Health Insurance Exchange & Online Safety

With the open enrollment period for Health Insurance Exchange websites right around the corner — October 1, 2013 — the Identity Theft Resource Center (ITRC) recently issued a scam alert warning consumers to be aware of fake databases.

Although these are government regulated websites, this is a legitimate concern.  The ITRC has been capturing information and releasing a weekly list of data breaches since 2005. According to our records, there have been at least 634 breaches that involve the government/military from 2005-2012.  These numbers illustrate that historically, government agencies are not immune. Hackers will spend their time and energy on the most attractive and lucrative targets.  The Health Insurance Exchange databases are certainly going to fall into that category.

The most frequently asked questions from consumers have been “are the databases safe?” and “is my information secure?”  Unfortunately, there is no quick and easy answer, as we have neither the access nor ability to review all of the details regarding the protocols in place.  Even if we did, making a definitive assessment would be very difficult.

It is the opinion of the ITRC that the only way to be 100% certain that the personally identifying information (PII) in a database will not be compromised, is to not collect it at all. Obviously this solution will not work in this case as PII is needed to issue the benefits. According to the Marketplace Application Checklist, enrollees will need to supply their Social Security number, employer, and income information for every member of the household who needs coverage (such as pay stubs or W-2s), and policy numbers for any current health insurance plans providing coverage to members of the household.

This information, if compromised, would prove to be very lucrative for an identity thief.  Not only would the SSN allow them to commit financial identity theft, but the current insurance plan information could allow thieves to commit medical identity theft as well.  This particular type of identity theft has grown by 25% in just the last year and affected 1.85 million consumers in 2012.  The economic impact was estimated at a staggering $41.3 billion dollars in the Third Annual Survey on Medical Identity Theft conducted by the Ponemon Institute.

It is crucial to practice online safety and security.  In short, effect what you can affect.  Practice online safety, keep an eye out for red flags that indicate your PII has been compromised, and take proactive measures to catch an issue as quickly as possible in order to mitigate the amount of damage an identity thief can do with the compromised information.

Online Safety Tips:

• Make certain you are using the legitimate website. Go to healthcare.gov to be routed to the appropriate exchange website.
• Access the exchange from a secure computer and connection.  Do not use a public Wi-Fi connection to access the exchange and enter your PII, UNLESS you have a personal VPN.  This will protect your information from prying eyes just waiting to pilfer it in a public space.

Proactive Steps:

• Check your credit reports regularly.  You can order one free report from each of the three credit reporting agencies per year at www.annualcreditreport.com.
• If you are paying for any identity-theft products or services (such as credit monitoring), make sure you are taking advantage of all they can offer.  Understand what the service can and can’t do for you and don’t be lulled into a false sense of security. Having this kind of service can be a strong step in the right direction but it is not a panacea.

Red Flags & Next Steps:

• If you discover anomalies on your credit report – such as new accounts that you weren’t aware of or accounts with higher balances than you were aware of – contact the credit reporting agencies and inform them.
• If you stop receiving regular statements in the mail or by email, such as bank statements, explanation of benefits from your insurance company, credit card bills, etc., follow up with the entities that issue the statements to ensure that a change of address or email address hasn’t been sent to the companies unbeknownst to you.
• If you receive bills for products and services that you did not purchase, new credit cards that you did not apply for, or collection notices/calls, notify the issuers/merchants as well as the credit reporting agencies.

If you are contacted either via telephone or email from someone purporting to be from the exchange, follow up directly with the exchange.  According to healthcare.gov, consumers are warned to NOT give out any PII to companies that they did not directly contact or in response to unsolicited advertisements.

The ITRC must reiterate that consumers should be cautious about releasing their PII and should be aware of best practices when it comes to online safety.   If in doubt, contact the exchange directly; do not call the phone number on the solicitation or click on any hyperlinks.  Visit the official Health Care Exchange website at www.healthcare.gov or call toll-free, 1-800-318-2596, to verify the legitimacy of any communication.

For more tips on how to protect yourself from fraud, visit the health exchange article on the subject.