OIG: Medicare exposed to financial losses from ID theft
Even the Centers for Medicare and Medicaid Services (CMS) are prone to security breaches and regulatory non-compliance, according to a recent report.
The report “CMS Response to Breaches and Medical Identity Theft,” issued by the Department of Health and Human Services’ (HHS) Office of Inspector General (OIG) on October 10, investigated CMS’ response to 14 security breaches occurring between September 23, 2009 and December 31, 2011. The medical identities of nearly 14,000 Medicare beneficiaries were stolen during this two-year period— significant when considering CMS’ responsibility to maintain the protected health information of millions of Medicare beneficiaries and their role in developing breach prevention regulations.
Report Finds CMS Negligent
CMS failed to meet several legal requirements of the American Recovery and Reinvestment Act, including steps that are meant to stop payment of patient services for stolen beneficiary IDs, according to the report. In addition to financial burdens, medical identity theft can also lead to patient safety risks such as the storing of incorrect health information from fraudulent users in the victim’s compromised record.
“If CMS does not follow the requirements [for] handling breaches, opportunities increase for medical identity theft and fraudulent billing of the Medicare program,” the report said. Responding to the report’s findings, CMS has promised to meet all American Recovery and Reinvestment Act requirements moving forward.
The report also found that CMS offered assistance to providers who were impacted by medical identity theft by helping with financial liability issues like overpayment demand and tax liabilities. In contrast, significantly less assistance was offered to beneficiary patients who were directly affected by the loss or theft of their data.
Report Calls for Breach Mitigation Improvements
The report recommends CMS make improvements to the current compromised medical identification numbers database that enhance its usability. Further, it recommends developing a method to ensure that Medicare beneficiaries who are victims of a security breach or medical identity theft can retain access to patient services with little or no interruption.
In the interest of service to beneficiaries and enhanced security for the future, the OIG report urges CMS to develop a method for reissuing identification numbers to those whose medical identities were stolen, and to ensure that those new IDs will not be tied directly to Social Security numbers.
CMS has stated that the organization will review options and estimates for identification number development processes that will not be based on Social Security numbers, according to the report. The full text of CMS’ comments are attached to the OIG report.