Saturday, May 08, 2010


This is the third and final part of a three-part series on Medical Identity Theft (MIT). Over the past two weeks we have defined MIT and outlined its various categories. We have also seen that MIT is a cyber-crime that can kill you. Victims of MIT may receive the wrong medical treatment, discover that their health insurance is exhausted, or become medically uninsurable. These are all serious consequences.

MIT is committed by various people. Just like other cyber-crimes, MIT is committed by organized crime. There are also the usual solo hackers. Other perpetrators can, surprisingly, be your own relatives and even medical staff, for example doctors. “Bad apple” doctors have been known to rent their patients’ records to scammers.

Most people find out they are MIT victims in one of a myriad of ways. The most common one is receiving someone else’s bills. These bills are sent to you by your insurance provider. Another way is through demand notices from debt collectors or lawyers. If you receive demand notices from a hospital lawyer and you are sure you haven’t received the claimed medical services, then you are a victim of MIT. Indicators of MIT can also be found in your medical credit card reports and through notification by your insurance provider or law enforcement agency. You may also learn that you are a victim of MIT at the worst moment, when you are in a medical emergency and obvious discrepancies are discovered in your medical file.

How then can you protect yourself against MIT? You should review all medical bills, notices and statements very carefully. The statements we get from hospitals and health insurance providers usually run into many pages. Despite this, you should go through them thoroughly.

It is obvious that Kenyans face serious challenges in grappling with MIT. There is no government agency dedicated to helping victims of MIT. There are also no enforceable rights that require medical institutions to disclose your own records to you. Our nascent police cyber-crime unit has yet to come to grips with this problem.

The obligation therefore rests with custodians of medical records in Kenya. Hospitals, clinics, medical insurance providers, employers and any other entity that generates, maintains or retains medical records should disclose data breaches immediately.

Individuals must be informed directly any time their protected health information is inappropriately accessed. If individuals are not notified of a breach, they may not know that their medical files may have been altered by criminals in ways that threaten their health, impact their insurability, or cause other harm.

Data breach notification is the only option currently available until the legislative framework on disclosure and freedom of information is developed and implemented.
