Tuesday, December 6, 2016

User Account abandonment policy

I have changed employer. From GE Healthcare to By Light. Both companies offer their employees Health Insurance through United Healthcare

I 'figured' that I could continue to use my existing United Healthcare web login account to access both the old and new insurance account. Turns out this is not the way they do it. They want me to create a new web login for the new insurance account. I guess this is logical, and clean for them. It is inconvenient for me to have two accounts at the same web site, but it is also possible.

Chat session with UnitedHealthcare
Paula B. has entered the session.
JOHN MOEHRKE: Hi Paula.
Paula B.: Thank you for being a loyal member with UnitedHealthcare. How can I help you today?
Paula B.: How are you?
JOHN MOEHRKE: I have changed employer
JOHN MOEHRKE: My new Employer also uses UHC
JOHN MOEHRKE: so, how do I get my web login to recognize this new account?
Paula B.: I understand. For the website to recognize your new account through your new employer, you will need to re-register with your new account information.
JOHN MOEHRKE: so... I need to create a new login user? Or is there some process I can use to use the current login?
Paula B.: No, I'm sorry, you cannot use the old information. If I am not mistaken, it will continue to be associated with the old account.
JOHN MOEHRKE: okay. so how do I close the old login account? Meaning, how do I prevent it from ever being used again?
Paula B.: Once you create your new and everything has been update throughout all the databases that old account will no longer be active.

What I was worried about is that after I stop using my old login, their is risk that the account is not monitored and thus possible to be attacked. The attack would need to avoid the normal detection on accounts. But as we have seen this week with Credit-Cards; a smart attacker figures out was to avoid detection. In the case of Credit-Cards, they used many storefronts to try various codes. In the case of a user login, they might simply try a small number (1-3) attempts each day, presuming the detection resets each day. Given that I would not be logging in occasionally, as I have abandoned the account, the attacker has years and years to try.

The good news is that United Healthcare has a policy that covers this. They know that the account is explored. Their login shows me this. They allow me to login for 18 months, so that I can get to old information. Often times this old information might be needed for TAX purposes. So, 18 months is reasonable. After 18 months they totally disable the account. I tried to get details on just what this means, but given the responses I did get up to this point gives me some comfort that they did this right.

Paula B.: Once you create your new and everything has been update throughout all the databases that old account will no longer be active.
JOHN MOEHRKE: when you say... no longer be active... does that mean that it would be impossible to log-in to it? Sorry to be specific, I am a Privacy/Security expert, and don't like abandoned accounts that have healthcare information within them. If I stop using it, I can't tell if an attacker is trying to break in.
Paula B.: I understand.
Paula B.: You will have access to it for up to 18 months. After that point, the information will not longer accessible on myuhc.com.
JOHN MOEHRKE: okay, so that is a specific policy? I like that answer. It gives the user (me in this case) a chance to get old information I might need... while having a specific deadline. Thanks.
JOHN MOEHRKE: can you point to where that policy statement is written? (I trust, but... as I said, I am a Privacy/Security expert... so I like to verify)
Paula B.: You're welcome! I understand, but I am unable to point to where that is written. That is a UnitedHealthcare standard.
JOHN MOEHRKE: okay. thanks
Paula B.: If there is nothing else, thank you chatting today. I hope you have a great day!
Wish I had a policy fragment to point at... I guess I should set a reminder to try in 18 months...