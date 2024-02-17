Frank Abagnale is world-famous for pretending to be other people. The former teenage con man, whose exploits 50 years ago became a Leonardo DiCaprio film called Catch Me If You Can, has built a lifelong career as a security consultant and advisor to the FBI and other law enforcement agencies. So it's perhaps ironic that four and a half years ago, his identity was stolen—along with those of 3.6 million other South Carolina taxpayers.

"When that occurred," Abagnale recounted to Ars, "I was at the FBI office in Phoenix. I got a call from [a reporter at] the local TV news station, who knew that my identity was stolen, and they wanted a comment. And I said, 'Before I make a comment, what did the State Tax Revenue Office say?' Well, they said they did nothing wrong. I said that would be absolutely literally impossible. All breaches happen because people make them happen, not because hackers do it. Every breach occurs because someone in that company did something they weren't supposed to do, or somebody in that company failed to do something they were supposed to do." As it turned out (as a Secret Service investigation determined), a government employee had taken home a laptop that shouldn't have left the office and connected it—unprotected—to the Internet.

Government breaches of personal information have become all too common, as demonstrated by the impact of the hacking of the Office of Management and Budget's personnel records two years ago. But another sort of organization is now in the crosshairs of criminals seeking identity data to sell to fraudsters: doctors' offices. Abagnale was in Orlando this week to speak to health IT professionals at the 2017 HIMSS Conference about the rising threat of identity theft through hacking medical records—a threat made possible largely because of the sometimes haphazard adoption of electronic medical records systems by health care providers

Abagnale warned that the value of a medical record to identity thieves far surpasses that of just a name, date of birth, and social security number. That's because it provides an even bigger window into an individual's life. Abagnale says the responses of organizations (including the state government of South Carolina and the OPM) to theft of sensitive personal information is far from adequate—and because there's no way to effectively change the data, it can be held for years by criminals and still be valuable.

[...] Abagnale said that there's been a surge in the past few years in medical identity theft. "It's as simple as, I'm in Orlando and I break my leg, I have no insurance, and I go to the hospital and say I'm you," he explained. "I give them your information, they treat me, they bill your insurance agency, and then your insurance company eventually notifies you because there was a deductible. And you say, 'wait a minute, I was never in Orlando, I never broke my leg.' But it's not that simple—trying to get that fixed, and trying to get it off your medical records, and then having collection agencies hounding you for that money is just unbelievable."

Such a scenario is just the beginning of what's possible with the theft of medical data today. "Like every form of identity theft, if I can become you," said Abagnale, "what I can do as you is only limited by my imagination."