Unusual Breach Report by Humana Shines Light on Fraud Prevention
Use of Analytics Apparently Helped to Prevent Fraud, Warn Victims
An unusual breach notification issued by health insurer Humana shows how some organizations are identifying anomalous behaviors of voice technology users to detect potential fraud.
In a May 21 data breach notification from Humana posted on the Vermont Attorney General's website, the health insurer says it recently received an unspecified number of calls to its automated, toll-free "interactive voice response" telephone system that the company's technology team deemed suspicious.
In each case, the callers identified themselves with three types of information - date of birth, ZIP code, and Humana identification number or Social Security number. "With these particular calls, the caller successfully identified themselves but did not speak with a Humana representative or continue with activity within the automated call system," the notice says.
"Based on this, we believe it is possible that someone may be trying to use your information in an inappropriate manner," the statement says. "At this time, no inappropriate action was taken within Humana systems using the information; however we felt it was our responsibility to make you aware that the incident occurred."
Humana adds that it has "blocked" the incoming phone numbers that were generating the suspicious activity, and it is continuing to monitor the interactive voice response telephone system "for similar patterns under new inbound telephone numbers."
In a statement provided to Information Security Media Group, a Humana spokeswoman says the company's initial analyses, and its continuous, ongoing monitoring activities, indicate that fewer than 200 members were impacted in the incident.
"The abnormal activity was first identified as an anomaly in our interactive voice response reporting tools. It was noted that an abnormally high abandon rate was being observed from a small number of telephone exchanges," she says. "All evidence in this particular incident indicates that the abnormal activity was benign."
Report to State
Ryan Kriger, Vermont's assistant attorney general, tells ISMG that Humana reported to the state that 11 Vermont residents were affected by the recent incident.
He adds that it's not clear if the incident reported by Humana involving callers who might have been trying to confirm the personally identifiable information of other individuals qualifies as a data breach.
Nonetheless, the circumstances of the data breach report from Humana are unusual, he acknowledges. If the calls involved stolen IDs of Humana plan members, it's possible that information was mined in other data breaches, he says. Those potential incidents might have involved data stolen from Humana or other breached entities or purchased on the dark web.
Nonetheless, "it's good that the company is trying to do something" to potentially prevent stolen identities from being used for fraudulent activities, Kriger adds.
The Department of Health and Human Services' HIPAA Breach Reporting Tool website, commonly called the "wall of shame", lists five breaches reported by Humana since 2014. The most recent breaches were an "unauthorized access/disclosure incident reported in November 2017 affecting 5,764 individuals and a hacking/IT incident reported in April 2017 impacting 3,831 individuals.
Regulatory attorney Marti Arvin of the security consultancy CynergisTek notes that the personal information verified via the automatic phone calls to Humana could potentially be used for medical or financial identify theft.
"This could be a bad actor that wishes to commit healthcare fraud and wanted to validate that the insured information was good before submitting bogus claims," she says.
"I would expect that Humana tracks its call volumes, dropped calls, etc. for its own customer service and other purposes. Inherent in the system would be alerts to identify just the sort of actions that appear to have occurred here," she says.
"They would expect someone calling their automated line for a legitimate purpose to go beyond simply inputting the verification information. While that may happen occasionally, this activity likely breached a threshold they had set in the system thus triggering an alert."
Other health insurers are deploying behavioral analytics to fight fraud.
For example, Jim Routh, chief security officer at health insurer Aetna, says his company is using behavioral analytics to help detect potential fraud involving voice-related technologies.
"We are seeing an increase in voice fraud, most of which targets consumers, and we have taken proactive steps to protect consumers," he says.
"We are using continuous behavioral based voice authentication system in a testing mode. It identifies callers into our call centers and prevents fraudulent calls while improving the consumer experience. We anticipate implementing this for all consumers by the end of the year."
Aetna has shared information about its efforts with other health insurers through the National Health Information Sharing and Analysis Center, Routh notes.
More to Come?
So will breach notifications involving circumstances similar to the Humana incident become more common?
"I cannot say if it is specifically becoming a common practice, but it is possible an insurance company may fall under the Red Flag Rules that came about as a result of the Fair and Accurate Credit Transactions Act - FACTA - of 2003, which would mean they are required to proactively look for red flags that might indicate identity theft," Arvin says.
"One requirement is to help mitigate ID theft and one way to do that is to notify the consumer," she says. "While notification is not required, it is suggested. Humana may also simply be doing this as a good business practice because a beneficiary is subject to medical identify theft or the information is used to file fraudulent claims that would cost Humana money. "