While information security and anti-fraud teams remain on high alert for indicators of income tax fraud ahead of the rapidly approaching April 18th filing deadline, a lesser-known yet serious threat with ties to both income tax fraud and 2016’s healthcare breaches continues to emerge: health savings account (HSA) fraud.
HSA fraud in and of itself is nothing new, but the threat has evolved substantially in credibility, complexity, and frequency since 2016. More specifically, the unprecedented surplus of stolen medical records currently offered for sale on Deep & Dark Web marketplaces has driven down prices and squeezed the profits of cybercriminals who have traditionally relied on selling medical personally identifiable information (PII).
Threat actors who purchase so-called “fullz” (complete PII profiles of a victim) typically use this data to commit various types of fraud. However, demand for bulk medical fullz is not rising in tandem with their increased availability and declining sale prices, so many cybercriminals have sought out ways of identifying the most valuable records and using them in more profitable schemes such as HSA fraud.
This renewed interest in HSA fraud first emerged around September 2016, when one of the most prolific actors attacking healthcare institutions, known as “cr00k,” suggested using stolen healthcare information to target valuable HSAs. Such attacks soon grew into an emerging trend among various low-tier cybercriminals in possession of medical PII. In order to identify higher-value HSA accounts, cybercriminals typically utilize various free credit reporting and financial management platforms to access victims’ credit scores and gauge their financial status.
To create or look up accounts on these types of platforms, cybercriminals must be in possession of the victim’s fullz, obtained from compromised healthcare institutions. Some cybercriminals use this information to target valuable HSAs directly, whereas others sell victims’ credit reports packaged with their medical fullz for substantially higher prices. cr00k in particular has been known to sell such information for HSA fraud for as much as $80-$100 per account record; records with higher credit scores fetch higher prices, and vice versa.
In addition to the widespread availability of medical fullz on the Deep & Dark Web, the current composition of the US health insurance landscape may be another factor contributing to cybercriminals’ renewed interest in HSA fraud. As health insurance costs continue to rise, more individuals are opting for high-deductible health plans, which tend to have less expensive monthly premiums.
HSAs are only available to individuals covered by high-deductible plans, so as these plans become more popular, so do HSAs. Recent estimates suggest that there are over 20 million HSAs holding nearly $37 billion in assets, a year-over-year increase of 22% in assets and 20% in accounts. These figures raise concerns over the growing population of individuals susceptible to HSA fraud, which remains more difficult for both victims and financial institutions to detect and mitigate, for three reasons:
• Access to victims’ fullz — which typically include their social security numbers and mothers’ maiden names — can enable fraudsters to change HSA account passwords, gain illicit access to funds, and transfer them from the account. To further evade detection and bypass financial institutions’ anti-fraud measures, some fraudsters even transfer HSA funds onto prepaid cards opened in the victim’s name.
• Unlike other types of tax-free health-related accounts, HSA funds roll over from year to year, earn interest, and don’t expire. As such, many individuals treat HSAs like ordinary savings accounts and may not check their balances routinely, if ever. In fact, numerous reports have surfaced from individuals who did not learn that their HSAs had been compromised until months later.
• Late detection not only makes it harder for financial institutions to investigate incidents and bring wrongdoers to justice; under U.S. federal law, financial institutions are liable for lost funds only if the account holder reports the incident within 60 days of its occurrence. A victim who discovers the theft months later may therefore bear the loss.
Unfortunately for victims of HSA fraud, the abuse of their medical PII may persist as financially motivated cybercriminals come to recognize that individuals with valuable HSAs may also be lucrative targets for income tax fraud. And while the IRS has strengthened anti-fraud measures in anticipation of increased levels of income tax fraud, cybercriminals with access to individuals’ medical fullz and credit reports can often leverage that information to bypass those measures.
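The takeover pattern described in the bullets above (credential change, new payee, funds moved out, discovered late) is detectable on the financial institution’s side if account events are reviewed together rather than one at a time. The following is an added example written for this article, not code from the original post or from any HSA provider. It assumes a hypothetical CSV-style event log with `timestamp,account_id,event_type,detail` lines and event types `login`, `password_reset`, `payee_added` and `transfer`; the sample lines, account IDs and the 7-day correlation window are constructed for illustration. The 60-day figure is the reporting window cited in the text.

```python
"""HSA account-takeover correlation over a constructed event log (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

TAKEOVER_WINDOW = timedelta(days=7)    # assumed: credential change -> money out
REPORTING_WINDOW = timedelta(days=60)  # reporting window cited in the text

# Constructed sample log (hypothetical accounts and payees, not real data).
SAMPLE_LOG = """\
2017-03-01T09:12:00,HSA-1001,login,ip=198.51.100.7
2017-03-01T09:15:00,HSA-1001,transfer,pharmacy-coop:84.50
2017-03-02T22:41:00,HSA-2002,password_reset,via=security_questions
2017-03-02T22:44:00,HSA-2002,payee_added,prepaid-card-4412
2017-03-03T06:10:00,HSA-2002,transfer,prepaid-card-4412:1500.00
2017-01-05T11:00:00,HSA-3003,password_reset,via=email_link
2017-01-06T11:00:00,HSA-3003,payee_added,clinic-billing
2017-03-20T11:00:00,HSA-3003,transfer,clinic-billing:210.00
"""


@dataclass
class Event:
    ts: datetime
    account: str
    kind: str
    detail: str


def parse_events(text: str) -> list[Event]:
    """Parse the assumed 4-column log format; returns events sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, account, kind, detail = line.split(",", 3)
        events.append(Event(datetime.fromisoformat(ts), account, kind, detail))
    return sorted(events, key=lambda e: e.ts)


def find_takeovers(events: list[Event]) -> list[dict]:
    """Flag a transfer to a payee that was added after a password reset,
    when the transfer happens within TAKEOVER_WINDOW of that reset.
    A transfer to a long-standing payee, or one without a preceding reset,
    is treated as ordinary activity and not flagged."""
    by_account: dict[str, list[Event]] = {}
    for e in events:
        by_account.setdefault(e.account, []).append(e)

    alerts = []
    for account, evs in by_account.items():
        reset_ts = None
        new_payees: dict[str, datetime] = {}  # payees added since the last reset
        for e in evs:
            if e.kind == "password_reset":
                reset_ts = e.ts
                new_payees = {}
            elif e.kind == "payee_added" and reset_ts is not None:
                new_payees[e.detail] = e.ts
            elif e.kind == "transfer" and reset_ts is not None:
                payee, amount = e.detail.rsplit(":", 1)
                if payee in new_payees and e.ts - reset_ts <= TAKEOVER_WINDOW:
                    alerts.append({
                        "account": account,
                        "payee": payee,
                        "amount": float(amount),
                        "reset_at": reset_ts.isoformat(),
                        "transfer_at": e.ts.isoformat(),
                    })
    return alerts


def days_left_to_report(transfer_iso: str, now_iso: str) -> int:
    """Whole days remaining in the 60-day reporting window; negative if expired."""
    deadline = datetime.fromisoformat(transfer_iso) + REPORTING_WINDOW
    return (deadline - datetime.fromisoformat(now_iso)).days


if __name__ == "__main__":
    for a in find_takeovers(parse_events(SAMPLE_LOG)):
        left = days_left_to_report(a["transfer_at"], "2017-04-18T00:00:00")
        print(f"{a['account']}: {a['amount']:.2f} to new payee {a['payee']} "
              f"{a['transfer_at']} ({left} days left to report)")
```

Run as-is, the script flags only HSA-2002: a reset through security questions (the kind answerable from a victim’s fullz), a prepaid-card payee added minutes later, and a transfer the next morning. HSA-1001 pays an established payee with no reset, and HSA-3003’s transfer falls well outside the window, so neither is flagged. The window and the password-reset trigger are tunable assumptions; in practice an institution would also correlate the reset channel and login IP, but the point is that each event looks benign alone and only the sequence is suspicious.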
For example, while the IRS has recently implemented a PIN system to reduce identity theft and fraud, cybercriminals who have already gained access to a victim’s email account can reset or retrieve the victim’s PIN through that email. The IRS also relies on security questions such as “What is your mother’s maiden name?” which, again, are easy to answer for cybercriminals holding a victim’s medical fullz.
The most effective way to avoid becoming a victim of HSA, tax, and other types of fraud is to prevent your PII from being compromised in the first place. That is far easier said than done. The string of large-scale data breaches that struck the healthcare and other sectors in recent years has already flooded the Deep & Dark Web with millions of PII records, which means that many of us have already had our PII compromised in some capacity, whether we know it or not. The best course of action is to closely monitor the balances and activity of all personal and financial accounts, including HSAs, bank accounts, credit reports, and tax returns. It may be impossible to prevent every instance of fraud, but swiftly detecting and reporting indicators of compromise, particularly within the 60-day reporting window noted above, is integral to limiting the damage.