Over the past couple of years, both CVS and CMS (the Medicare agency) have suffered data breaches of varying degrees.
The personal information left vulnerable in those breaches runs the gamut from the usual name and address to, in situations related to CMS, hospital account numbers, dates of service, Medicare Beneficiary Identifier (MBI) and/or health insurance claim number for CMS subscribers.
For CVS customers, Twingate reported that the data exposed in some of the breaches also included customer email addresses, user IDs, customer searches on CVS Pharmacy websites for COVID-19 vaccines and other medications, CVS Caremark and Medicare data and potentially compromised personal information.
Taken together, scammers may have married the information from those breaches to create a new database that allows the fraudsters to personalize their scams.
And now, it looks like consumers are having to bear the brunt of that shotgun wedding. Twice in the last two weeks, ConsumerAffairs has witnessed calls from someone claiming to be from “CVS,” having the target’s name and address, and asking if they were still experiencing back pain issues. Interestingly, while Google call screener usually flags these calls as “potential scam,” these calls are getting around that filter.
When ConsumerAffairs asked for a website address for the supposed “CVS” so we could “find out more information,” the next sound we heard was a big, fat click.
While we didn’t have the opportunity to get to what the scammers were really after, it’s quite possible that because of the “back pain” reference, it was a version of the back brace scam that’s been out and about for the last year.
Medicare’s Open Enrollment period could mean more of the same
Now that Medicare’s Open Enrollment period has kicked into high gear, Americans should be extra careful about any number of versions of Medicare-related scams. Here are some of the ones you could be hit with:
- Someone – such as a medical service or equipment provider – offering you an item (such as a back brace, or other orthotics like a power wheelchair or scooter) that Medicare “wants you to have.”
- Someone who’s offering an item or service that Medicare will pay for.
- “New” plastic Medicare cards.
- Calls saying that your Medicare card is no longer valid or that your subscription is about to be canceled.
Don’t take any call you don’t recognize
And, whatever you do, if a call comes through from a phone number that you don’t recognize, let it go to voicemail. Attorney Steven Weisman, who runs Scamicide, explains that those calls – such as the “CVS” ones that ConsumerAffairs received – are done through “spoofing.”
Weisman says that spoofing allows a scammer to manipulate your caller ID and make it appear that the call is from the government or some legitimate company when in fact, it is from an identity thief who is eager to steal your money.
“Never give personal information to anyone who calls you on the phone because you can never be sure who is actually on the other end of the line,” he said. And that includes Medicare.
“Medicare will never call people enrolled in Medicare to ask for or check Medicare numbers,” a representative for CMS told ConsumerAffairs.
“We encourage people with Medicare to report if they are receiving such calls or outreach. Anyone can report suspected Medicare fraud by contacting the HHS fraud hotline at 800-447-8477 (which is 800-HHS-Tips),” the agency suggests.
But, if you think someone’s legit…
Scammers are becoming increasingly artful and authentic-sounding, thanks to CVS and the ways they can cobble pieces of personal information together. That puts all of us in a much tougher position, but if we think someone is for real, Roger Grimes, data-driven defense evangelist at KnowBe4, suggests you ask this question:
"Can I call a phone number publicly listed by your company and reach you?" Grimes says that if they say yes and you can verify that the number is truly affiliated with the legitimate company, then that's a good thing.
“You can't rely on the person telling you the phone number or even website to go to. You must be able to find it on the legitimate company's website. You can't even trust Google. Googling a company's phone number will often come back with fake, malicious phone numbers. You have to be sure you're getting a legitimate phone number.”