Malicious email from scamsters pretending to be health insurers is on the rise.
FORTUNE — If you’re in compliance with the law commonly known as Obamacare, you’ve probably signed up for health insurance by now. While that coverage is meant to protect you physically as well as financially — by shielding patients from exorbitant medical bills, not to mention the Affordable Care Act’s tax penalty for going uninsured — you just became a lot more vulnerable to cyber-attackers and identity thieves.
Government regulators and cybersecurity experts have noticed a sharp rise in recent months in Internet attacks that use the health care law and new insurance plans to go after more consumers. (More than 7 million Americans had enrolled in private health plans on the law’s online marketplaces by the March 31 deadline, the Obama administration announced last week.) Meanwhile, a major security flaw in software used across the Internet, known as “Heartbleed,” was revealed this week, though it’s still unclear whether it led to any leaks in consumer health data. (Officials for Healthcare.gov, the federal insurance marketplace, have said that site was unaffected.)
Email security firm Agari, for one, has observed a large and increasing number of malicious emails masquerading as legitimate messages from health insurers. The emails appear to be sent from the company, and may even co-opt its logos and branding, but are actually designed by cyber-attackers to lure consumers into falling for the ruse. Indeed, Agari found that in 2013, consumers were five times more likely to receive a compromised message from their health care provider’s domain (email@example.com, for example) than from banks, retailers, airlines, social media companies, and every other industry it analyzed. One in every 10 emails that appears to come from a health care company is “spoofed,” says Agari CEO Patrick Peterson.
The Federal Trade Commission, meanwhile, started warning consumers as early as last May — months before the health care exchanges even opened — to be wary of Obamacare-related emails that could be an attempt to trick consumers into forking over sensitive data or cash. In late January, the FTC announced that it had caught its first Obamacare fraudster: It is suing the president of Kobeni Inc., “one of the world’s reputedly biggest spammers,” for sending thousands of spam emails warning consumers that they had to choose health insurance right away by clicking on a link, or else face penalties.
Consumer watchdogs had a feeling that the phishing scams would follow the rollout of the ACA, having seen the same pattern with Medicare fraud for many years. But while retired seniors are often unwitting targets of con artists, experts say the frenzied controversy surrounding Obamacare, combined with rampant misinformation and fear — plus the practical fact that the new health plans are purchased online — has created a perfect environment for cybercriminals to attack swaths of otherwise sophisticated, educated Americans. After all, people who bought insurance on the new exchanges received confirmation and other notifications via email, just like with other electronic purchases. Add to that the technological woes of the online insurance marketplaces, including Healthcare.gov, and consumers may be even more likely to click emails purporting to be important messages about their account, or a necessary step to complete their enrollment.
“We saw a lot of this spike in the fourth-quarter time frame [of 2013] because of that whole rigmarole,” Peterson says. The fake emails alerted consumers that their Obamacare application had been rejected, that the website was back online, or that they should visit an alternative site or call a certain phone number instead. Often, following the instructions invited the criminals to plant bugs on consumers’ computers, which they could use to glean payment information, health insurance credentials, or other personal information for all-out insurance fraud and identity theft.
According to a recent report by Dell’s information security unit, SecureWorks, health insurance credentials, including names and plan information, go for $20 each on the black market; supplementary dental, vision, and chiropractic were each worth an extra $20. But when those credentials are bundled with social security numbers, bank account and credit card information, online logins, and more, they could fetch between $500 and $1,300 for just one person’s data.
More troubling, about a third of the scam messages are composed by extremely clever criminals that “do their homework,” Peterson says, specifically targeting customers with messages that truly seem meant for them. For example, when one carrier raised insurance rates in California, some of its customers may have received emails purporting to be from the company offering ways to save.
Much of the problem, adds Peterson, is that the health insurance carriers lag other industries in implementing email security measures that would prevent criminals from hijacking their addresses to take advantage of consumers. The study labeled a dozen major insurers “easy targets,” including United Healthcare (UNH), Anthem Blue Cross, Humana (HUM), and WellPoint (WLP). “What we learned from health care is ‘yikes.’ Our first reaction was there must be something wrong with the data,” Peterson says. “Where they are in terms of protecting their patients, and where the criminals are in terms of wanting to go after their customers, it’s quite scary.”
Sure, it’s easy for an email security firm to shake its finger at companies it might like to have as clients. But Agari also highlighted Aetna (AET) as one bright spot among its peers, since it has taken steps to keep impostors from sending email from its domain. And Peterson’s main advice for insurers, along with other businesses, is not to buy a product but to join the honor roll of major companies that have recently formed a collaborative alliance called DMARC (Domain-based Message Authentication, Reporting & Conformance).
The organization’s members include big brands that spammers frequently imitate, like Bank of America, Fidelity, and LinkedIn, as well as the email platforms themselves including Gmail, Yahoo, and AOL, that must determine whether messages are safe for the inbox or relegated to junk folders. Together, they’ve developed a method for determining senders’ legitimacy and screening out fraudulent messages across the web: Microsoft says that DMARC cut phishing messages in Outlook by 50% last year. “If someone purports to be Kaiser or Aetna, and it’s really from a bad guy, it actually rejects that and doesn’t let consumers see it,” Peterson says. Yet so far, none of the health insurers have joined in, he adds.
Neither Humana nor United Healthcare would comment, but WellPoint, which operates Anthem and other Blue Cross and Blue Shield plans, provided some insight. “We know that there is fraud activity and that our plan members have been targeted,” says Alanna Lavelle, the company’s director of enterprise investigations. While the scammers have primarily used the phone, rather than phishing emails, WellPoint’s chief information security officer Roy Mellinger says the company swaps notes with other health care organizations on any breaches and potential threats in the industry, and continuously updates its own security systems.
Yesterday, a handful of government agencies took up the cause, too, enjoining businesses to work together and with the authorities to stop cybercrime. The U.S. Department of Justice, in conjunction with the FTC, issued a policy statement encouraging private entities to defend against attacks “by sharing technical cyber threat information — such as threat signatures, indicators, and alerts — with each other,” and assuring them that such collaboration would not raise antitrust concerns. In a separate announcement, the Federal Deposit Insurance Corporation (FDIC) urged financial institutions to use resources including the FBI’s InfraGard, a shared forum between the FBI and private sector, and the Department of Homeland Security’s Computer Emergency Readiness Team.
Consumers, of course, should take an extra dose of caution when logging into their inbox — as insurers might say, it’s part of a healthy lifestyle and preventive care.