A Trip to the Pediatrician’s Office May Cure the Sickness, But Could It Put Your Child’s Identity at Risk?
By the time children are six years old, they have probably been to the pediatrician more than 10 times for wellness checkups alone. With many children continuing to see their pediatricians through their teen years, these office visits – and the information collected at them – all add up. As a parent, you trust the pediatrician and the office staff to take care of your child’s health, but can you trust that your child’s personal information will be securely protected and kept out of harm’s way? Assuming this has not previously crossed your mind, increasing your level of awareness – just as is done with an annual health check – can help to protect your child’s identity from being compromised and exploited. Health Care Data Breaches on the Rise The U.S. Department of Health and Human Services has reported that health care data breaches are on the rise. Hackers go where the opportunity is, and medical practices that specialize in pediatric or adolescent medicine provide a fertile ground for criminal enterprises that profit from the theft and sale of personally identifiable information (PII). In large part, this focus on the records of children is driven by the fact that the PII of children generally is pristine (e.g., no credit history, earnings history, etc.) and can, therefore, lend itself to being readily exploited. In fact, children’s identities are often considered more valuable than those of adults because the information can provide a clean slate for criminals looking to build new identities for themselves. Additionally, the data can be sold to other criminals to use to their own advantage. Doctors’ Offices Are Particularly Susceptible to Attacks Not only do these health care providers hold valuable patient-related information, but due to their smaller size and scale, many may not have the resources or knowledge necessary to insulate themselves from an attack by a criminal who is intent on stealing such highly sought-after information. Medical professionals are trained to prevent and treat infections in people, not to defend against ransomware, phishing emails, or other types of cyber attacks. Medical office managers may think “We’re small. Who would try to steal our data?” Yet small and medium-sized businesses of all types are susceptible and attractive potential victims to hackers, who view these enterprises as soft targets precisely because such businesses may lack the knowledge and extensive resources needed to invest in effective cyber security measures, according to the National Institute of Standards and Technology (NIST). Recognizing this issue, just this past May, the U.S. House Committee on Science, Space, and Technology voted the NIST Small Business Cybersecurity Act of 2017 out of Committee, with Committee Chairman Lamar Smith observing, “Many small businesses lack the expertise to successfully monitor and protect their computer systems….” If passed into law by the full Congress, this proposed legislation carries with it the prospect of helping such small businesses better manage their cyber security risks. Compounding this already challenged security environment that is characteristic of small businesses, many medical providers have outsourced their billing and collections function to third-party companies in order to save costs. This outsourcing to a third-party adds yet another layer of cyber and data security vulnerability to the mix. Many of the employees of these billing companies may work from home, using the same computer and email address for both business and personal activity. The existence of such factors could make such billing and collections vendors more susceptible to phishing or other cyber attacks that give hackers an easy path to unencrypted files containing the personal medical information of patients. The Symptoms of Child Identity Theft If your child’s medical records have been compromised, the doctor’s office should notify you as soon as it learns of the incident and loss of patient records. However, like many organizations that have been compromised, a medical practice may not immediately realize that it has fallen prey to an attack or that a data loss incident has occurred. Therefore, as with a cold or fever, a parent must be ever vigilant and watchful for the typical symptoms of identity theft: Receiving collection calls for past due debts in your child’s name. The delivery of Explanation of Benefits (EOB) statements from a medical insurer for an illness that your child never suffered. The receipt of IRS notifications indicating that a tax return has not been filed or that your child’s Social Security number has been used on another person’s tax forms. Receiving bills and/or pre-approved credit offers in your child’s name. Denial of any government benefits. The Old Adage – “An Ounce of Prevention Is Worth a Pound of Cure” – Still Holds True Here are some things you can do on behalf of your child to protect his or her personal information and medical records: Do not provide Social Security information even when asked. Do not give your child’s Social Security number to the doctor’s office. Staff may ask for it, but the only thing they actually need is your insurance identification number. Avoid entering personal data online. Don’t use online forms. Many medical practices now ask patients to fill out information forms online, but the time you save doing this is not worth the risk associated with having your child’s information stored in an online environment that may not be completely secured. Request hard copies of medical information. Insist on printed results. Some doctors now encourage patients to log in to a portal to access test results and other information. Most of these systems do not support two-factor authentication, relying on only a username and password to secure critical information. Get identity theft monitoring for all family members. Enroll in an identity theft plan that provides coverage for your entire family, including monitoring the names, addresses, and Social Security numbers of eligible minor children. As a parent, you do everything you can to protect and care for your children. Do not forget that their identities are worthy of a similar level of care. Safeguard their medical information today, and as they grow up, teach them how to keep their identities and personal information safe. A child’s identity is an incredibly valuable asset that should be monitored and guarded.