Medical Identity Theft

Posted March 24, 2008 by Robert Slayton
Categories: Fraud, Identity Theft, Uncategorized

There was a recent article on medical identity theft in the Daily Herald I wanted to share with everyone.

http://www.dailyherald.com/story/?id=158140&src=120

If you’ve heard me speak before, you know that medical identity theft is one of the “big five” most common kinds of identity theft. The big problem is that there is really no way to clear up your identity. There are no laws that force medical providers or insurance carriers to notify and clear up false claims. As health insurance premiums and costs continue to skyrocket, more people will look towards stealing another’s identity to gain access to a doctor.

AS AN INDIVIDUAL

What can you do to minimize the risk of having your medical identity stolen? First, make sure you get a copy of your credit report from all three bureaus on an annual basis. Sometimes insurers or providers send unpaid bills to collection agencies. Second, get a copy of your medical information from the Medical Information Bureau (MIB). Either go to www.mib.com/html/request_your_record.html or call 866-692-6901.

There has been a push lately to have everyone’s medical records available electronically. It would be a double edged sword. On one hand, it would be easier to clear up problems. On the other hand, you’ll probably end up with 10 times more identities stolen than now.

Finally, be careful with your health insurance card. Make sure you only show it to qualified medical people and try to always keep sight of it. If you lose your card, call your insurance company and report the loss and demand that your ID numbers be changed.

AS AN EMPLOYER

You can communicate the importance of employees keeping their health insurance cards and medical information private. As part of your annual talk about privacy and private information (both employees’ and customers’), include medical identity theft in the mix. If you don’t have a mandatory conversation about private information, then you need to start. Call me on how to get started. You may qualify to have me come out and do it for you for no charge (including providing privacy policies, etc.).

Good luck out there. If you have any other suggestions, please post them here.

Robert Slayton is a Certified Identity Theft Risk Management Specialist who has been trained to assist companies to mount an affirmative defense against possible fines and lawsuits resulting from data breaches and stolen information.

Robert will be speaking June 20th at the Aurora Public Library

Posted June 12, 2007 by Robert Slayton
Categories: Fraud, Identity Theft, Schemes and Scams, Theft, Uncategorized

I will be speaking at the Aurora Public Library in Aurora, IL on Protecting Yourself from Identity Theft. It will occur at the main library at 7 pm, Wednesday June 20, 2007. If anyone would like to go, you can get more information and register at the following link:

http://www.aurora.lib.il.us/evanced/lib/eventcalendar.asp?libnum=0

Click on the title located on the 20th of June.

This talk will be 45 minutes long and designed for individuals.

I’d love to see everyone there!

 Robert

Identity Theft, the Internet, and your Employees could send you to Jail: Mitigating Internet Security Risks

Posted May 22, 2007 by Robert Slayton
Categories: Data Leakage, Identity Theft, Legal Issues, Privacy, Risk, Schemes and Scams, Security, Theft

Note: This article will be published in the June 25th edition of The Business Ledger (http://www.thebusinessledger.com/).  

New laws, new fines and jail time for owners and executives

An area of risk that most organizations, large and small, neglect to address, despite the well-publicized increase in cases of identity theft, is the protection of their Internet connections. If you store sensitive information[1] about your employees or clients on your computers, the state and federal governments require you to take a proactive approach to your Internet security NOW. This is of particular importance for organizations that are subject to federal regulations such as HIPAA (which dictates how patient health information must be protected), the Gramm-Leach-Bliley Act (which dictates how personal financial information must be protected), and PCI (the Payment Card Industry regulation, which dictates how credit card information must be protected). These laws carry substantial financial and, in some cases, criminal penalties for violations. For example, HIPAA financial penalties are as high as $50,000 per exposed patient record. The fines can be as high as $250,000 per exposed patient record and carry up to 10 years in jail for the owners and executives of the business if an organization is proven to have purposely exposed patient information for financial fraud, or was negligent in protecting the patient information. On top of the potential financial and criminal penalties are the legal fees to defend an organization.[2] Just recently the Senate passed the “Identity Theft Prevention Act”, bill S. 1178,[3] that would require all businesses to “develop, implement, maintain, and enforce a written program for the security of sensitive personal information the entity collects, maintains, sells, transfers, or disposes of, containing administrative, technical, and physical safeguards.” If this bill makes it through the House, then all businesses would be required to take affirmative action or else be open to fines.

Employees can jeopardize your business and cost you money

WEB SURFING

Even if you do not store sensitive information about your employees or customers, you are still at risk financially. Do you know the sites your employees are visiting on the Internet? Sexually explicit sites are the source of thousands of sexual harassment and “hostile work environment” claims annually that cost employers fines, settlements and legal fees. Hidden costs include lost worker productivity from non-business related web surfing during business hours. These hidden costs can add up quickly. Justified Technology recently worked with a client with 20 employees to calculate they were losing, conservatively, 20 hours per day (1 hour per employee) of productivity. At an average of $15 / hour including benefits, this cost the business $300 per day or $78,000 per year!

More hidden costs

VIRUSES, WORMS, AND TROJANS

Another hidden cost includes fixing computers infected by viruses, worms and Trojans introduced through e-mail, web browsing and inadequately protected Internet connections.  If one computer per month needs to have its operating system and applications re-installed, this can cost the business $500 or more per month.  In addition, an organization can be held financially responsible for failing to fix one or more of its computers infected with various viruses, worms and Trojans if they are found to be the launching point of attacks on another company’s computer systems. How would your customer feel if they found out that the virus in their computer system came from your company? 

Are you protected?

FIREWALLS

Most businesses know that they need a firewall. However, they do not know if it is set up and working correctly. Ask yourself “When was the last time I looked at the firewall logs?” We have never met a businessperson that has looked at a firewall log. Even if they did, they wouldn’t know what they were looking at. Most technology professionals do not know how to interpret the firewall logs. This is an important part of mounting an affirmative defense if a data breach occurred. A company needs to hire a person or company well versed in firewalls and responding to threats identified in those logs.

Is your business too small to be a target of hackers?

With few exceptions (e.g. large banks and online stores), hackers rarely know the target of their attacks until they successfully gain access to a company’s computer systems. The programs that they use to identify targets are indiscriminate. They systematically look at the addresses on the Internet (which are much like the street addresses of homes and offices) and check for vulnerabilities. Most organizations do not even know when they have been successfully attacked. Take, for example, TJX Companies, owners of TJ Maxx, Marshalls, and other stores. Someone had access to their files for 18 months and the company didn’t find out until just recently. To date, they have spent $25 million on resolving this breach. In addition to this, three banking associations have filed lawsuits to recoup costs of replacing clients’ credit cards and paying for fraudulent charges.

What you can do to protect your company from data breaches

Two actions to take immediately are as follows. First, create a policy on web surfing, email, and how to handle private personal, company, and customer data. You can have your attorneys draw the policy up or you can contact us to assist you with templates.

Second, use a proven internet security solution. These solutions used to be expensive and only in the financial reach of large organizations, but there are now hardware/software solutions that any sized business can afford. When choosing a system, make sure it has the ability to do the following:

· Blocks unauthorized access to your network from the Internet
· Blocks viruses, worms and Trojans before they enter your network
· Blocks access to potentially offensive web sites[4] from the computers on your network
· Performs monthly security scans to identify potential vulnerabilities in your Internet security
· Provides weekly or monthly printed reports that describe all of the blocked access attempts, viruses and web sites. This report is your printed record that demonstrates your due diligence in protecting sensitive information from unauthorized Internet access
· Automatically updates its internal software as new threats are detected on the Internet

Not all firewalls are created equal

Do not be fooled by the inexpensive firewalls available in retail stores by such manufacturers as Linksys, Netgear and D-Link. They do not provide the same level of protection as a commercial product. Furthermore, it is not just the hardware, but the expertise to set it up and maintain it that is most important. By hiring a technology firm that specializes in security, you assure that everything is configured and maintained correctly.

Security that pays for itself

The money you save from recouping lost productivity from blocking unauthorized internet access by your employees will, in most instances, pay for the monthly cost of a complete turnkey security solution in one day, each and every month. It is rare that you can find such a good return on your investment dollars.

For more information on the products/services in this article and a free initial technology consultation, please contact the partners of Justified Technology. They have, combined, over 80 years of experience helping organizations of all sizes leverage technology to improve productivity, reduce risk and drive revenues and profitability. Check out our website for more information: www.justifiedtechnology.com.

Robert Slayton of Robert Slayton Associates is a Certified Identity Theft Risk Management Specialist. He helps implement employee policies and procedures to minimize a company’s exposure to identity theft. Contact Robert for a free initial consultation on your policies and procedures today. You could be eligible for free consultations, policy templates, and employee training! Find out whether you qualify. His website is www.robertslayton.com.


[1] Names and addresses with social security numbers, credit card information, patient health information

[2] Businesses should consult their liability insurance provider to make sure they have a technology rider on their corporate liability policy to cover losses associated with unauthorized access to their computer systems (including legal fees).  This rider is NOT provided in standard coverage.

[3] Go to http://thomas.loc.gov/cgi-bin/query/z?c110:S.1178: for full text of this act.

[4] There are 31 categories in all that can be blocked including Adult/Sexually Explicit, Hate Speech, Gambling, Criminal Skills, Violence, Drugs & Alcohol, Shopping, Sports

Flash Drives, Notebook computers, and Identity Theft

Posted March 19, 2007 by Robert Slayton
Categories: Data Leakage, Identity Theft, Legal Issues, Privacy, Risk, Security, Theft, Uncategorized

Symantec just released their Internet Security Threat Report which stated that 54% of all data breaches occurred due to loss of a computer or data storage device such as a flash drive (also called a thumb drive) or CD/DVD.

As the Internal Revenue Service lost 478 notebook computers last year and most mid-sized or larger companies lose at least one or more computers per year (typically 2 – 3 per month), it is important to take strong measures to mount an affirmative defense in case you are investigated by the FTC or other agency.

IMPLICATIONS

How many people in your business carry around laptops or PDAs that store personal/company information, or have something such as a flash drive (these are extremely small devices that plug into the USB port on any computer and can hold 2+ Gigabytes of data)?

If you don’t have a security policy that directly covers these items, you should consider adding one.

SUGGESTIONS

Encrypt the data files on all computers that are portable (notebooks, laptops, removable hard drives). That way if a criminal tries to access the computer without the original password, they will not be able to read those data files. My recommendation is to encrypt any sensitive files on all computers. While your server might have strong enough protections, typically desktop computers do not.

Make sure that all computers automatically lock after a certain period of time. That means if someone walks away from their computer (for example, a bathroom break or lunch) and forgets to lock their system, the computer will automatically do it for them.

Don’t forget to encrypt emails. Many employees have had personal data or sensitive business data emailed to them that sits, sometimes for years, in their inbox. Make sure that the file folder where the emails reside is encrypted (meaning all the files within that file folder are also encrypted).

Make sure PDAs carry passwords. A better suggestion is to disallow any sensitive data from residing on PDAs (if feasible). Sometimes individual programs will allow you to set passwords to access data files. This is also something to consider (based upon your business model).

Some flash drives come with password protection. Only use flash drives that do. That means convenience for the user and protection for the business.

We will cover more of the security report in subsequent blogs.

Have a question or comment? Please post it below.

A new threat for identity theft – your copier!

Posted March 16, 2007 by Robert Slayton
Categories: Data Leakage, Fraud, Identity Theft, Legal Issues, Privacy, Risk, Security, Theft

BACKGROUND
Yes, it’s true. With the advent of digital copiers that contain hard drives, an identity thief can come and take the information stored on them.
Sharp has recently released a document discussing this possible security breach. You can find the article at http://www.sharpusa.com/products/applications/security/1,2701,4-0,00.html

QUESTION
 Think about how many employees use the business copier to copy their personal tax returns. Enough to make it worthwhile to steal the information. What other confidential information has been placed on the glass to make copies for other employees?
Just because a copier is locked up in HR or an executive’s office doesn’t mean it is safe. A tech savvy person on the cleaning crew or disgruntled employee could easily download this information.

RECENT COPIER UPGRADES
If you recently upgraded copiers and traded in/sold your old copier, then you are still at risk. Your business information could still be stored on that old hard drive, much like selling an older computer without wiping its hard drive.
That being said, if you plan on purchasing a digital copier with a hard drive, then make sure it either encrypts the data, overwrites the information, or has another tested security mechanism.

IMPACT ON INDIVIDUALS 
Let’s talk about individuals and how it impacts us.
First, if you use a public copier, you could be at risk. Ask before copying to see if your information will be stored on the copier after you leave.
Second, talk to your tax preparer. They make copies of your tax returns for you, so make sure that they are aware of the risk and ask what steps they are taking to prevent a breach of data.
Third, be ever vigilant ANYTIME that your personal information will be exposed, whether on a copier, over the phone (or cell phone), instant messaging, and internet to name a few.
If you have questions or would like to comment, please post here or email me directly.

Lessons Learned from Wisconsin Printer’s mistakenly printing social security numbers on the outside of 171,000 letters.

Posted March 6, 2007 by Robert Slayton
Categories: Identity Theft

Last December the Wisconsin Department of Revenue was informed that their printer mistakenly printed 171,000 labels with the recipients’ social security numbers on the mailing labels, exposing them to potential identity theft. Of those, approximately 131,000 were mailed. This blog will briefly analyze what happened and what could have been done differently to prevent this in the first place.

BACKGROUND

The Wisconsin Department of Revenue (WDR) sent their printer, Ripon Community Printers, a file containing the contact information (including social security numbers) of residents designated to receive a tax booklet.

Later the WDR was informed by a recipient that their social security number was printed in the address section of the booklet. This led the WDR to contact the printer and post office to mitigate damages. It turned out that the printer’s computer addressing program had a glitch that caused the social security numbers to be printed on the address label.

RAMIFICATIONS FOR THE BUSINESS

Ripon was ordered to pay the first $110,000 for free credit monitoring for all affected residents. The printer also was required to reprint/resend the booklets and to create, print, and mail 2 separate letters to affected residents at a cost of at least $100,000. The printer will also indemnify the WDR against all lawsuits that come as a result of this mailing (this cost could be from $0 to millions).

Question: How many businesses could handle paying over $200,000 for a mistake? The printer’s insurance most likely will not cover the costs. As a matter of fact, most renewal policies specifically exclude items such as these.

LESSONS LEARNED

Many businesses are taking identity theft too lightly. According to CIO Magazine (5/15/2006), it takes on average 1,600 work hours to clean up a breach in a company’s security with a cost of up to $92,000 per victim. That’s a huge productivity drain, not to mention a financial drain as well.

If the printer had educated their employees on identity theft and on how to protect both other employees’ and customers’ data, and had a procedure in place for securing data, then they might not have gotten into this mess in the first place. The printer would have spot-checked the address labels before mailing. If the employee had been trained, (s)he would have noticed an extra 9 digit number on the mailing label. With a little investigation, they would have figured out the error before sending the pieces out.

The WDR should have NEVER sent a file containing non public information to the printer as the printer did not need that information (they won’t do it again). As a business owner/employee, NEVER ask for more information than you need. It’s just asking for trouble.

Finally, make sure that you have non disclosure agreements with the companies you do business with if you provide them with any non public information (such as credit checks, financial information, personal health information, etc.).

If you would like to read the original text from the WDR, here is the link:
http://www.dor.state.wi.us/news/070126.pdf
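
The two lessons above (send the printer only the fields it needs, and spot-check labels for a stray 9 digit number) can be automated before a mailing file leaves the building. The following is an added example, not code from the WDR, the printer, or the original post; the field names, the allowlist, and the sample rows are assumptions constructed for illustration.

```python
import re

# Assumption: these are the only fields a printer needs for an address label.
LABEL_FIELDS = ("name", "street", "city", "state", "zip")

# Nine digits, either run together or grouped 3-2-4 with one consistent
# separator. A dashed ZIP+4 (5-4 grouping) does not match this pattern,
# so legitimate ZIP+4 codes are not held back.
SSN_LIKE = re.compile(r"(?<!\d)\d{3}([- ]?)\d{2}\1\d{4}(?!\d)")


def minimize(record):
    """Keep only the allowlisted label fields (data minimization)."""
    return {k: record.get(k, "") for k in LABEL_FIELDS}


def mask(value):
    """Show only the last four digits so the review log does not leak the number."""
    return "***-**-" + re.sub(r"\D", "", value)[-4:]


def find_ssn_like(record):
    """Return [(field, matched_text)] for every SSN-like value in a record."""
    hits = []
    for field, value in record.items():
        for m in SSN_LIKE.finditer(str(value)):
            hits.append((field, m.group(0)))
    return hits


def check_mailing(records):
    """Split records into rows safe to send and findings held for human review.

    Returns (outgoing_rows, held) where held is a list of
    (row_number, field, masked_value).
    """
    outgoing, held = [], []
    for n, rec in enumerate(records, start=1):
        slim = minimize(rec)
        hits = find_ssn_like(slim)
        if hits:
            held.extend((n, field, mask(text)) for field, text in hits)
        else:
            outgoing.append(slim)
    return outgoing, held


# Constructed sample rows. The numbers use area 000, which is never issued.
SAMPLE = [
    # SSN sits in its own column: dropped by minimize(), row is safe to send.
    {"name": "Pat Example", "street": "100 Main St", "city": "Madison",
     "state": "WI", "zip": "53703-1234", "ssn": "000-12-3456"},
    # Addressing glitch: the number has leaked into a label field.
    {"name": "Lee Sample", "street": "000-12-3457 200 Oak Ave",
     "city": "Ripon", "state": "WI", "zip": "54971"},
    # Undashed nine digits in the ZIP field are ambiguous: hold for review.
    {"name": "Sam Placeholder", "street": "300 Elm Rd", "city": "Ripon",
     "state": "WI", "zip": "000123458"},
]

if __name__ == "__main__":
    rows, findings = check_mailing(SAMPLE)
    print(f"{len(rows)} row(s) cleared, {len(findings)} finding(s) held")
    for row_number, field, masked in findings:
        print(f"  row {row_number}: field '{field}' contains {masked}")
```

A held finding is a prompt for a person to look at the row, not proof of an exposed number; an undashed ZIP+4 will be held too.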

Business Owners Risk Losing Their Businesses to Identity Theft

Posted March 5, 2007 by Robert Slayton
Categories: Fraud, Identity Theft, Legal Issues, Risk, Schemes and Scams, Security, Theft, Uncategorized

Note: This article appeared in the Business Ledger, a business paper published in Illinois, USA. The link is http://www.thebusinessledger.com/Articles.asp?artId=1498&isuID=91

 

If a business owner’s identity is stolen, they run the risk of not just losing their money or credit worthiness, but they might also lose their business.

According to The Institute of Fraud Risk Management, the average business startup loan is close to $300,000. Most loans are personally guaranteed by the owner of the new company. If it is a loan through the Small Business Administration, personal guarantees are required of every 20%+ owner and key management.

Most loan documents have two provisions that pack a one-two punch for business owners. The first states that if the lending bank “deems itself insecure,” the loan may be “accelerated” meaning the business has to come up with the cash. This combined with a “universal default” that states if a business owner/executive defaults on ANY account, personal or business, the bank can either accelerate the loan or raise the interest rate usually doubling or tripling the amount of interest paid. Most businesses cannot come up with the cash or handle the cost of financing a loan that has doubled or tripled in price.

Banks can invoke one of the clauses if a business owner or executive’s personal identity is stolen, leading to an account in default or having more credit available than what the bank thinks necessary. Some banks won’t sit by and wait until an owner’s identity is restored, especially if the theft puts the business itself in jeopardy. One reason banks won’t wait is that, according to the latest estimates by the Federal Trade Commission, it could take upwards of 600 hours to clear a person’s name. If the theft involves criminal activity by the perpetrator, the victim may never clear up the crime fully.

Business owners and executives need to protect their identities to minimize the possibility of identity theft happening. Here are some recommendations. First, review your credit reports at least annually. The new Fair and Accurate Credit Transactions Act (FACTA) allows everyone to receive one free credit report from each of the bureaus on an annual basis. Go to www.annualcreditreport.com to gain access to your credit report. One personal recommendation is to order one report every 4 months. Second, shred all mail and documents that have any identifying information: even if it is just a pre-approved offer from Netflix, preferably using a confetti cut shredder.

Third, owners should sign up for a credit monitoring service. The average monthly cost is between $11 – $25/month. This will give them an early warning if someone is tampering with their credit.

Overall, business owners and executives need to be vigilant with both their personal and business records. If they are not, then they are at risk of losing everything they have worked so hard to build.

Robert Slayton is a Certified Identity Theft Risk Management Consultant who consults with businesses and individuals on how to minimize their risk of identity theft and provides identity theft prevention and restoration services. For more information on his services or free information on how to minimize your risk of identity theft, contact him at Robert[at]robertslayton.com or phone 800-913-2378 or +1-630-779-1144 for international inquiries. Robert manages a full service insurance agency, Robert Slayton Associates, out of Naperville, Illinois.

©2007 Robert C Slayton

Identity Theft – How to minimize your and your company’s risk

Posted March 5, 2007 by Robert Slayton
Categories: Identity Theft, Uncategorized

Hello, my name is Robert Slayton. As part of my insurance practice, I consult with businesses and individuals on how to minimize their risk of identity theft. I help businesses of all sizes become compliant with new federal and state laws that target the protection of both employees’ and customers’ private information (Non Public Information – NPI).

The vast majority of businesses don’t realize that they are at risk of federal fines up to $1,000,000 in some cases, civil fines, class action lawsuits with no statutory limitation, and even jail time for executives and owners if NPI is breached.

This blog is designed to help educate business owners, HR Executives, and even individual employees on how to mount an affirmative defense against identity theft and loss of NPI.

DISCLAIMER: I am not an attorney and this advice should not be construed as legal advice or binding in any way. Please consult with your own attorneys and consultants for specifics. If you do not have an attorney or consultant, we at Robert Slayton Associates can provide one for you.

