Identity Theft
So, what you gonna do about it?
Robert S. Brown
UW Medical Center

The Law
• RCW 9.35.020: No person may knowingly obtain, possess, use, or transfer a means of identification or financial information of another person, living or dead, with the intent to commit, or to aid or abet, any crime.

The Costs
• $53 Billion per year nationwide
• Loss of good will = loss of business?

The Methods
• Phishing has replaced dumpster diving
• Other methods include:
  • Shoulder Surfing
  • Skimming (data device on an ATM)
  • Social Engineering (think Mission: Impossible)
  • Mail Theft (old fashioned but it works)
  • Retail Theft (stealing, hacking, conning, bribing)
  • Plus a zillion other ways your data gets stolen

Two likely scenarios at UWMC
1. Care Recipient is an identity thief
2. Inside job (or hacker)

Care Recipient is an identity thief
• Duty to notify the victim
• Do not share PHI unless permitted by law
  • RCW 70.02.050
  • HIPAA
• Consider notifying law enforcement
• Share handout explaining what you will do, what they can do (e.g. FTC’s excellent white paper)
  • http://www.consumer.gov/idtheft/

Care Recipient is an identity thief
• Need to mitigate the damage
• Amend medical records
• Notify internal departments
• Promptly investigate & notify the victim of your findings and actions taken to fix

Employee is the Identity Thief
• Investigation policy?
  • Who is on point?
  • Who should you alert?
  • How will you summarize at conclusion?
• Sanction policy?
  • Does it explicitly address ID theft?
  • Will the penalties meet the Seattle Times test?

Summary
• Review the laws:
  • RCW 9.35
  • HIPAA
  • RCW 70.02.050

Summary
• Be proactive in protecting data
• Be diligent about investigating
• Create policies now

UW Medical Center
• Rob Brown, Assistant Director of Compliance, 206.598.4342, email@example.com
• Ellen Rubin, RN, Privacy Officer, 206.598.5701, firstname.lastname@example.org