Identity Theft

So, what you gonna do about it?

Robert S. Brown, UW Medical Center
October 18, 2005

The Law

•   RCW 9.35.020: No person may knowingly obtain, possess, use, or
    transfer a means of identification or financial information of
    another person, living or dead, with the intent to commit, or to
    aid or abet, any crime.
The Costs

•   $53 billion per year nationwide
•   Loss of good will = loss of business?
The Methods

•   Phishing has replaced dumpster diving as the leading method
•   Other methods include:
    –   Shoulder surfing (watching someone enter a PIN or password)
    –   Skimming (a card-reading device attached to an ATM or payment terminal)
    –   Social engineering (think Mission: Impossible)
    –   Mail theft (old fashioned, but it works)
    –   Retail theft (stealing, hacking, conning, bribing)
    –   Plus a zillion other ways your data gets stolen
Two likely scenarios at UWMC

1. Care Recipient is an identity thief
2. Inside job (or hacker)
Care Recipient is an identity thief

•   Duty to notify the victim
    –   Do not share PHI unless permitted by law:
        •   RCW 70.02.050
        •   HIPAA
    –   Consider notifying law enforcement
    –   Share a handout explaining what you will do and what
        they can do (e.g. the FTC's excellent white paper)
Care Recipient is an identity thief (continued)

•   Need to mitigate the damage
    –   Amend the medical records
    –   Notify internal departments
    –   Promptly investigate, then notify the victim of your
        findings and the actions taken to fix the problem
Employee is the Identity Thief

•   Investigation policy?
    –   Who is on point?
    –   Who should you alert?
    –   How will you summarize at the conclusion?
•   Sanction policy?
    –   Does it explicitly address ID theft?
    –   Will the penalties meet the Seattle Times test (would they
        look adequate on the front page of the newspaper)?

•   Review the laws:
    –   RCW 9.35
    –   HIPAA
    –   RCW 70.02.050

•   Be proactive in protecting data
•   Be diligent about investigating
•   Create policies now
UW Medical Center

•   Rob Brown, Assistant Director of Compliance

•   Ellen Rubin, RN, Privacy Officer