HSA Cybersecurity: A Threat That is Growing

Health savings account (HSA) holders are encouraged to save the money in their accounts for long-term health care expenses, but the less they use their accounts, the greater the risk for fraud and identity theft.

The number of health savings accounts (HSAs) grew to 25 million in 2018, with an estimated $53.8 billion in assets, according to Devenir, a provider of investment solutions for HSAs. But since 2018, HSA card usage has been down.


These consumers are not leaving the marketplace; instead, they are using their account funds for bigger expenses—the way the accounts were intended to be used, according to information presented by the cybersecurity group at the 2019 Alegeus Client Conference in early May.


Increasingly, consumers are more educated on the fact that they can, and should, save their money. Rather than using their HSA funds for everyday expenses, they are saving these funds for long-term needs, such as a hospitalization or health care in retirement. The 2018 Alegeus HSA Participant Profile Report indicates that HSA participants are more fluent, engaged and savvier consumers than those in traditional plans. High-deductible health plan (HDHP)/HSA participants are 80% more likely to be saving for long-term health care costs.


However, this means there are more funds in HSAs that are subject to theft by unauthorized users, if they get into these accounts.


A consequence of participants not often swiping their cards may be that they aren’t monitoring their accounts enough. Too often, participants assume that because money from their paycheck is going into the account each month, it is protected and secure for future use. While these contributed funds are great from the perspective of account growth, they also mean there is more money for fraudsters to take.


Consumers may think such risk applies only to typical credit cards, but it is now present in the consumer-driven healthcare (CDH) space and includes HSAs and flexible spending accounts (FSAs)—all because of card usage and technology.


Successful credit card fraud attempts have increased 49% since 2016, according to the LexisNexis Risk Solutions 2018 True Cost of Fraud Study.


Fraud Trends


At the outset of HSAs becoming widely available, carbon swipe cards were furnished by providers, and participants were excited to have them. Participants used their cards to pay eligible expenses using their account.


Today, with more advanced technology present, the trend has moved towards not having cards present for a purchase at all. Participants are purchasing HSA-eligible products digitally using sites such as Amazon, Walmart and Target. According to the U.S. Department of Commerce, in 2018 e-Commerce sales increased by approximately 15% from 2017.


While e-Commerce describes electronic activity on your computer, m-Commerce is about paying bills on mobile devices, which has become riskier lately. Merchants want to follow this innovative market landscape, maintain customer retention, and grow revenue. m-Commerce has doubled since 2016 for mid-size and large merchants, according to the LexisNexis study.


But cardholders/account holders who interact with e-Commerce or m-Commerce merchants face a higher risk of identity theft than their counterparts—from bot attacks, for instance.


A bot (short for robot) is a type of software application or script that performs automated tasks on command. Bad bots perform malicious tasks that allow an attacker to remotely take control over an affected computer. A bot attack forces a real user out of a merchant’s space to steal real information for malicious reasons.


An Account Takeover (AT) is when a fraudster takes control of an HSA. Identity theft—the fraudulent use of a real individual’s identification—and breaches are scary not only because of the amount of risk associated with them, but also because the latest type of breach involves a fraudster gaining access to your account and creating a new one.


When a fraudster uses real and fake identification from a bot attack to create a completely new identity, it’s called a synthetic identity. Fraudsters use your “Fullz”—a slang term used by credit card hackers and data resellers meaning “full packages of individuals’ identifying information.” Fullz usually contain an individual’s name, Social Security number, birth date, account numbers and other data. Fullz are sold to identity thieves who use them in credit fraud schemes. These accounts are also referred to as New Account Fraud (NAF).


According to the 2019 Javelin Identity Fraud Study, losses from NAF increased from $3 billion in 2017 to $3.4 billion in 2018.


Cardholders and account holders who interact with e-Commerce and m-Commerce merchants have a higher risk of identity theft than their counterparts. These specific merchants attribute nearly half of identity theft reported to synthetic identities, according to the LexisNexis study.


While the total number of medical/health care industry breaches fell from 2017 to 2018, the number of personally identifiable information (PII) records exposed increased over 85%. There may be fewer hits and tries, but fraudsters are getting better at it.


Retail HSA accounts are targeted at a higher rate than employer-based accounts, but employer-based accounts are not excluded. Multiple synthetic fraud identities can make up a complete employer group, according to a Javelin report.


Industry experts say that for the long term, improved consumer authentication will be essential in the fight against increasingly sophisticated fraud schemes. If accounts can be reliably linked with genuine, legitimate account holders, it becomes much harder for fraudsters to operate.