Is Your Doctor’s Office the Most Dangerous Place for Data?

NEW YORK (AP) -

Everyone worries about stolen credit cards or hacked bank accounts, but just visiting the doctor may put you at greater risk for identity fraud.

Those medical forms you give the receptionist and send to your health insurer provide fertile ground for criminals looking to steal your identity, since health care businesses can lag far behind banks and credit card companies in protecting sensitive information. The names, birthdates and — most importantly — Social Security numbers detailed on those forms can help hackers open fake credit lines, file false tax returns and create fake medical records.

“It’s an entire profile of who you are,” said Cynthia Larose, chair of the privacy and security practice at the law firm Mintz Levin in Boston. “It essentially allows someone to become you.”

Once someone creates a stolen identity with a Social Security number, it can be hard to fix the damage. A person can call a bank to shut down a stolen credit card, but it’s not as easy of a process when it comes to Social Security numbers.

“There is no such mechanism with Social Security numbers and our identity,” said Avivah Litan, a cybersecurity analyst at the research firm Gartner. “You can’t just call the bank and say, ‘Give me all the money they stole from my identity.’ There’s no one to call.”

So being that the data is so vital to protect, health care companies are taking every precaution to defend against hackers, right?

Not necessarily. The FBI warned health care companies a year ago that their industry was not doing enough to resist cyberattacks, especially compared with companies in the financial and retail sectors, according to Christopher Budd of security software company Trend Micro.

Anthem, the nation’s second-largest health insurer, said last week that hackers broke into a database storing information on 80 million people, including Social Security numbers.  The company had “multiple layers of security” in place before the attack, said David Damato, managing director at FireEye, the security company hired by Anthem to investigate the breach.