Despite the fact that we are constantly bombarded with reports of breaches, there are even more breaches that seem to escape media coverage. I’ve been wondering about whether something I noticed recently might be something that will be used to fuel an insurance fraud operation.
My curiosity was triggered when I read a notification from Aetna. The insurer’s report described an incident at Availity, LLC, a clearinghouse.
According to Availity, it "operates the largest real time information network in healthcare, connecting over a million providers, health plans and their technology partners."
According to Aetna’s report, Availity had first notified them on November 10, 2018 that on November 2, they had discovered that some threat actor(s) had been authenticating as providers to fraudulently access information on insured members’ eligibility and benefits. On December 3, 2018, Availity reportedly provided Aetna with an update that indicated that the fraudulent activity had occurred between May 25, 2017 and November 3, 2018.
By using the Availity portal, the unauthorized individuals would have been able to access names, addresses, dates of birth, name of primary care providers, health insurance member ID numbers, and information regarding health insurance eligibility and benefits.
When it discovered what was happening, Availity terminated the fraudulent accounts, prohibited access to the portal by all users associated with the fraudulent accounts, implemented additional security measures, and reported the matter to the FBI.
For its part, Aetna notified 114 of its members whose information had been accessed, but Aetna also informed this site last week that it is still investigating to see if more members need to be notified.
As of today, Availity’s provider registration portal is still under revision, it seems.
After finding Aetna’s breach notification, and not getting any substantive answers from Availity, I started searching. I’ve since found a similar report filed in January by UnitedHealthcare, who reported to the Maryland Attorney General’s office that Availity had informed them that 41 of their Maryland members’ information had been accessed between July 7, 2017 and March 27, 2018 by fraudulently created provider accounts. The number of non-Maryland members who may also have been affected was not disclosed.
I also found a similar notification from a third insurer, Humana. They reported that they were told that on February 14, 2019, Availity had first discovered suspicious activity affecting their members, and that investigation subsequently revealed that improper access had occurred between January 15, 2016 and February 21, 2018. The number of affected Humana members was not disclosed.
It’s clear from the three insurers’ reports that criminal activity may have been occurring for years but had gone undetected until later in 2018. But how many more insurers had members’ information accessed by the attackers? DataBreaches.net does not know with certainty because Availity would not answer questions, claiming that they couldn’t answer questions about a situation that’s a law enforcement investigation, but a source with knowledge of the investigation informed DataBreaches.net that they believe Availity notified 22 insurers whose members’ information had been accessed by the attackers.
The only helpful detail Availity provided was:
"While the investigation is still ongoing, it appears that the fraudulent users conducted non-financial transactions on the portal using certain personal information they already possessed. We have no reason to believe this information was obtained from Availity."
So all I have in hand are three reports from insurers, and a source who says that 22 insurers were notified. But here are a few questions to think about:
Was the Availity attack related to an incident last year where attackers authenticated as insurance agents or brokers to acquire personal information on 75,000 individuals seeking health insurance on Healthcare.gov? (Make that 93,600).
What happened to these people’s information and to the information acquired in the Availity incident? Has it shown up anywhere for sale? Is it being used for insurance fraud? Is it being hoarded for future use?
Maybe it’s time for us all to be more concerned than relieved when a breached entity tells us that there’s no evidence that our stolen ePHI has been misused. Rather than breathing a sigh of relief, maybe we should be wondering what it’s being saved for.