity">identity</category>
      <category domain="http://securityratty.com/tag/medical identity theft">medical identity theft</category>
      <category domain="http://securityratty.com/tag/dme dealers">dme dealers</category>
      <category domain="http://securityratty.com/tag/dme supplier">dme supplier</category>
      <source url="http://1raindrop.typepad.com/1_raindrop/2008/07/cbac-medical-identity-theft.html">CBAC &amp; Medical Identity Theft</source>
    </item>
    <item>
      <title><![CDATA[Health care practices and UCSF patient records exposed]]></title>
      <link>http://securityratty.com/article/7cab17fdc352275114a54ec17a2e2887</link>
      <guid>http://securityratty.com/article/7cab17fdc352275114a54ec17a2e2887</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
5/1/08

Organization
University of California

Contractor/Consultant/Branch
University of California at San Francisco (&quot;UCSF
Target America Inc

Victims...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/ucsf.jpg" align="right" height="54" width="79"><font size="2"><span style="font-weight: bold;">Date Reported: </span><br>5/1/08<br><br><span style="font-weight: bold;">Organization: </span><br><a href="http://www.universityofcalifornia.edu/">University of California</a> <br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br><a href="http://www.ucsf.edu/">University of California at San Francisco ("UCSF")</a> <br><a href="http://www.tgtam.com">Target America Inc.</a> <br><br><span style="font-weight: bold;">Victims:</span><br>Patients<br><br><span style="font-weight: bold;">Number Affected:</span><br>6,313<br><br><span style="font-weight: bold;">Types of Data:</span><br>"The information included names, addresses, medical departments and some patient medical record numbers"<br><br><span style="font-weight: bold;">Breach Description:</span><br>"(05-01) 17:22 PDT San Francisco -- Information on thousands of UCSF patients was accessible on the Internet for more than three months last year, a possible violation of federal privacy regulations that might have exposed the patients to medical identity theft"<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/05/02/MNKE10DRGN.DTL">San Francisco Chronicle</a> <br><a href="http://www.news.com/8301-10784_3-9934612-7.html">CNET</a> <br><a href="http://www.upi.com/NewsTrack/Science/2008/05/03/hospital_data_left_open_online/2530/">United Press International</a> <br><a href="http://pub.ucsf.edu/newsservices/releases/200805051/">UCSF News Release</a> <br><br><b>Report Credit:</b><br>Elizabeth Fernandez, San Francisco Chronicle<br><br><b>Response:</b><br>From the online sources cited above:<br><br>Information on thousands of UCSF patients was accessible on the Internet for more than three months last year, a possible violation of federal privacy regulations that might have exposed 
the patients to medical identity theft, The Chronicle has learned.<br><br>The information accessible online included names and addresses of patients along with names of the departments where medical care was provided.<br><br>Some patient medical record numbers and the names of the patients' physicians also were available online.<br><br>The breach was discovered Oct. 9, but the medical institution did not send out notification letters to the 6,313 affected patients until early April, nearly six months later.<br><br>Sensitive information can be used by employers, health insurers and other entities to discriminate<br><br>thieves can use purloined information to obtain medical treatment and prescription drugs and to file false medical claims.<br><i>[Evan] Purloined is a funny word.&nbsp; </i><br><br>"This is a large and very significant data breach," said Pam Dixon, executive director of the World Privacy Forum<br><br>"To commit medical identity theft, all you need is a patient's name, address and the name of the hospital. If you have a doctor's name and the medical department where the patient was being treated, it is gold. If you add a medical record number, it is a disaster for patients."<br><i>[Evan] I don't think most people know this.&nbsp; Many people think that they are fine if there were no Social Security numbers or credit card numbers exposed.</i><br><br>Hospital officials say there's no indication of identity theft to date.<br><br>UCSF had shared information on its patients with a vendor, Target America Inc., which mines electronic databases amassing information about a nonprofit's potential or existing donors.<br><br>Target America, whose Web site says it maintains "the highest standards of security," tunnels through millions of electronic records to help nonprofits identify and cultivate future donors as well as current donors "who could be giving you more." 
Additionally, it unearths financial information about donor friends and business acquaintances - even offering maps of a donor's neighborhood.<br><i>[Evan] Seems wrong, doesn't it?&nbsp; You go to the clinic, the clinic farms out your information to a company that determines whether or not you are a good candidate to hit up for money (you probably don't pay enough in health insurance, deductibles and co-pays).&nbsp; If you are deemed a good donor candidate, you get emails and letters that you never signed up for.&nbsp; The purpose of the emails and letters is to build a rapport with you with the intention of getting you to donate money.&nbsp; Personally, I would be more willing to donate if an organization were straight with me.</i><br><br>The breach was discovered, said UCSF officials, when the hospital was alerted that a patient's name had been queried on the Internet "and it was listed in association with UCSF."<br><br>Corinna Kaarlela, UCSF director of news services, said immediate action was taken to close off the information. Ten days after the breach's discovery, UCSF ended its business agreement with Target America.<br><br>Nancy Johnson, president of Target America, said she could not discuss the matter because of client confidentiality.<br><i>[Evan] There is no mention of this breach anywhere on Target America's site either.&nbsp; Sweep it under the rug and maybe it will go away?</i><br><br>The breach spotlights a little-known practice among medical institutions to plow the ranks of patients for fundraising purposes.<br><br>Hospitals and other health care providers are turning patients into "fundraising free-fire zones," said Dr. 
Arthur Caplan, chairman of the department of medical ethics at the University of Pennsylvania School of Medicine.<br><br>"The breach is a symptom, but the real ethics challenge is the extent to which health care institutions are tracking patients and their families for nonmedical reasons - for fundraising, marketing, advertising," Caplan said. "I don't think people are aware of the degree to which this is occurring, whether it's by a hospital or a nursing home or a hospice."<br><br>Since 2004, UCSF said it provided the names and addresses of 30,590 patients to Target America, paying the company $12,000 a year.<br><br>Hospital officials said it contracted with the company to assist "with identifying names of individuals who could potentially receive communications from UCSF."<br><i>[Evan] Why not say it like it is.&nbsp; The true motive?</i><br><br>"These opportunities included upcoming events, developments in specific UCSF programs, and opportunities to support the University."<br><i>[Evan] Closer.</i><br><br>After the breach was discovered, the hospital said it required Target America to hire "an objective third-party firm" to investigate. UCSF received the forensic analysis report March 26. It showed that information was potentially accessible from July 1 to Oct. 9 last year "if a query for a specific name was made." 
Notification letters were mailed to patients April 4.<br><br>While UCSF officials stressed that the breach did not involve Social Security numbers, Dixon said that patients could nonetheless be at risk for harm.<br><br>"With medical identity theft, there is so much on the line - only minimal information needs to go out for there to be a problem," she said.<br><br>Linking patients to the departments where they were treated, for instance, is problematic because it can serve as a key identifier of a patient's health condition.<br><i>[Evan] Don't think that this doesn't happen.&nbsp; Insurance companies are not in business to help people, they are in business to make money.&nbsp; They want to identify as many pre-existing conditions as possible.</i><br><br>UCSF officials say the use of a department's name is not prohibited under HIPAA. But it acknowledged that such a disclosure is against its own "best practice" policy.<br><i>[Evan] I think that this is open to interpretation.&nbsp; HIPAA is not clear (nor can it be) in all circumstances, and some people would argue this claim with UCSF officials.</i><br><br>"Steps have been taken to reinforce this practice," <br><i>[Evan] Like what?&nbsp; Are "steps" enough?</i><br><br>For one outraged UCSF patient whose name was part of the online data disclosure, the incident involved an alarming breach of medical trust.<br><br>"They told a fundraising company that I'm a patient - morally this should not ever be done by any health care provider," said the patient, a retired executive living in San Francisco. He asked that his name not be published. <br><br>"Medical records are supposed to be of utmost privacy," he said. "The University of California is high up in the totem pole for quality medical care. When you go there, the first thing you see are notices regarding patient privacy. Why in the world would they give out my private information? 
It boils down to monetary greed."<br><i>[Evan] There is no doubt that UCSF Medical Center is an outstanding health provider in terms of providing innovative medical care and saving lives.&nbsp; One of the best from what I read.</i><br><br>UCSF is committed to maintaining the privacy of patient information and takes any compromise of patient information very seriously. When patients are seen at UCSF, they are provided with a Notice of Privacy Practice (NOPP), which describes how UCSF may use and disclose their medical information in accordance with the Federal HIPAA Privacy Rule.<br><br>UCSF continually modifies systems and practices to enhance the security of patient information.<br><br><b>Commentary:</b><br>Hmm.&nbsp; I agree with Dr. Caplan when he stated that "The breach is a symptom, but the real ethics challenge is the extent to which health care institutions are tracking patients and their families for nonmedical reasons - for fundraising, marketing, advertising,".&nbsp; There is not much discussion surrounding the details of the actual breach itself.&nbsp; I have also read concern of the length of time it took before patients were notified.<br><br>From Target America's "<a href="http://www.tgtam.com/why.php">Why Target America?</a>" page:<br>"Target America data base, culled from 75 data sources, contains more than 7 million records of the wealthiest and most generous people in the nation -- the top 5 percent in terms of income, assets, and philanthropic history. Ninety-four percent of the individuals on the data base give more than $5,000 a year to charities. The breadth of our data is unique: we focus not only on high-profile, corporate America, but include emerging sources of wealth such as minority-owned business and women entrepreneurs."<br>Looks like a pretty important database to me.&nbsp; <br><br>There are no apologies made by UCSF or Target America for the breach. 
<br><br><span style="font-weight: bold;">Past Breaches:</span><br>University of California:<br>April, 2008 - <a href="http://breachblog.com/2008/04/10/uci.aspx">University of California Irvine students are hit with mysterious breach</a> </font><br><br>
]]></content:encoded>
      <pubDate>Wed, 07 May 2008 12:10:17 +0000</pubDate>
      <category domain="http://securityratty.com/tag/ucsf">ucsf</category>
      <category domain="http://securityratty.com/tag/ucsf patient">ucsf patient</category>
      <category domain="http://securityratty.com/tag/ucsf patients">ucsf patients</category>
      <category domain="http://securityratty.com/tag/patients">patients</category>
      <category domain="http://securityratty.com/tag/patient">patient</category>
      <category domain="http://securityratty.com/tag/sensitive information">sensitive information</category>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/patient information">patient information</category>
      <category domain="http://securityratty.com/tag/ucsf medical center">ucsf medical center</category>
      <source url="http://breachblog.com/2008/05/07/ucsf.aspx">Health care practices and UCSF patient records exposed</source>
    </item>
    <item>
      <title><![CDATA[Microsoft Senior PC - not just for the elderly]]></title>
      <link>http://securityratty.com/article/b40833af463c4e7344afed3fa409ff04</link>
      <guid>http://securityratty.com/article/b40833af463c4e7344afed3fa409ff04</guid>
      <description><![CDATA[My mother-in-law is, to give her some credit, an intelligent lady. However, faced with an upgrade from Windows XP to Vista and IE7 from IE6 and you have a situation akin to explaining quadratic...]]></description>
      <content:encoded><![CDATA[
      My mother-in-law is, to give her some credit, an intelligent lady. However, faced with an upgrade from Windows XP to Vista and IE7 from IE6 and you have a situation akin to explaining quadratic equations to a two year old. Both circumstances will result in heavy objects being thrown around in frustration. 

So, the idea of Microsoft to provide a range of "<a href="http://www.microsoft.com/enable/aging/seniorpc.aspx">Senior PC packages</a>" is, in my mind, borderline genius and something I wish I had thought of first. Computer Weekly <a href="http://www.microsoft.com/enable/aging/seniorpc.aspx">mock the idea</a> in this week's magazine, something I think is very unfair given that I'm sure some of their editorial team are getting on a bit and would probably be able to make good use of the built-in prescription software...

If home computing can be made as easy as taking the PC out of the box, plugging it in and turning it on (not a word from the Mac users please - I know you've been able to do this for years) then that's to be encouraged for everyone, not just the elderly. And if it stops the "support" calls from my mother-in-law then that's priceless!
      
   ]]></content:encoded>
      <pubDate>Tue, 06 May 2008 15:00:00 +0000</pubDate>
      <category domain="http://securityratty.com/tag/built-in prescription software">built-in prescription software</category>
      <category domain="http://securityratty.com/tag/computer weekly mock">computer weekly mock</category>
      <category domain="http://securityratty.com/tag/heavy objects">heavy objects</category>
      <category domain="http://securityratty.com/tag/intelligent lady">intelligent lady</category>
      <category domain="http://securityratty.com/tag/mother-in-law">mother-in-law</category>
      <category domain="http://securityratty.com/tag/situation akin">situation akin</category>
      <category domain="http://securityratty.com/tag/quadratic equations">quadratic equations</category>
      <category domain="http://securityratty.com/tag/idea">idea</category>
      <category domain="http://securityratty.com/tag/editorial team">editorial team</category>
      <source url="http://www.computerweekly.com/blogs/stuart_king/2008/05/my-motherinlaw-is-to-give.html">Microsoft Senior PC - not just for the elderly</source>
    </item>
    <item>
      <title><![CDATA[Human error is blamed in WellCare Health Plans breach]]></title>
      <link>http://securityratty.com/article/cbc5414d6865f7f4f33a04c97a433326</link>
      <guid>http://securityratty.com/article/cbc5414d6865f7f4f33a04c97a433326</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
4/7/08

Organization
WellCare of Georgia, Inc

WellCare Health Plans, Inc. provides managed care services exclusively for government-sponsored healthcare...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/wellcare.jpg" align="right" height="54" width="161"><font size="2"><span style="font-weight: bold;">Date Reported: </span><br>4/7/08<br><br><span style="font-weight: bold;">Organization: </span><br><a href="http://www.wellcare.com/">WellCare of Georgia, Inc.</a>* <br><br><font size="1">*WellCare Health Plans, Inc. provides managed care services exclusively for government-sponsored healthcare programs, focusing on Medicaid and Medicare. Headquartered in Tampa, Florida, WellCare offers a variety of health plans for families, children, the aged, blind and disabled and prescription drug plans, currently serving more than 2.3 million members nationwide. </font><br><br><span style="font-weight: bold;">Contractor/Consultant/Branch:</span><br>None<br><br><span style="font-weight: bold;">Victims:</span><br>Members of "Georgia Families"<br><br><span style="font-weight: bold;">Number Affected:</span><br>up to 71,000<br><br><span style="font-weight: bold;">Types of Data:</span><br>"name, birth date, dates of eligibility, Medicaid or PeachCare for Kids member identification number, social security number or other health plan related information"<br><br><span style="font-weight: bold;">Breach Description:</span><br>"ATLANTA, GA (April 7, 2008) — WellCare of Georgia, Inc. today announced that a human error made some Georgia Families member data available on the Internet. On March 28th, WellCare secured the data on its own computer systems and by April 2nd, all WellCare member information had been removed from the Internet. 
"<br><br><span style="font-weight: bold;">Reference URL:</span><br><a href="http://www.wellcare.com/WCAssets/corporate/assets/Georgia_press_release_040708_final.pdf">WellCare announcement</a> <br><a href="http://triangle.bizjournals.com/triangle/othercities/tampabay/stories/2008/04/07/daily18.html">Triangle Business Journal</a> <br><a href="http://www.ajc.com/metro/content/metro/stories/2008/04/08/breach_0409.html">The Atlanta Journal-Constitution</a> <br><a href="http://www2.tbo.com/content/2008/apr/09/bz-georgia-wellcare-data-exposed/">The Tampa Tribune</a> <br><br><span style="font-weight: bold;">Report Credit:</span><br>WellCare Health Plans<br><br><span style="font-weight: bold;">Response:</span><br>From the online sources cited above:<br><br>Private records of up to 71,000 Georgia families who are members of health insurance programs for the poor or working poor were accidentally made available on the Internet for several days, and some of the data may have been viewed by unauthorized people, Tampa-based WellCare Health Plans Inc. said today.<br><br>“We were able to determine what data was available on the Internet,” explained Anil Kottoor, WellCare’s chief information officer, “and we are notifying anyone who might have been affected.”<br><br>a human error allowed the information to be accessible for an unknown period of time, but that the secret data was removed from the Internet on April 2. It was not immediately known when the data breach occurred or how long the secret data was available.<br><br>The state of Georgia said it was notified March 31.<br><br>WellCare believes that this affected only our Georgia Families membership in Georgia, and not our Medicare coordinated care, private fee-for-service or prescription drug plan membership. <br><br>The files exposed did not contain credit card, debit card or financial account numbers. 
<br><br>They may have contained personal identifying information, such as a member’s name, birth date, dates of eligibility, Medicaid or PeachCare for Kids™ member identification number, social security number or other health plan related information. <br><br>about 10,500 members' Social Security numbers may have been viewed by unauthorized people on the Internet, all members of Medicaid or PeachCare.<br><br>"There is a possibility that an initial 59,000 members may have had some personal information made accessible, so we are notifying them as well, just to be safe," Knapp said. (spokeswoman Amy Knapp)<br><br>At this time, WellCare is not aware of any misuse of its member information due to the accidental exposure of the file on the Internet.<br><br>A Web developer prepared a copy of a DCH report folder that was "to be deployed to our Georgia Web portal" but instead made it accessible on the Internet. <br><span style="font-style: italic;">[Evan] Ugh.&nbsp; I can state from a lot of first-hand experience that developers can either be your information security best friend or your information security worst enemy.&nbsp; Developers that put functionality and usability first without taking information security into account along the way can be dangerous.&nbsp; Effective information security governance and information security training and awareness can help significantly.&nbsp; Having said all of that, people are people and we all make mistakes.&nbsp; I wonder if there is room for significant process improvement here though.</span><br><br>She said at least 53 folders of names were accessed 248 times.<br><span style="font-style: italic;">[Evan] This means that the folders and files did not go completely unnoticed.</span><br><br>WellCare is now notifying in writing the members who could have been affected by this incident. Members should receive those letters by the middle of this week. 
<br><br>WellCare is offering to pay for one year of credit monitoring for those individuals.<br><span style="font-style: italic;">[Evan] Every time I see this offering in a breach notification I feel like this is really short-sighted.&nbsp; Better than nothing I guess, but people need to recognize it for what it is.</span><br><br>“We regret that this incident occurred,” said Mike Cotton, president of WellCare’s Georgia region. “WellCare takes the privacy and security of personal information very seriously. It is an honor to serve our members in Georgia, and we apologize for any inconvenience this issue has caused.” <br><br>To ensure its data security for the future, WellCare has retained a national information technology firm to perform a full assessment of its security and privacy controls.<br><span style="font-style: italic;">[Evan] I wonder who.&nbsp; A "national information technology firm" means very little to me.&nbsp; The "national information technology firm" may do a good job for helping improve "information technology", but who is going to handle "information security"?&nbsp; Information security is NOT an information technology issue.&nbsp; It's bigger than that. </span><br><br><span style="font-weight: bold;">Commentary:</span><br>This breach is being chalked-up as human error, but I think there are many times when "human error" could have been avoided by effective processes and controls.&nbsp; I appreciate WellCare's candid explanation and attempt to make things better. <br><br><span style="font-weight: bold;">Past Breaches:</span><br>Unknown</font><br><br>
]]></content:encoded>
      <pubDate>Wed, 09 Apr 2008 08:39:08 +0000</pubDate>
      <category domain="http://securityratty.com/tag/breach">breach</category>
      <category domain="http://securityratty.com/tag/wellcare">wellcare</category>
      <category domain="http://securityratty.com/tag/information">information</category>
      <category domain="http://securityratty.com/tag/personal information">personal information</category>
      <category domain="http://securityratty.com/tag/wellcare health plans">wellcare health plans</category>
      <category domain="http://securityratty.com/tag/health plans">health plans</category>
      <category domain="http://securityratty.com/tag/information technology issue">information technology issue</category>
      <category domain="http://securityratty.com/tag/georgia families">georgia families</category>
      <category domain="http://securityratty.com/tag/breach description">breach description</category>
      <source url="http://breachblog.com/2008/04/09/wellcare.aspx">Human error is blamed in WellCare Health Plans breach</source>
    </item>
    <item>
      <title><![CDATA[Some Massachusetts seniors are at risk]]></title>
      <link>http://securityratty.com/article/e5ab89e51e3da41fa9d30552261ef453</link>
      <guid>http://securityratty.com/article/e5ab89e51e3da41fa9d30552261ef453</guid>
      <description><![CDATA[Technorati Tag: Security Breach

Date Reported
11/30/07

Organization
State of Massachusetts

Contractor/Consultant/Branch
Executive Office of Health and Human Services

Victims
Prescription Advantage...]]></description>
      <content:encoded><![CDATA[Technorati Tag: <a href="http://technorati.com/tag/security+breach" rel="tag">Security Breach</a><br><br>
<img src="http://breachblog.com/images/95781-88451/mass.jpg" align="right" height="51" width="167"><font size="2"><strong>Date Reported: </strong><br>11/30/07<br><br><strong>Organization: </strong><br>State of Massachusetts<br><br><strong>Contractor/Consultant/Branch:</strong><br>Executive Office of Health and Human Services<br><br><strong>Victims:</strong><br>Prescription Advantage insurance program members*<br><br><font size="1">*Prescription Advantage is a state-run program that offers drug insurance to seniors in Massachusetts.</font><br><br><strong>Number Affected:</strong><br>150,000<br><br><strong>Types of Data:</strong><br>"personal information"<br><br><strong>Breach Description:</strong><br>Authorities arrested an identity thief in August, 2007 who had been using information obtained from the Massachusetts Prescription Advantage program in an attempted identity theft scheme.&nbsp; It is not yet clear how the thief obtained the information.<br><br><strong>Reference URL:</strong><br><a href="http://www.pcworld.com/article/id,140206/article.html" target="_blank"> PC World Story</a><br><a href="http://www.infoworld.com/article/07/11/30/Data-theft-touches-Massachusetts-seniors_1.html" target="_blank"> Information World Story</a><br><a href="http://www.bostonherald.com/entertainment/health/healthcare/view.bg?articleid=1048101" target="_blank"> The Boston Herald Story</a><br><br><strong>Report Credit:</strong><br>Associated Press via The Boston Herald<br><br><strong>Response:</strong><br>From the sources cited above:<br><br>Thousands of senior citizens are being warned about a computer security breach involving the state’s Prescription Advantage program.<br><em>[Comfyllama] It seems like senior citizens are among the easiest prey for identity thieves.</em><br><br>Executive Office of Health and Human Services spokeswoman Alison Goodwin wouldn’t say what kind of personal information may have been compromised, such as names, addresses or Social Security
numbers.<br><br>Local authorities arrested a lone identity thief in August who had been using information taken from the program in an attempted identity theft scheme, said Alison Goodwin, a spokeswoman for the state's Executive Office of Health and Human Services.<br><br>Goodwin could not add many details on the nature of the breach, citing an ongoing criminal investigation, but she said Prescription Advantage is conducting an internal review of the incident to determine if additional security measures might be required.<br><em>[Comfyllama] If data leaked, then I would say that additional security measures are probably required.&nbsp; Sounds obvious, but to some it just doesn't sink in.</em><br><br>The data breach did not affect all members of the program, Goodwin said<br><em>[Comfyllama] I wonder how this conclusion is drawn?&nbsp; If the breach does not affect all 150,000 then why inform 150,000?&nbsp; Maybe Prescription Advantage doesn't know who was affected and who wasn't.</em><br><br>Prescription Advantage recently began notifying 150,000 members potentially affected, as required by state data-breach laws.<br><br>"A few members were recently the victims of attempted identity theft," the state said in a Nov. 
19 letter sent to possible victims.<br><em>[Comfyllama] OK, here it states that a few members were victims of identity theft and earlier statements said the identity thief "had been using information taken from the program".</em><br><br>The staff that maintains the program has "no reason to believe" that any Prescription Advantage members' data has been misused, the letter adds.<br><em>[Comfyllama] Here, the letter states that there is no reason to believe that any data was misused?!&nbsp; A little confusing and contradictory.&nbsp; If confidentiality cannot be assured, assume it has been lost.</em><br><br>Members who have questions about the breach can call Prescription Advantage during regular business hours: 1-866-523-6846 or 1-877-610-0241 for those who are hearing impaired.<br><br><strong>Commentary:</strong><br>Much is left in the dark about this breach.&nbsp; I certainly hope that more details are being shared with victims.&nbsp; They should demand it.<br><br>I am curious about too many things to even mention them all. <br><br><strong>Past Breaches:</strong><br>October, 2007 - <a href="http://breachblog.com/2007/10/03/mass.aspx" target="_blank"> Massachusetts DPL sends Social Security numbers in mail</a></font><br>
]]></content:encoded>
      <pubDate>Tue, 04 Dec 2007 13:17:26 +0000</pubDate>
      <category domain="http://securityratty.com/tag/breach">breach</category>
      <category domain="http://securityratty.com/tag/computer security breach">computer security breach</category>
      <category domain="http://securityratty.com/tag/breach description">breach description</category>
      <category domain="http://securityratty.com/tag/prescription advantage">prescription advantage</category>
      <category domain="http://securityratty.com/tag/security breach">security breach</category>
      <category domain="http://securityratty.com/tag/prescription advantage program">prescription advantage program</category>
      <category domain="http://securityratty.com/tag/data-breach laws">data-breach laws</category>
      <category domain="http://securityratty.com/tag/lone identity thief">lone identity thief</category>
      <category domain="http://securityratty.com/tag/thief">thief</category>
      <source url="http://breachblog.com/2007/11/30/masspa.aspx">Some Massachusetts seniors are at risk</source>
    </item>
  </channel>
</rss>
