Archive for March, 2010

Medical Information Theft on the Rise

Tuesday, March 23rd, 2010

Business Week reports that medical ID theft is on the rise. There were more than 275,000 cases of medical information theft in the U.S. last year, twice the number in 2008, according to Javelin Strategy & Research, a Pleasanton, California-based market research firm. The average fraud cost $12,100, Javelin said. Given that about 44 percent of U.S. doctors used some form of electronic records last year, according to the National Center for Health Statistics, such theft is not surprising.

Individuals are using stolen information to file false claims. Criminals also set up fake clinics to bill for phony treatments, according to Pam Dixon, founder of the World Privacy Forum, a non-profit consumer-research group based in San Diego, California, which has worked with more than 3,000 victims. Thieves also may impersonate a patient, like in Morgan’s case, and some medical workers download records to sell, she said.

The economic stimulus bill of 2009 includes $2 billion to create a national system of computerized health records and as much as $27 billion over 10 years in payments to Medicare and Medicaid providers who adopt the technology, according to the Department of Health and Human Services. The purpose of creating the digital files was to improve care and help lower costs, but digitizing these files makes the information more vulnerable to theft or hacking.

Insurers are working on improving technology to spot false claims, but better standards are needed. The government is considering new regulations to enhance privacy and security of health information, said David Blumenthal, national coordinator for Health Information Technology at the Health and Human Services Department. Precautions, such as adding photos to patient records, are being adopted by some medical facilities.

Given the mobility of the current population, it makes sense for a person’s medical records to be available whether that person is seeking treatment while living in Boston or needs emergency care while vacationing in California. The medical community needs to take all necessary safeguards to protect patient data and to ensure that the software used to store such sensitive patient information is as secure as possible.

To read more, please go to Business Week.

Hacking Conspirator Involved in TJX Data Breach Gets Sentenced to 4 Years

Saturday, March 13th, 2010

Humza Zaman, a co-conspirator in the hack of TJX and other companies, was sentenced Thursday in Boston to 46 months in prison and fined $75,000 for his role in the conspiracy. The sentence matches what prosecutors were seeking.

Zaman, a 33-year-old former network security manager at Barclays Bank, was charged with laundering between $600,000 and $800,000 for hacker Albert Gonzalez, who is currently awaiting sentencing on charges that he and others hacked into TJX, Office Max, Heartland Payment Systems and numerous other companies to steal data on more than 100 million credit and debit card accounts.

To read more, see the complete story on wired.com.

LifeLock to Pay $12 Million to Settle Charges by the FTC and 35 States for False Identity Theft Prevention and Data Security Claims

Wednesday, March 10th, 2010

In one of the largest FTC-state coordinated settlements on record, LifeLock, Inc. has agreed to pay $11 million to the Federal Trade Commission and $1 million to a group of 35 state attorneys general to settle charges that the company used false claims to promote its identity theft protection services. LifeLock and its principals will also be barred from making deceptive claims and required to take more stringent measures to safeguard the personal information they collect from customers.

Since 2006, LifeLock’s ads have claimed that it could prevent identity theft for consumers willing to sign up for its $10-a-month service. The FTC’s complaint charged that the fraud alerts that LifeLock placed on customers’ credit files protected only against certain forms of identity theft and gave them no protection against the misuse of existing accounts, the most common type of identity theft. It also allegedly provided no protection against medical identity theft or employment identity theft, in which thieves use personal information to get medical care or apply for jobs. And even for types of identity theft for which fraud alerts are most effective, they do not provide absolute protection. They alert creditors opening new accounts to take reasonable measures to verify that the individual applying for credit actually is who he or she claims to be, but in some instances, identity thieves can thwart even reasonable precautions.

The FTC charged that LifeLock’s data was not encrypted and that access to sensitive consumer information was not limited to a “need to know” basis. In fact, the agency charged, the company’s data system was vulnerable and could have been exploited by those seeking access to customer information.

To read more about this settlement, view the FTC’s press release here. The FTC will use the $11 million it receives from the settlements to provide refunds to consumers. It will be sending letters to the current and former customers of LifeLock who may be eligible for refunds under the settlement, along with instructions for applying. Customers do not have to contact the FTC to be eligible for refunds. Up-to-date information about the redress program can be found at 202-326-3757 and here.