Hackers are stealing millions by breaking into healthcare payment processors to divert payments. The FBI issued a warning this week about the aggressive tactics and skyrocketing costs.
Payment processing vendors in healthcare are business associates, so these thefts are HIPAA breaches if protected health information (PHI) has been disclosed. So far it’s not clear whether that is the case, but these vendors are clearly exposed: the cyber criminals have successfully stolen credentials and financial information. Basic HIPAA compliance requires organizations to evaluate their business associates (and subcontractor BAs) and to have business associate agreements with them.
The attacks are aggressive, but the tactics are not new. Criminals identify business associate staff from the staff members’ own social media postings, then target those employees and their employers. They use social engineering to gain the employees’ confidence and extract the information they need to victimize the payment processors. The criminals have obtained access to files, healthcare portals, payment information, and websites. In one case a criminal changed victims’ direct deposit information to a bank account the attacker controlled, redirecting $3.1 million.
The criminals are using a variety of techniques, such as phishing campaigns and social engineering, to spoof support centers and obtain user access. The amounts stolen are staggering.
Examples cited by the FBI include:
- In April 2022, a healthcare company with more than 175 medical providers discovered an unauthorized cyber criminal posing as an employee had changed Automated Clearing House (ACH) instructions of one of their payment processing vendors to direct payments to the cyber criminal rather than the intended providers. The cyber criminal successfully diverted approximately $840,000 over two transactions before being discovered.
- In February 2022, a cyber criminal obtained credentials from a major healthcare company and changed direct deposit banking information from a hospital to a consumer checking account belonging to the cyber criminal, resulting in a $3.1 million loss.
- In mid-February 2022, in a separate incident a different cyber criminal used the same method to steal approximately $700,000.
- From June 2018 to January 2019, cyber criminals targeted and accessed at least 65 healthcare payment processors throughout the United States to replace legitimate customer banking and contact information with accounts controlled by the cyber criminals. One victim reported a loss of approximately $1.5 million. The cyber criminals used a combination of publicly available personal information and phishing schemes to gain access to customer accounts.
According to the FBI, healthcare payment processing vendors remain vulnerable to exploitation via these methods.
Fight Phishing with Cybersecurity Awareness Training
Each of the FBI’s recommendations to fight this crime is addressed through HIPAA Risk Analysis and the security risk assessment contained in The HIPAA E-Tool®.
Enabling anti-virus and anti-malware protection is the first recommendation, and performing regular security assessments is the second. But perhaps the most important and urgent advice is employee training. Criminals exploit weaknesses caused mainly by human error: staff without cybersecurity awareness become targets.
Security awareness training enables staff to detect phishing at work and at home. Contact us to get “Think Before You Click” magnets for your organization.
Business Associate Due Diligence Prevents Crime
Business associate due diligence and up-to-date business associate agreements are also key elements of The HIPAA E-Tool®, with a simple form to help you assess business associate compliance. If you need help, let us know.