Threat Intelligence Blog

Posted September 30, 2013

The Affordable Care Act (“ACA”), often referred to as Obamacare, is ostensibly designed to make it easier for people to obtain affordable health insurance coverage and healthcare. Some provisions of the law are already in place, some will be soon, and one will take effect tomorrow. On October 1, 2013 open enrollment starts, enabling people to enroll in a Qualified Health Plan.

As security experts point out, the ACA is not just another large technology project; it is exceptional in scale for the U.S. government. Along with the expected technical glitches, criminals will no doubt find myriad ways to take advantage of people when open enrollment starts, including phishing, identity theft and other fraud. In fact, they already are.

ACA Fraud Already Underway

Many security experts are concerned that the ACA could worsen medical identity theft, already a burgeoning problem. According to the latest report from the respected security research firm Ponemon Institute, medical identity theft has seen a nearly 20 percent increase in the number of victims over last year alone. The survey shows how pervasive this crime is, with some 1.84 million people in the US affected by it. The total out-of-pocket costs are $12 billion, and rising. Beyond the monetary costs, victims of medical identity theft are also being misdiagnosed and prescribed the wrong pharmaceuticals.

In order to help people figure out the complex system, the government is offering trained “Navigators” to provide free, in-person assistance to people trying to find and enroll in a health plan. This system presents a wide open door for criminals and fraudsters, however. The Federal Trade Commission has already logged more than 1,000 complaints of con artists calling senior citizens, pretending to be from Medicare and asking for sensitive personal information. The scam artists play into people’s fears of not being covered by the new ACA, and typically offer a new ID card in exchange for their Social Security, credit card, or bank information.

The Web as a Platform for Healthcare Fraud

In addition to social engineering tricks like these, regulators have shut down several misleading websites related to the new law. One website, for example, claimed to be the Pennsylvania Health Exchange, and featured an image of the state’s seal. After questions from state regulators and news organizations, the website went dark.

Cyveillance researchers have found more than 2,500 websites already registered that have “obamacare” in the domain name, and more than 300 that have “affordablecareact” in the domain name. Some, of course, are fraudulent, or were very likely registered for phishing campaigns and other fraud.
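Organizations that want to watch for this kind of registration activity typically run a keyword filter over feeds of newly registered domains. The script below is an added illustration of that approach, not code from the original post or from Cyveillance: it normalizes each domain (drops the TLD and separators, maps common digit-for-letter substitutions) and flags labels that contain, or closely resemble, a watched keyword. The domain list, keyword list and allowlist are constructed sample values.

```python
import re
from difflib import SequenceMatcher

# Constructed sample feed of newly registered domains (not real registrations).
NEW_DOMAINS = [
    "healthcare.gov",                 # legitimate, allowlisted below
    "obamacare-enroll-now.com",
    "affordablecareact-signup.net",
    "0bamacare-help.org",             # zero substituted for the letter o
    "pa-healthexchange.info",
    "example.com",
    "obama-care.co",
    "obamacaer-plans.com",            # transposed letters, no exact substring
]

# Keywords an organization would watch for (constructed for this example).
WATCHED_KEYWORDS = ["obamacare", "affordablecareact", "healthexchange"]

# Known-good domains that should never be flagged (constructed).
ALLOWLIST = {"healthcare.gov"}

# Digit/symbol substitutions commonly used to imitate letters in a domain label.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a"})


def normalize_label(domain):
    """Lower-case, strip the TLD and separators, undo simple look-alike substitutions."""
    label = domain.lower().rsplit(".", 1)[0]
    label = re.sub(r"[-_.]", "", label)
    return label.translate(HOMOGLYPHS)


def match_keyword(domain, keywords=WATCHED_KEYWORDS, threshold=0.85):
    """Return (keyword, reason) when the domain contains or resembles a watched keyword.

    'contains' means the keyword is a literal substring of the normalized label;
    'lookalike' means some window of the label is at least `threshold` similar
    to the keyword by SequenceMatcher ratio (catches transpositions and typos).
    """
    label = normalize_label(domain)
    for kw in keywords:
        if kw in label:
            return kw, "contains"
        best = 0.0
        # Slide a window the length of the keyword across the label.
        for i in range(max(1, len(label) - len(kw) + 1)):
            window = label[i:i + len(kw)]
            best = max(best, SequenceMatcher(None, kw, window).ratio())
        if best >= threshold:
            return kw, "lookalike"
    return None


def flag_domains(domains, allowlist=ALLOWLIST):
    """Return a list of (domain, keyword, reason) for every non-allowlisted hit."""
    hits = []
    for d in domains:
        if d.lower() in allowlist:
            continue
        m = match_keyword(d)
        if m:
            hits.append((d, m[0], m[1]))
    return hits


if __name__ == "__main__":
    for domain, keyword, reason in flag_domains(NEW_DOMAINS):
        print(f"{domain:32} {reason:9} {keyword}")
```

In practice the feed would come from a zone-file or newly-registered-domain service, and each hit would be queued for review and a takedown request rather than acted on automatically, since a substring match alone says nothing about intent. The similarity threshold is a tuning knob: lower values catch more typo variants at the cost of more false positives.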

Another issue is fundamental website security. According to Trend Micro’s survey of state and third-party sites, official sites aren’t required to use SSL, which is what lets a visitor verify a site’s identity. While the federal site provides SSL for site verification, many others do not.

What can you do to help protect yourself, your organization and your employees?

Following these tips can help reduce your risks:

  • Don’t rely on search engines for recommendations on health exchanges, and be wary of any offers that sound too good to be true or that are not associated with official federal or state websites.
  • Be wary of websites that are not professionally designed or that have numerous and glaring grammar, spelling and punctuation mistakes.
  • Check your state’s online portal for general information before speaking to anyone.
  • Ask Navigators how they were trained, and to provide proof. Ask questions, and meet in person if possible.
  • Ask why Navigators need certain information (if it goes beyond your age and state that you live in).
  • Navigators should not need information such as bank account numbers or credit card numbers. Do not give out this information.
  • Organizations concerned about their staff becoming prey to ACA scams and social engineering may wish to offer computer-based training to help their employees avoid becoming victims.
  • Legitimate organizations should monitor and take down rogue mobile applications and phishing websites that are using their good name and reputation to commit fraud or confuse consumers.

Playing into people’s fears of change, coupled with widespread confusion about the provisions of the ACA and expected security flaws, could mean a healthy payday for scam artists, social engineers, and other thieves.
