According to a Javelin Strategy & Research study, the incidence of identity theft jumped sharply in 2008, up 22% from the prior year. Over 9.9 million Americans fell victim to criminals who used their identifying information to borrow money, empty bank accounts, and other modes of financial impersonation. This is unsurprising news given the current state of our economy: experts predict a sharp rise in cybercrime in 2009 as financial gain from stealing data is increasingly more attractive in times of economic crisis. And if the economic downturn isn’t enough incentive, the difficulty and low incentives to catch identity thieves certainly suggests to criminals that identity theft’s benefits exceed its costs.
The surge in identity theft, and cyber crime more generally, should have us tread carefully as we move forward in digitizing health records. Electronic health records systems run a number of privacy risks and medical identity theft is surely one of them. As our unemployment rates continue to rise, so, too, will the number of uninsured Americans. In turn, we will no doubt see a continued increase in medical identity theft as people who do not qualify for coverage under Medicaid or Medicare will still need surgeries and prescription drugs. Moreover, as the ACLU recently wrote to Congress, employers who obtain medical records inappropriately might reject a job candidate who appears expensive to insure. Data brokers might buy medical and pharmaceutical records and sell them to marketers. And unscrupulous employees might snoop on the health of their colleagues. Protecting the privacy of patients is a tough, but not impossible, task. Effective solutions (which I will blog about in upcoming posts) must enlist law, technology, and social norms to protect individuals from the host of privacy problems that e-health records systems raises.