NBC 5 Responds

Cook County Health data breach could mean blackmail and fake medical bills for patients

Experts say medical information is 10 times more valuable on the dark web than stolen credit card numbers and the fallout can last for years.


The recent data breach in which 1.2 million Cook County Health and hospital system patients had their information exposed wasn't a typical breach, according to experts.

The breach took place between March and May, with patient names, Social Security numbers and personal medical information exposed. That private medical information can be used against you in malicious and surprising ways.

Experts said medical information is 10 times more valuable on the dark web than stolen credit card numbers, and the fallout can last for years.

If you were among the patients who received a letter in the mail saying your information was exposed in a data breach, here’s what you need to know.

Security experts with Binary Defense say there are two main types of scams that are specific to medical information.

Medical blackmail

The first is extortion, where scammers actually blackmail you based on your medical history, medications or diagnoses.

"You see it sometimes in cases with like mental health or mental health issues that arise. An attacker will reach out and be like, 'Hey, I know you have x, y and z as a diagnosis. Unless you want your ... employer to know that you've been diagnosed with this, you'll do something that could potentially, you know, cross a line,'" said Jake Aurand, a member of the counterintelligence team with Binary Defense.

Fake medical bills and collection calls


Another scam involves fake medical bills. Since scammers could have your entire medical history, they know what services you’ve used and can be pretty convincing if they call you to collect.  


"They could reach out via telephone or via email and pretend or fraudulently create medical bills that they're trying to make somebody pay. So they'll say, 'Hey, this hasn't been paid for.' And if they have the diagnosis or any of the medical bills that were stolen, they're trying to get people to transfer funds into the wrong account so the [scammer] then is able to take that money," said Aurand.

You may not get these fake bills or blackmail attempts today, tomorrow or even this year. These scammers play the long game, experts said. And it could be years before anyone tries to use this leaked medical information to scam or extort you.

How to protect yourself


Set up credit monitoring so you can at least be aware if someone is using your information to apply for loans or credit cards.

For those patients whose Social Security numbers may have been impacted, Cook County Health said it will offer the opportunity to enroll in credit monitoring and identity protection services at no cost. Patients who may have been affected and would like more information can call 888-867-3881.

On top of that, be extra vigilant about calls or emails seeking payment from anyone claiming to be affiliated with your hospital or medical provider. Take the extra step and verify whether you actually have any bills and how much they are.

Experian has the following advice for patients after a medical data breach:

You can check your credit reports from each of the three major credit bureaus every 12 months at annualcreditreport.com or get a free copy of your Experian credit report on Experian's website. You also have the right to place fraud alerts or credit freezes on your accounts to prevent or warn you if anyone tries to open accounts in your name.

You also should pay attention to activity on your medical financial accounts, such as a Healthcare Savings Account or a Flexible Spending Account, where a hacker could withdraw money once they grab your personal information.

How to get things back on track after a health care breach

If you do get the sinking realization that your medical information has been stolen, here are three steps you can take to protect yourself and minimize the damage.

1. Gather documents and file reports

2. Collect current copies of medical records

Get current copies of all your medical records from your doctors and all other health care providers, along with your medical insurer, plus the records of any family members who might be affected. Go through the reports, looking for any treatments, procedures or prescriptions that weren't authorized for you and your family.

In some cases, a scam artist may have maxed out your benefits for the year or done something else that might threaten your coverage and eligibility for treatment.

You'll want to check that all your personal information is correct, from your mailing and billing address to your blood type. If your medical records have been changed to reflect treatment for an imposter, they could contain dangerous errors, such as listing incorrect allergic reactions to some medications, a chronic condition such as diabetes, conflicting medication lists or even an incorrect blood type. If you're in an accident and brought into an emergency room, that kind of falsified information could prompt a dangerous or even fatal medical mistake.

This can be time-consuming and frustrating, but your best approach is to work through a complete list of each doctor, clinic, hospital, pharmacy, laboratory, health plan and location where a thief may have used your information, according to the Federal Trade Commission. If a thief received treatment or a prescription under your name, request the records from the health provider and any pharmacy that might have filled a prescription.

If a medical provider refuses to provide records out of concern for an ID thief's medical privacy, you have the right to appeal under federal law. According to the FTC, you should contact the person listed in the provider's Notice of Privacy Practices, the provider's patient representative or its ombudsman. If you still can't get your records within 30 days of your written request, you may contact the U.S. Department of Health and Human Services' Office for Civil Rights by calling (800) 368-1019 or emailing ocrmail@hhs.gov.

In addition, federal law allows you to get one free copy every 12 months of the "accounting of disclosures" from each of your medical providers, which is a record of anyone who has received any of your medical information from that provider. Request a copy from each of your health plans and providers. It will explain who received your medical information, what was sent, why and when it was distributed.

Getting copies of your medical records can cost money. Your individual state health privacy laws may make it easier for you to obtain records.

3. Ask for corrections

Once you've reviewed your health records, report any incorrect information and request corrections in writing. You can copy the records and highlight or circle any wrong entries to be deleted, and write out additions or corrections. Make copies of everything you send, keep the originals and make a record of what was sent, where and when.

Ask the provider to correct or delete each error. Send your letter by certified mail, and ask for a "return receipt," so you have proof of what the plan or provider received. Include a copy of the police report and the Identity Theft Report filed with the FTC.

The health care provider is required to correct your records and alert any laboratory or other provider that may have received incorrect information. The FTC advises that if a provider won't make corrections, you should ask that a statement of your dispute and corrections be included with your medical records.

Once you've obtained your medical records, keep a clean, corrected set on file and update it as you undergo any other medical treatments or procedures to make sure you have an accurate, complete set of your own.
