PORTLAND, OR – Security and privacy expert Chris Apgar says the Health Insurance Portability and Accountability Act doesn’t have what it takes to enforce the regulations to prevent medical identity theft.

In 2005, leukemia patient Eric Drew’s identity was stolen by a lab technician at the hospital where he was being treated, making headlines. Lab technician Richard Gibson was part of the team that Drew relied on for treatment. But it turned out that Gibson was the very person that posed a threat.

A recent Research Concepts survey reveals that 72 percent of IT asset managers believe their own employees – those with access to encryption keys and passwords –were responsible for the most incidents of data breach in their organization.

Drew’s case became the first successful conviction under HIPAA, setting a precedent it seemed for more cases to follow.

Javelin Strategy and Research released a survey last month on identity fraud. Rachel Kim, an associate analyst at the firm, says that unauthorized access of health records could fall under two categories, that of “data breaches” representing 7 percent of identity theft resulting in fraud and “other” which accounts for 2 percent. She says their studies,  “year over year shows that the majority of identity theft occurs through traditional methods and channels – like a lost wallet or checkbook as well as through individuals that are close to the victim.”