Data Breach Risks During Annual Enrollment

Why do data breach risks increase during annual benefits enrollment?

October 6, 2017

Cybercriminals, identity thieves and hackers are willing to take drastic measures to infiltrate the data-rich annual enrollment process.

After all, your organization is handling and transferring huge volumes of sensitive information – between companies, employees and suppliers. Health insurance information is among the most targeted. On average, medical records sell for $20 on the black market while Visa® or MasterCard® data only goes for around $4.

Hackers can exploit insurance data in multiple ways — from receiving medical treatment or prescription drugs in the victim’s name, to redirecting mail using the victim’s address or opening new lines of credit with their Social Security number.

How can you mitigate data breach risks during annual enrollment?

  1. Create a more security-conscious work environment
    Work closely with IT to understand your risks and how to appropriately address them. Encourage your team to remain vigilant of cyber threats.

  2. Clearly communicate the enrollment process
    Ensure all enrollment materials are sent in a clear and secure manner. Clearly map out the enrollment process so employees can anticipate requirements and better detect enrollment-focused phishing scams.

  3. Ensure that defenses are in place
    Restrict access to enrollment documents, shred sensitive documents, and enforce a “clean desk” policy. Work with IT to ensure anti-virus software is up to date and all applications are regularly patched. Outline and relay expected employee conduct online (including search, download and social media restrictions). Secure Wi-Fi networks.

  4. Create an anonymous fraud hotline
    Tips are the leading detection method of occupational fraud, accounting for 39 percent of all cases. Create an anonymous tip hotline and encourage employees to call if they suspect fraud.

  5. Develop a data breach response plan
    Your plan should include appropriate contacts (law enforcement, insurance companies and consumer protection agencies), IT procedures, and announcement/post-breach material for impacted individuals. Ensure a dedicated phone number and website are created to help answer breach-related questions.