You can find almost anything on the Internet these days. The News4 I-Team discovered with just a few clicks and a couple hundred dollars anyone can even buy private medical details online that only you and your doctor should know.
“There are between one and two million Americans affected by medical identity theft each year,” Lisa Schifferle, with the Federal Trade Commission, told the News4 I-Team. “It can happen in all sorts of ways. There can be insiders that are paid to steal information from hospitals and nursing homes."
D.C. has had its share of breaches. In 2012, more than 66,000 people were put at risk after someone stole a Howard University Hospital contractor's laptop. In 2011, the company which provides healthcare for the military, Tricare, lost tapes containing private information of almost five million people.
A Howard University Hospital spokesperson said there’s no evidence that any private information on that stolen laptop was misused. After the incident, the hospital toughened up security procedures with encryption and more HIPPA retraining. Tricare said it could not comment on the case involving its lost tapes due to ongoing litigation.
So, where does the compromised information end up? According to the FTC, the information often goes overseas, sold for big bucks. “Some studies have indicated that on the black market, you can get more for medical information than you can for a social security number," Schifferle said.
Terry Martinez was shocked when the News4 I-Team showed up at his door with private information we found for sale online. “That's my social, date of birth, IP address. They got everything. My driver’s license number. They even got the term life insurance," said Martinez as he looked through what we found.
When the News4 I-Team asked him if he had ever checked to see if his medical records had been compromised, he told us, “No. I hardly ever even go to the doctor. Very seldom do I ever check that."
Martinez knew something was up, though, since he’s been fighting for the past year to get his identity back after discovering someone tried to file his taxes and emptied his bank account. But Martinez had no idea some of his medical information was floating around on the Internet, too.
He’s not alone. The News4 I-Team found private information for people all over the D.C. area, including physician contacts, insurance providers, whether people smoke and even the amounts of insulin doses administered each day.
The man who was selling the information agreed to talk via Skype from Costa Rica but would not show his face.
He said he got most of the current medical records from India, where call centers gather information by phishing over the phone. In those call centers, he said, “You're going to see people buying data, selling data, like it was candy at a store."
The seller also described how the operation worked when he, himself, was a telemarketer for an overseas company. He said callers would try to get missing private details from people over the phone. “They gave me a script that I had to read,” he said. Part of the script read, “’So, what is your name? What is the doctor's name?’ When we didn't even have the doctor's name on it,” he explained. “We were just saying that."
Those private details were then often sold to medical companies that targeted people with health conditions and charged insurance companies for services and supplies.
You can protect yourself. The FTC says everyone should check their credit report for unusual medical bills or charges. Ask your health insurance provider for a list of benefits in your name. And never provide medical information to a caller over the phone.
If you do find out you have been a victim, you should file a complaint with the FTC and police. Also, contact your medical providers.
The U.S. Department of Health and Human Services started tracking medical data security breaches affecting 500 or more people. To search breaches in your area, click here.