August 12, 2024

Aetna's Medicare Advantage Member Rewards Website Also Rewarding For Hackers

 By Alan Mittermaier - President HealthMetrix Research Inc.

      How secure are Medicare Advantage member account websites?  In my case, I discovered recently that my Aetna Medicare Advantage member rewards account was an easy target for a hacker who cashed in on reward points and a $90 digital gift card.  Upon unsuccessfully logging in to my account to renew a prescription, Aetna's customer service informed me my user name and email address had been changed April 4.  The hacker did not waste time getting to my rewards page to check the boxes for health services eligible for reward points -- vaccinations (15 points), wellness visit (25 points), health home visit (50 points) -- then selecting to receive the $90 Home Depot digital gift card that was issued the same day, April 4.  Estimated transaction time for the hacker to log in and redeem reward points might have taken 7-10 minutes. A reverse search for the email account yielded no results, indicating this was a disposable fake address that replaced my original address.

     What measures did Aetna take to verify the unauthorized changes?  Below is the April 4 email message I received (but neglected to notice) indicating that I had accessed Aetna's 'forgot user name' feature.  While this generic email might have been a red flag to contact Aetna, there was minimal detail provided to get my attention and take action.  Even if I had responded immediately to Aetna's April 4 notification, the account hacker would have already requested the gift card and exited my account.  A more detailed notification would have provided good reason to act, e.g., "You recently requested changing your user name to ABCxxx123 and email address to [new email address]. Please reply or call customer service within 24 hours to confirm both changes."

    What preventive security measures should Aetna and its Medicare Advantage members take to protect their accounts?  Following a 90-minute customer service phone call, Aetna offered to create a two-step verification for making member account changes.  The second step requires providing my Medicare card number prior to making account changes.  Still more evidence that Aetna's firewall for protecting member accounts is vulnerable -- my wife experienced the same incident May 16 when her rewards account was fraudulently hacked and a $90 digital gift card was issued.  This repeated pattern -- 1) changing a member's user name and email address, then 2) immediately filling out the member's eligible rewards activities in order to request a gift card -- should be a red flag for suspicious activity.  Finally, Aetna security should conduct reverse email searches to determine whether a member's new email address is likely to be fake.
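The red-flag sequence described above (user name and email address changed, then a gift card requested soon after) can be checked against an account audit trail. The following is an added example, not Aetna's code and not part of the original article; the event names, field names, sample events and the 24-hour default window are all assumptions constructed for illustration.

```python
from datetime import datetime

# Constructed sample audit events; event and field names are assumptions.
EVENTS = [
    # Both identity fields changed, then a gift card requested minutes later.
    {"member": "M-1001", "ts": "2024-01-15T10:02:00", "type": "username_change"},
    {"member": "M-1001", "ts": "2024-01-15T10:02:30", "type": "email_change"},
    {"member": "M-1001", "ts": "2024-01-15T10:06:00", "type": "reward_claim"},
    {"member": "M-1001", "ts": "2024-01-15T10:09:00", "type": "gift_card_request"},
    # Both fields changed, but the redemption comes three days later.
    {"member": "M-2002", "ts": "2024-01-10T09:00:00", "type": "username_change"},
    {"member": "M-2002", "ts": "2024-01-10T09:01:00", "type": "email_change"},
    {"member": "M-2002", "ts": "2024-01-13T15:00:00", "type": "gift_card_request"},
    # Only the user name changed before the redemption.
    {"member": "M-3003", "ts": "2024-01-15T11:00:00", "type": "username_change"},
    {"member": "M-3003", "ts": "2024-01-15T11:05:00", "type": "gift_card_request"},
]

IDENTITY_CHANGES = ("username_change", "email_change")


def flag_takeovers(events, window_minutes=24 * 60):
    """Flag gift card requests made within the window of BOTH a user name
    change and an email change on the same account."""
    last_change = {}  # (member, change type) -> time of the most recent change
    alerts = []
    # ISO 8601 timestamps of equal length sort chronologically as strings.
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] in IDENTITY_CHANGES:
            last_change[(ev["member"], ev["type"])] = ts
        elif ev["type"] == "gift_card_request":
            changes = [last_change.get((ev["member"], c)) for c in IDENTITY_CHANGES]
            if None in changes:
                continue  # one of the two identity fields was never changed
            # The older of the two changes must still fall inside the window.
            if (ts - min(changes)).total_seconds() / 60 <= window_minutes:
                alerts.append({
                    "member": ev["member"],
                    "requested_at": ev["ts"],
                    "minutes_since_change": (ts - max(changes)).total_seconds() / 60,
                })
    return alerts


if __name__ == "__main__":
    for alert in flag_takeovers(EVENTS):
        print(alert)
```

A match is a reason to hold the gift card and confirm the changes with the member through the contact details that were on file before the change.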

    Bottom line?  Even if this does not constitute a broader security breach that compromises personal medical records, Aetna is obligated to notify all members to log in to their accounts to determine whether hackers have changed user names and email addresses.  Additionally, Aetna should offer the two-step verification option to all members instead of only doing so for members who report hacking incidents.  All members deserve to know and trust that Aetna will provide full transparency and assurance that maximum security measures are in place to protect member accounts.