Scam and credential theft activity spikes during open enrollment: What CISOs need to know

Open enrollment periods create ideal conditions for scammers: consumers expect contact about their benefits, and attackers use stolen health plan data to personalize phishing, social engineering, and Medicare-related fraud. When vendor breaches expose member details, criminals use that information to impersonate insurers, redirect benefits, or launch targeted scams. Protecting health plan data and monitoring vendor risk are critical to reducing these attacks.

Why open enrollment fuels scam and credential theft campaigns

In a federal courtroom in Connecticut, a data breach case is moving forward that goes straight to the question of how vulnerable health plans are to their vendors when insurance plan open enrollment periods are in full swing.

Judge Kari A. Dooley of the U.S. District Court for the District of Connecticut is presiding over a case arising from a data breach that allegedly struck Cierant Corporation, a Connecticut marketing and communications vendor serving the health plan industry.

“Businesses that handle health insurance data can protect themselves by showing they acted reasonably before a breach ever occurs, meaning they follow recognized security standards, promptly patch vulnerabilities, carefully vet and monitor their vendors, encrypt sensitive data, and maintain a documented incident-response plan,” said Jacey Kaps, a cybersecurity litigator with RumbergerKirk. “Courts do not expect perfection, but they do expect a company to be able to prove it had strong, proactive safeguards in place and reacted quickly and transparently if something went wrong.”

In re Cierant Corporation Data Breach Litigation focuses on the upstream component of these scams: how attackers are getting the health plan data that feeds those scams in the first place. The case consolidates a number of class actions that trace back to a 2024 open enrollment breach involving a third-party file transfer tool.  

How stolen healthcare data powers open enrollment scams

Stolen healthcare data is as good as currency. During open enrollment, that currency buys more convincing scams, higher conversion rates for fraud, and easier routes into Medicare or insurance billing schemes. That is why attackers harvest and buy beneficiary data ahead of and during enrollment season.

Scammers coordinate their phishing and social engineering campaigns with Medicare open enrollment periods, when people expect to receive outreach by email or physical mail reminding them about their coverage. Federal and consumer protection agencies typically warn plan holders about open enrollment scams. The Federal Trade Commission has documented this scamming surge year after year and has issued multiple open enrollment scam alerts for Medicare beneficiaries and employers. Stolen health plan data makes these campaigns more convincing because attackers can personalize messages with plan names, provider information, or member ID numbers. In practice, there are two stages: first the data is obtained, then it is used.

How attackers obtain health plan data

Member data is obtained through methods such as:

  • Supply chain exploitation, where a third party connected in some way to a provider’s network is compromised by a malicious actor, who then pivots from that access into the insurance provider.
  • Identity compromise of a user at an insurance provider or a connected third party.
  • Misconfigured system services or settings that were never hardened against abuse.
  • Compromising or abusing the consumer data held by data brokers that insurance providers use. Data brokers aggregate identifying information about plan holders so they can be targeted with advertising and custom plan information.

Scammers then use the stolen information to customize their outreach during open enrollment.

The Justice Department’s 2025 National Health Care Fraud Takedown offers one view into this cycle. Prosecutors charged defendants with buying and selling providers’ patient lists that included names, dates of birth, and Medicare beneficiary identifiers. Some of those sales took place in November 2024, in the middle of Medicare open enrollment. The cases show how upstream data theft and downstream scams are linked by a common asset: stolen health data.

Supply chain software exploits driving healthcare breaches

The Cierant Corporation breach illustrates how supply chain vulnerabilities feed this ecosystem. According to Cierant’s own notice of data incident and its letters to consumers, the company detected suspicious activity on December 10, 2024. Investigators determined that an unauthorized actor had exploited a vulnerability in Cleo VLTrader, a third-party secure file transfer tool, and gained access to files processed on behalf of health plans.

Those files contained names, addresses, dates of birth, dates of provided medical treatment, provider names, medical record numbers, health plan beneficiary numbers, claims numbers, and plan member account numbers. Cierant reported the breach to the U.S. Department of Health and Human Services Office for Civil Rights as affecting 232,506 individuals. The company has said that Social Security numbers and financial account numbers were not involved, but the exposed fields are more than enough to support targeted fraud campaigns.

The timing matters. The intrusion occurred during the 2024 open enrollment period, when member communication and eligibility file transfers were at a peak. Victims began filing lawsuits in mid-2025. On October 9, 2025, the federal court in Connecticut consolidated those suits into In re Cierant Corporation Data Breach Litigation.

For health plans and CISOs, the lesson is straightforward. A vulnerability in a third-party vendor’s tool can quickly become a breach of member data at the precise moment when scammers are preparing their next open enrollment campaigns.

Phishing and social engineering in open enrollment attacks

Phishing and social engineering perform double duty in this ecosystem. Attackers use both upstream to harvest credentials and member details that feed data markets. They also use them downstream to run personalized scams that impersonate plans or enrollment tools. Victims are pushed to share more data about themselves directly with fraudsters.

Phishing trends during open enrollment

Open enrollment attracts more phishing aimed at health benefits. The Federal Trade Commission publishes seasonal advisories that warn about scammers becoming more active during Medicare open enrollment, trying to get money, information, or both. Scam messages often claim to offer help comparing plans, obtaining a new Medicare card, or securing a better deal on coverage. In reality, they surreptitiously capture Medicare numbers, dates of birth, bank details, or insurance portal login credentials.

Because attackers often have partial information from prior breaches, phishing attempts can be highly targeted. Messages may reference the victim’s insurer by name, mention specific types of coverage, or spoof caller ID to appear as if they are coming from trusted sources. For someone already overwhelmed by reviewing complex plan options, that familiarity and implied trust is exactly what the scam preys on.

Social engineering targeting health plan staff

The same pattern shows up on the enterprise side. HHS’s Health Sector Cybersecurity Coordination Center and CISA have both issued alerts on social engineering and credential harvesting campaigns that target healthcare organizations. These alerts describe attackers calling help desks, impersonating staff or vendors, and persuading support personnel to reset passwords or enroll unknown endpoint devices onto corporate networks.

Although these campaigns run throughout the year, open enrollment creates a more forgiving environment for social engineers. Staff expect higher contact volumes related to benefits, eligibility, and claims. Attackers exploit that expectation to slip in requests that sound routine but are designed to pivot into internal systems or pull data from enrollment and claims platforms.

When these efforts succeed, attackers can extract the same kind of member information that shows up in the Cierant filings and in other similar data sets at the center of federal fraud cases.

How criminals monetize stolen health plan data

Once criminals have access to stolen or purchased health data, the ways to monetize it are predictable and well documented across enforcement actions and regulatory reports.

1. Direct scams and fraud against victims

Stolen health plan data makes scam outreach attempts seem more credible to victims. Attackers call or message consumers with enough real details to gain trust, then push them to pay for fake services, sign up for bogus plans, or share sensitive financial or medical information. The FTC has reported seasonal spikes in Medicare related scams during open enrollment and continues to encourage beneficiaries to treat unsolicited calls and texts with suspicion.

2. Identity and medical identity theft

With names, dates of birth, member IDs, and provider details, criminals can open new accounts, file false claims, or even obtain medical services in someone else’s name. Medical identity theft is particularly damaging. It can corrupt medical records and create surprise bills that take years to unwind.

3. Data resale and enriched leads

Beneficiary lists and enriched member profiles have value on their own. The Justice Department’s 2025 takedown included cases where defendants sold batches of patient information for thousands of dollars. These lists can support fraudulent billing operations, shady telemarketing campaigns or support further credential harvesting.

4. Sham billing and insurance fraud

Stolen identifiers open the door to billing victims for services never rendered. Fraudsters submit claims under real beneficiary numbers and sometimes under the names of compromised or complicit providers. Large schemes of this kind formed a significant part of the losses alleged in the national takedown.

5. Account takeover and benefit diversion

If attackers obtain insurance provider login credentials as well as personal identifying information, they can take over member accounts, redirect communications, change reimbursement destinations, and manipulate coverage settings. This type of compromise generates ongoing revenue for the attacker until it is detected and remediated.

6. Credential stuffing and access resale

Attackers multiply the value of stolen credentials by replaying them against other online services. Data harvested from compromised data brokers helps them narrow the target list to services tied to the same person, such as other health-related web portals or financial institutions. Because people reuse passwords, those credentials have a good chance of authenticating there too, which raises their resale value.

Why this matters now

The sum of all these stolen components creates a loop of malicious behavior. Vendor breaches like Cierant’s create new pools of available stolen health plan data. Phishing and social engineering harvest more data on top of that. Data markets and fraud operations transform this information into scams and sham billing. Then the cycle repeats against victims now known to be vulnerable to these scams.

The Cierant case is important because it connects that loop back to vendor security. It shows how data stolen during last year’s open enrollment period is surfacing a year later in federal litigation. It also shows how a single file transfer vulnerability at a relatively small marketing vendor can become a legal, financial, and reputational problem for the health plans that rely on it.

What CISOs and health plan providers should do next

Health plan providers are not just fighting scams for the benefit of their plan members. They are now subject to court scrutiny over how they manage vendor risk, monitor third-party tools, and respond when supply chain breaches occur. As the current open enrollment season continues, providers must prepare for another onslaught of attacks.

Harden your environment against scams and credential theft

Vendor-agnostic hardening checklist

  1. Identity management and governance
  • Enforce MFA on all enrollment and benefits-related systems.
  • Enable continuous session monitoring that flags suspicious user sessions, such as a sign-in from a country, network, or IP address the user has never used before.
  • Require Just-in-Time (JIT) administrative access on all devices and platforms hosting health and benefit data.
  • Disable legacy authentication to email, such as basic authentication over POP3, IMAP, and SMTP AUTH, which lets a stolen password bypass MFA.
  2. User security awareness and social engineering defense
  • Enroll employees in a yearly cybersecurity awareness training program from an established training provider.
  • Train staff to report suspicious insurance-related text messages and phone calls immediately to your organization’s information security team.
  • Tell employees never to submit insurance or other benefits documents by email, and to use only the provider’s secure web portal.
  • Explain that sensitive information, like Social Security numbers, passwords, or MFA one-time codes, should never be shared over the phone.
  • Train staff to recognize the official web portal and email messages from your organization’s HR team and your benefits and health plan providers.
  3. Third-party and supply chain risk management
  • Require vendors handling employee benefits data to enforce MFA on their own networks and systems, along with strict access governance.
  • Enforce contractual requirements for breach notification and credential compromise reporting from all benefits providers. Ask vendors to provide reports on their last security incidents or breaches, if any.
  • Mandate that third-party health and benefits vendors maintain security certifications, like SOC 2 or HITRUST. Ask them to provide written attestation that their networks have no unresolved critical vulnerabilities and that internet-facing tools such as managed file transfer servers are patched promptly.
  • Stop spoofed vendor email by checking SPF, DKIM, and DMARC on inbound mail and quarantining messages that claim a vendor’s domain but fail alignment; publish an enforcing DMARC policy for your own domains so others can reject mail that spoofs you.
  4. Endpoint and network controls
  • Disable out-of-date, insecure network protocols such as SSLv3, SMBv1, and TLS 1.0 and 1.1.
  • Enforce application allowlisting policies that prevent users from executing unknown and unapproved software, so that credential-stealing malware cannot install or run.
  • Require secured, monitored VPN or Zero Trust network access for remote employees.
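
The session-monitoring item in the identity section (flagging a sign-in from an atypical location or IP) is easier to reason about with the detection logic in hand. The following Python is an added example written for this article, not ThreatLocker code or any identity provider’s product logic. It learns each user’s usual sign-in countries from a constructed sample log, then flags later successful sign-ins from a country outside that baseline, and pairs of successful sign-ins too far apart in distance and too close in time to be the same person (impossible travel). The log format and field names, the one-week learning window, the 900 km/h threshold, and the documentation IP addresses are all assumptions.

```python
import json
import math
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample sign-in log in JSON-lines form, loosely modelled on a cloud
# identity provider's sign-in export. The field names are an assumption, not a
# vendor schema; country/lat/lon would normally come from IP geolocation.
# Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
{"ts": "2025-11-03T13:02:11Z", "user": "alice", "ip": "198.51.100.23", "country": "US", "lat": 40.7128, "lon": -74.0060, "result": "success"}
{"ts": "2025-11-04T13:10:40Z", "user": "alice", "ip": "198.51.100.23", "country": "US", "lat": 40.7128, "lon": -74.0060, "result": "success"}
{"ts": "2025-11-05T12:58:02Z", "user": "alice", "ip": "198.51.100.23", "country": "US", "lat": 40.7128, "lon": -74.0060, "result": "success"}
{"ts": "2025-11-03T09:15:00Z", "user": "bob", "ip": "198.51.100.77", "country": "US", "lat": 40.7128, "lon": -74.0060, "result": "success"}
{"ts": "2025-11-06T09:20:00Z", "user": "bob", "ip": "198.51.100.77", "country": "US", "lat": 40.7128, "lon": -74.0060, "result": "success"}
{"ts": "2025-11-12T13:00:00Z", "user": "alice", "ip": "198.51.100.23", "country": "US", "lat": 40.7128, "lon": -74.0060, "result": "success"}
{"ts": "2025-11-12T13:52:00Z", "user": "alice", "ip": "203.0.113.9", "country": "NG", "lat": 6.5244, "lon": 3.3792, "result": "success"}
{"ts": "2025-11-12T08:00:00Z", "user": "bob", "ip": "198.51.100.77", "country": "US", "lat": 40.7128, "lon": -74.0060, "result": "success"}
{"ts": "2025-11-12T16:00:00Z", "user": "bob", "ip": "192.0.2.45", "country": "US", "lat": 34.0522, "lon": -118.2437, "result": "success"}
{"ts": "2025-11-12T22:30:00Z", "user": "bob", "ip": "203.0.113.50", "country": "RU", "lat": 55.7558, "lon": 37.6173, "result": "failure"}
"""

# Assumptions: sign-ins before this date form the learning window, and anything
# faster than roughly airliner speed between two sign-ins means two actors.
BASELINE_CUTOFF = datetime(2025, 11, 10, tzinfo=timezone.utc)
MAX_PLAUSIBLE_KMH = 900.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def parse_events(text):
    """Parse JSON lines into dicts with an aware datetime, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def learn_baseline(events, cutoff=BASELINE_CUTOFF):
    """Per user, the set of countries seen on successful sign-ins before the cutoff."""
    baseline = defaultdict(set)
    for ev in events:
        if ev["result"] == "success" and ev["ts"] < cutoff:
            baseline[ev["user"]].add(ev["country"])
    return baseline


def detect_anomalies(events, baseline, cutoff=BASELINE_CUTOFF, max_kmh=MAX_PLAUSIBLE_KMH):
    """Alerts for successful post-cutoff sign-ins that are atypical for the user."""
    alerts = []
    last_seen = {}  # user -> previous successful sign-in in the detection window
    for ev in events:
        # Failed attempts are a credential-stuffing signal handled elsewhere;
        # here we only care about sessions that actually got in.
        if ev["result"] != "success" or ev["ts"] < cutoff:
            continue
        user = ev["user"]
        if ev["country"] not in baseline.get(user, set()):
            alerts.append({"user": user, "ts": ev["ts"].isoformat(), "reason": "new_country",
                           "detail": f"{ev['country']} from {ev['ip']}"})
        prev = last_seen.get(user)
        if prev is not None:
            hours = (ev["ts"] - prev["ts"]).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            if hours > 0 and km / hours > max_kmh:
                alerts.append({"user": user, "ts": ev["ts"].isoformat(), "reason": "impossible_travel",
                               "detail": f"{km:.0f} km in {hours:.1f} h from {prev['ip']} to {ev['ip']}"})
        last_seen[user] = ev
    return alerts


def run(text=SAMPLE_LOG):
    """Learn the baseline and detect anomalies over one log extract."""
    events = parse_events(text)
    return detect_anomalies(events, learn_baseline(events))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

In the sample, alice’s Lagos sign-in 52 minutes after a New York one raises both a new-country and an impossible-travel alert, while bob’s New York to Los Angeles pair eight hours apart stays quiet because the distance, the speed and the country are all within his baseline. A failed foreign attempt against bob is ignored here on purpose: bursts of failures belong in a separate credential-stuffing rule, and alerting on every failure would drown the analyst during enrollment season. Country-level baselines are deliberately coarse; in production you would also key on ASN and device, and treat the first sign-in after a password reset or help-desk MFA re-enrollment as high-risk regardless of location.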

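The email authentication item in the third-party section deserves a concrete check, because a spoofed vendor message is exactly how the personalized open enrollment lures described earlier arrive. The following Python is an added example written for this article, not code from ThreatLocker or any mail gateway vendor. It parses the Authentication-Results header that a receiving mail server stamps on inbound mail and applies DMARC’s alignment rule to messages whose From domain belongs to one of your benefits vendors: the message is delivered only if an SPF pass or a DKIM pass is aligned with that domain, and quarantined otherwise. The vendor domain list, the three sample messages, and the two-label organizational-domain rule are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the domains your benefits and health plan vendors send mail from.
VENDOR_DOMAINS = {"example-healthplan.com", "example-benefits.com"}

# Constructed sample messages. The spoof is the common real-world shape: the
# attacker's own infrastructure passes SPF and DKIM for *its* domain, but the
# visible From domain is the vendor's, so nothing is aligned with it.
SPOOFED_VENDOR_MAIL = """\
From: "Example Health Plan Enrollment" <enrollment@example-healthplan.com>
To: employee@example.org
Subject: Action required: confirm your 2026 coverage
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=bounce@bulk-sender.example.net; dkim=pass header.d=bulk-sender.example.net; dmarc=fail header.from=example-healthplan.com

Your enrollment will lapse unless you verify your member ID today.
"""

LEGITIMATE_VENDOR_MAIL = """\
From: "Example Health Plan Enrollment" <enrollment@example-healthplan.com>
To: employee@example.org
Subject: Your 2026 open enrollment window is open
Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=example-healthplan.com; dkim=pass header.d=mail.example-healthplan.com; dmarc=pass header.from=example-healthplan.com

Sign in at the member portal to review your options.
"""

NON_VENDOR_MAIL = """\
From: colleague@example.org
To: employee@example.org
Subject: Lunch on Thursday?
Authentication-Results: mx.example.org; spf=none

Same place as last time?
"""


def org_domain(domain):
    """Reduce a domain to its organizational domain for relaxed alignment.
    Crude last-two-labels rule (assumption); production code should use the
    Public Suffix List so that e.g. 'example.co.uk' is handled correctly."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def parse_auth_results(header):
    """Parse an Authentication-Results header (RFC 8601) into
    {method: (result, domain the result applies to)}."""
    results = {}
    _, _, body = header.partition(";")  # drop the authserv-id
    for clause in body.split(";"):
        m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", clause, re.I)
        if not m:
            continue
        dom = None
        dm = re.search(r"(?:smtp\.mailfrom|header\.d|header\.from)=([^\s;]+)", clause, re.I)
        if dm:
            dom = dm.group(1).lower().rpartition("@")[2]  # mailfrom may be a full address
        results[m.group(1).lower()] = (m.group(2).lower(), dom)
    return results


def classify(raw_message):
    """Return 'deliver' or 'quarantine'. Policy: a message whose From domain is a
    vendor domain must carry an SPF pass or a DKIM pass whose authenticated
    domain aligns (relaxed) with that From domain, as DMARC requires."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    from_dom = org_domain(addr.rpartition("@")[2])
    if from_dom not in VENDOR_DOMAINS:
        return "deliver"  # not claiming to be a vendor; ordinary filtering applies
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    for method in ("spf", "dkim"):
        result, dom = auth.get(method, ("none", None))
        if result == "pass" and dom is not None and org_domain(dom) == from_dom:
            return "deliver"
    return "quarantine"


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_VENDOR_MAIL), ("legitimate", LEGITIMATE_VENDOR_MAIL),
                      ("non-vendor", NON_VENDOR_MAIL)):
        print(f"{name}: {classify(raw)}")
```

Two caveats matter in deployment. First, only trust an Authentication-Results header whose authserv-id is your own gateway, and strip any such header on inbound mail before your gateway adds its own; otherwise an attacker simply includes a forged one. Second, the check above is your receiving-side policy for mail that impersonates your vendors; it is independent of the DMARC record you publish for your own domain, which tells other receivers what to do with mail that impersonates you. Both are needed.
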
ThreatLocker hardening checklist

1. Allowlisting

Explicitly approve the applications you trust to run within your organization and block anything else by default, preventing malicious, credential-stealing software from installing or running.

2. Ringfencing

Stop malware from leveraging your approved applications. Even if a user clicks a phishing link in their email inbox, Ringfencing will prevent it from automatically running or navigating to a malicious network destination.  

3. Elevation Control

Elevation Control applies a Just-in-Time access framework to all applications, allocating administrative access exactly when it’s needed, for only the strict amount of time it’s needed.

4. Network Control

Use dynamic Network Control ACLs to deny traffic to addresses, subnets, and domains that aren’t owned by your benefits providers.

5. Configuration Manager

Automatically enforce secure system configuration settings against endpoints according to policies you set, ensuring attackers cannot intercept credentials sent over insecure protocols.

6. Defense Against Configurations (DAC)

Discover insecure configurations across endpoints and ThreatLocker products with DAC and learn how to bring them into compliance with relevant security frameworks.

7. Detect and Cloud Detect

Configure automatic endpoint detection and response (EDR) protections across the local network and connected M365 tenants that alert your security team to suspicious logins from potential scammers.

8. Cloud Control

Stop attackers from using stolen M365 credentials by letting Cloud Control automatically learn and update the IP addresses associated with your legitimate users, preventing tenant access from unpermitted network locations.

9. The Unified Audit

See every user account behind all ThreatLocker Zero Trust product events and actions through the Unified Audit.

Frequently Asked Questions

Why do scams increase during open enrollment?
Scams increase because attackers know that consumers expect emails and calls about their benefits during this period. Stolen health plan data makes these scams more convincing.

How does stolen healthcare data fuel open enrollment fraud?
Attackers use real member information to impersonate insurers, redirect benefits, file false claims, or run Medicare scams with much higher success rates.

What role do vendors play in health plan breaches?
Vendor vulnerabilities, such as the Cierant breach, can expose large volumes of member data that attackers later use for downstream fraud campaigns.

How can health plans reduce scam and credential theft risk?
By hardening vendor oversight, enforcing MFA, segmenting systems, monitoring file transfer tools, and using detection controls to spot credential harvesting.

Why is phishing so effective during open enrollment?
Phishing works because messages appear highly relevant, often referencing real plan names or member IDs sourced from previous breaches.
