Dark Reading is part of the Informa Tech Division of Informa PLC


Endpoint | Commentary
4/14/2017 10:00 AM
Vitali Kremez
Health Savings Account Fraud: The Rapidly Growing Threat

As income tax season comes to a close, financially motivated cybercriminals are honing new tactics for monetizing medical PII.

While information security and anti-fraud teams remain on high alert for indicators of income tax fraud ahead of the April 18 filing deadline, a lesser-known but serious threat tied to both income tax fraud and the healthcare breaches of 2016 continues to emerge: health savings account (HSA) fraud.

HSA fraud in and of itself is nothing new, but since 2016 the threat has evolved substantially in credibility, complexity, and frequency. More specifically, the unprecedented surplus of stolen medical records offered for sale on Deep & Dark Web marketplaces has driven down prices and created financial difficulties for the many cybercriminals who have traditionally relied on the profits from selling medical personally identifiable information (PII).

Threat actors who purchase so-called "fullz" (full listings of a victim's PII) typically use this data to commit various types of fraud. But because demand for bulk medical fullz is not rising in tandem with the increased availability and declining sale prices of such records, many cybercriminals have sought ways of identifying the most valuable records for use in more profitable schemes such as HSA fraud.

This renewed interest in HSA fraud first emerged around September 2016, when one of the most prolific actors attacking healthcare institutions, known as "cr00k," suggested using stolen healthcare information to target high-value HSAs. Such attacks soon grew into a trend among various low-tier cybercriminals in possession of medical PII. To identify higher-value HSAs, cybercriminals typically use free credit reporting and financial management platforms to look up victims' credit scores and gauge their financial status.

To create or look up accounts on these platforms, cybercriminals must possess the victim's fullz, obtained from compromised healthcare institutions. Some use this information to target valuable HSAs directly; others sell victims' credit reports packaged with their medical fullz for substantially higher prices. cr00k in particular has been known to sell such packages for HSA fraud for as much as $80-$100 per account record; records with higher credit scores fetch higher prices, and vice versa.

In addition to the widespread availability of medical fullz on the Deep & Dark Web, the current composition of the US health insurance landscape may be another factor behind cybercriminals' renewed interest in HSA fraud. As health insurance costs continue to rise, more individuals are opting for high-deductible health plans, which tend to carry lower monthly premiums.

HSAs are available only to individuals covered by high-deductible plans, so as those plans grow in popularity, so do HSAs. Recent estimates put the number of existing HSAs at over 20 million, holding nearly $37 billion in assets, a year-over-year increase of 22% in assets and 20% in accounts. These figures raise concerns about the growing population susceptible to HSA fraud, which remains harder for both victims and financial institutions to detect and mitigate, for three reasons:

  • Access to a victim's fullz, which typically includes their Social Security number and mother's maiden name, lets fraudsters reset HSA account passwords, gain illicit access to funds, and transfer them out of the account. To further evade detection and bypass financial institutions' anti-fraud controls, some fraudsters transfer HSA funds onto prepaid cards opened in the victim's name.
  • Unlike other tax-advantaged health accounts, HSA funds roll over from year to year, earn interest, and don't expire. As a result, many individuals treat HSAs like ordinary savings accounts and may not check their balances routinely, if ever. Numerous reports have surfaced from individuals who did not learn their HSAs had been compromised until months later.
  • Late detection not only makes it harder for financial institutions to investigate incidents and bring wrongdoers to justice; a US federal law also holds financial institutions liable for lost funds only if the account holder reports the incident within 60 days of its occurrence.
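The first bullet describes a recognizable account-takeover sequence: a credential or contact-information change, followed shortly by a transfer to a destination the account has never paid before (often a prepaid card). The following is an added example, not code from the article or from any HSA custodian, of how an anti-fraud team might flag that sequence in account activity. The event schema, the field names, the seven-day window, the $500 threshold and the sample events are all constructed assumptions for illustration.

```python
"""Flag the takeover-then-drain pattern: a password reset or contact
change followed, within a short window, by a sizeable transfer to a
previously unseen destination.  Constructed example; the event schema,
thresholds and sample data are assumptions, not a real custodian's data."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    account: str
    ts: datetime
    kind: str          # "login", "password_reset", "email_change", "phone_change", "transfer"
    dest: str = ""     # transfer destination, e.g. "ach:clinic-9" or "prepaid:****4111"
    amount: float = 0.0
    ip: str = ""


# Events that, in this model, indicate the attacker is preparing to move funds.
TAKEOVER_SIGNALS = {"password_reset", "email_change", "phone_change"}


def flag_takeover_drain(events, window_days=7, min_amount=500.0):
    """Return a list of (account, reason) tuples.

    An alert fires when a transfer of at least `min_amount` goes to a
    destination the account has never paid before AND a takeover signal
    occurred on the same account within the preceding `window_days`.
    Destinations paid before the takeover signal count as established,
    so a victim's usual pharmacy or clinic does not trigger an alert."""
    by_account = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_account.setdefault(e.account, []).append(e)

    alerts = []
    for account, evs in by_account.items():
        known_dests = set()
        last_change = None
        for e in evs:
            if e.kind in TAKEOVER_SIGNALS:
                last_change = e
            elif e.kind == "transfer":
                is_new_dest = e.dest not in known_dests
                recent_change = (
                    last_change is not None
                    and e.ts - last_change.ts <= timedelta(days=window_days)
                )
                if recent_change and is_new_dest and e.amount >= min_amount:
                    reason = (f"{last_change.kind} on {last_change.ts:%Y-%m-%d} then "
                              f"${e.amount:,.0f} to new destination {e.dest}")
                    if e.dest.startswith("prepaid:"):
                        reason += " (prepaid card)"
                    alerts.append((account, reason))
                known_dests.add(e.dest)
    return alerts


# Constructed sample activity for three hypothetical accounts.
SAMPLE_EVENTS = [
    # hsa-0001: established payee, then a password reset followed two days
    # later by a large transfer to a prepaid card from the same new IP.
    Event("hsa-0001", datetime(2017, 1, 10), "transfer", dest="ach:pharmacy-42", amount=85.0),
    Event("hsa-0001", datetime(2017, 3, 1), "password_reset", ip="203.0.113.7"),
    Event("hsa-0001", datetime(2017, 3, 3), "transfer", dest="prepaid:****4111",
          amount=2400.0, ip="203.0.113.7"),
    # hsa-0002: password reset, but the next transfer goes to an established payee.
    Event("hsa-0002", datetime(2017, 2, 1), "transfer", dest="ach:clinic-9", amount=300.0),
    Event("hsa-0002", datetime(2017, 3, 5), "password_reset"),
    Event("hsa-0002", datetime(2017, 3, 6), "transfer", dest="ach:clinic-9", amount=900.0),
    # hsa-0003: new payee, but no preceding credential or contact change.
    Event("hsa-0003", datetime(2017, 3, 8), "transfer", dest="ach:dentist-3", amount=1200.0),
]


if __name__ == "__main__":
    for account, reason in flag_takeover_drain(SAMPLE_EVENTS):
        print(f"ALERT {account}: {reason}")
```

Run against the sample data, only hsa-0001 is flagged: the reset followed by a first-ever transfer to a prepaid card. Tuning the window and the amount threshold is a trade-off between catching slower drains and alert volume; a real deployment would also treat the new IP seen at reset time as corroborating context rather than a hard requirement.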

Unfortunately for victims of HSA fraud, the abuse of their medical PII may persist, as financially motivated cybercriminals come to recognize that individuals with valuable HSAs are also lucrative targets for income tax fraud. And while the IRS has strengthened anti-fraud measures in anticipation of increased income tax fraud, cybercriminals holding individuals' medical fullz and credit reports can often leverage that information to bypass these measures.

For example, while the IRS has recently implemented a PIN system to reduce instances of identity theft and fraud, cybercriminals who have previously gained access to victims’ email accounts can reset and/or retrieve victims’ PINs via their emails. As an additional measure, the IRS also includes security questions such as "What is your mother’s maiden name?" which, again, may be easy for cybercriminals with access to victims’ medical fullz to answer and bypass.

The most effective way to avoid becoming a victim of HSA, tax, and other types of fraud is to prevent your PII from becoming compromised in the first place. However, we all know that this is far easier said than done. The reality is, the string of large-scale data breaches that struck the healthcare and other sectors in recent years has already inundated the Deep and Dark Web with millions of PII records, which means that many of us have already had our PII compromised in some capacity — whether we know about it or not. The best course of action to detect and mitigate any instances of fraud is to closely monitor the balances and activity within all our personal and financial accounts, including HSAs, bank accounts, credit reports, and tax returns. While it may be nearly impossible to prevent all instances of fraud, swiftly detecting and reporting potential indicators of compromise is integral to reducing the extent of any damages.


Vitali Kremez is director of research at Flashpoint. He specializes in researching and investigating complex cyberattacks, network intrusions, data breaches, and hacking incidents mainly emanating from the Eastern European cybercriminal ecosystem. He has earned the majority ...
Comments
JulietteRizkallah, 4/17/2017 3:24:26 PM
When PII is compromised, Identity is Everything
Great article to show how hackers think ahead of us.  As we are preparing to submit - hopefully with increased security- our taxes tomorrow, hackers are already looking at more lucrative personal information.  The FSA are the next target and are not yet a commodity on the dark net based on the prices listed in this article. 

We just have to brace ourselves and be extra vigilant about giving away our PII to too many organizations out there who really do not need it. For example: registration for my son's kindergarten next year required a copy of his SSN. I refused to provide it to the school as there is absolutely no reason for them to store that data. They were cool with my answer... So yes we need to be vigilant and learn to say "no, sorry. You have to prove to me you need that information from me before I hand it to you."