A Florida man pleaded guilty in federal court to conspiring to buy and sell more than 2.6 million Medicare beneficiary identification numbers, along with other personal identifiers. The Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) is a law that makes it illegal to buy, sell, or distribute Medicare beneficiary identification numbers without proper authority. This is one of the first prosecutions brought under MACRA.
As part of his plea, the defendant admitted that he and his co-conspirators used “data mining” and “social engineering techniques” to collect Medicare beneficiary information, which he then advertised and sold online. The trafficked information included beneficiary names, addresses, dates of birth, social security numbers, and Medicare beneficiary identification numbers. According to the charges, some of the illicit transactions involved foreign actors, including sellers in the Philippines.
Medicare beneficiaries who believe they have been a victim of medical identity theft can file a complaint with the HHS-OIG hotline by calling 1-800-HHS-TIPS (800-447-8477) or with the Centers for Medicare and Medicaid Services by calling 1-800-MEDICARE (1-800-633-4227).
Compliance Perspective
Issue
Medical identity theft occurs when someone’s personal information, like their name, Social Security number, or Medicare number, is stolen. Criminals or fraudulent providers use those medical identities to get medical care, buy drugs, or submit false billings to Medicare/Medicaid under that stolen name. Phishing is a form of social engineering in which a cyber threat actor poses as a trustworthy colleague, acquaintance, or organization to lure a victim into providing sensitive information or network access. The lures can come in the form of an email, text message, or even a phone call. If successful, this technique could enable threat actors to gain initial access to a network and affect the targeted organization and related third parties. The result can be a data breach, data or service loss, identity fraud, malware infection, or ransomware. The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires that covered entities and their business associates conduct a risk assessment of their healthcare organization. Covered entities are required to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting electronic protected health information (e-PHI).
Discussion Points
- Review policies and procedures related to HIPAA, PHI, the Privacy Rule, and data integrity. Ensure that they address how to avoid falling prey to security breach efforts by unauthorized individuals, and how to guard against and detect malicious software. Update as new information becomes available.
- Train appropriate staff on HIPAA, PHI, and the Privacy Rule, including how to avoid phishing schemes, malware exposures, unauthorized release of PHI, and how to detect malicious software and report such detections. Provide additional training at least annually and when new threats and security information become known. Document that these trainings occurred, and file the signed training document in each employee’s education file.
- Periodically audit to ensure that staff are adhering to data integrity security measures, and to ensure that the facility’s policies and procedures for HIPAA, PHI, and privacy are being followed. Also audit to make sure computers and other devices are regularly scanned and updated.
*This news alert has been prepared by Med-Net Concepts, LLC for informational purposes only and is not intended to provide legal advice.*
