In the United States on October 1, 2013, a major provision of the Affordable Care Act (also popularly known as “Obamacare”) goes into effect: the Health Insurance Exchange will go live. The exchange sites are where people will be able to sign up for health care coverage themselves rather than through their employer. One way people will be able to sign up for coverage after October 1 is online. But because of the way this online registration will work and the type of information people will have to enter to get health care coverage, there’s a real risk of a perfect storm that can make this process a bonanza for identity thieves and cybercriminals. This could be the most significant new area for phishing and identity theft in the next year in the United States. It can also give established healthcare scammers a new field in which to look for victims.
The root problem is that the Health Insurance Exchange isn’t made up of a single, authoritative site where people can go and register for coverage. In addition to the Federal site, people can apply for coverage at sites run by individual states. Then, within each state, there can also be legitimate third-party sites that provide assistance and even broker coverage.
At this time, a person looking through sites to find one to use faces the challenge that there’s no official marking or labeling on a site to show that it’s officially sanctioned. A survey of state and third-party sites also shows that official sites aren’t required to provide the ability to verify the site using SSL: many of them don’t provide it for site verification at all, though the Federal site does. As people look for health care exchanges, they’re going to be faced with potentially hundreds or thousands of sites that claim to be legitimate, and they won’t be able to easily verify that claim.
The next problem is that when applying for health care coverage, you have to provide all of your most sensitive personal information not only for yourself but your entire family. Most of us won’t give our social security numbers out willingly. But when it comes to health care, the industry uses that information so regularly that we’ve come to accept handing that information over as a matter of course (even if we don’t like it).
Put these two things together and you’ve got a situation where people are primed to give away their most critical personal information to legitimate sites but can’t be sure of finding their way to those legitimate sites.
This is a perfect environment for identity thieves and other criminals to put together bogus sites to get personal information they can use or sell on the digital underground. This situation also provides an opportunity for old-fashioned healthcare scammers to offer bogus coverage and fraudulent billing scams to more unsuspecting people.
There are ways to try to protect yourself from people trying to take advantage of this situation. First, absolutely do not use a search engine as your starting point when looking for coverage. Instead, you should start your search at a known, trusted source: the Federal Government’s or your state government’s sites. Use these sites to find the resources they’ve identified as trustworthy. With that information you can then get more information by going to the sites they recommend (by typing the URL in yourself), calling the numbers listed or even visiting in person. If you do choose to register online, web reputation services that can be found in products like our Titanium can provide an extra degree of protection from known scam sites.
The Health Insurance Exchange is a huge change for the United States. And in the midst of change there’s always confusion. Confusion creates the sort of opportunities that criminals capitalize on. Hopefully, in time, this process will become more mature and have better controls to prevent bogus scam sites. But until then, you have to take time to be extra careful because this will be a great way for criminals to easily get critical personal information they can use maliciously.
Updated to correct Healthcare Exchange terminology based on reader feedback.