Crims taking advantage of the ridiculously complex US healthcare billing system


Criminals masquerading as insurers are tricking patients and healthcare providers into handing over medical records and bank account information via emails and text messages, according to the FBI.

In a Friday security alert, the federal cops warned the public to be on the lookout for emails and texts purporting to come from health insurers and claims investigators. Criminals are sending these messages to patients and healthcare providers alike in this latest healthcare fraud scheme.

"The messages are designed to pressure victims into disclosing protected health information, medical records, personal financial details, or providing reimbursements for alleged service overpayments or non-covered services," the FBI warned.

Errol Weiss, chief security officer of the Health Information Sharing and Analysis Center (Health-ISAC), said his nonprofit's members have also reported an increase in phishing and social-engineering scams targeting healthcare organizations, similar to those detailed in the FBI's alert.

"These incidents often involve adversaries impersonating trusted entities, such as government organizations or established global brand names to deceive people into divulging sensitive information," Weiss told The Register. "The healthcare sector, with its complex billing and procurement processes, unfortunately presents a rich target for this kind of financial fraud."

Criminals frequently use previously leaked data to make their social-engineering attacks more believable, he added. 

"They use stolen information — anything from a partial SSN to the details of a recent vendor transaction — to build a false sense of trust with their target," Weiss said. "It's a classic confidence trick, where a few 'secret' details are used to convince an employee that the entire request is legitimate."


While the FBI hasn't blamed these attacks on a particular individual or criminal organization — The Register asked about attribution, and the bureau declined to comment — Weiss said the tactics observed indicate "well-organized, financially motivated cybercriminal groups and, in some cases, cash-hungry state-sponsored actors like North Korea."

"These aren't casual hackers," he added. "They are sophisticated operations that invest time in reconnaissance to make their fraudulent requests appear as legitimate as possible. Their primary goal is direct financial theft through fraudulent wire transfers and payments."

To avoid falling victim to this type of healthcare fraud, the FBI urges people to be wary of unsolicited messages and calls requesting personal information.

Of course, some bills that patients receive from their healthcare providers and calls from insurance adjusters arrive without warning, so it's a good idea to contact providers directly to verify the legitimacy of any messages before sharing personal or health information.

"Historically, we've been warning people about emails that have a sense of urgency, contain grammatical errors or use an uncommon choice of words — but the cybercriminals are leveraging AI, so their email scams are harder to spot nowadays," Weiss said.  

"My advice is verify, verify, verify: The single most effective defense is to verify requests out-of-band," he continued. "If you receive an email or text message asking to change payment information or make an urgent, unexpected payment, do not reply to the email or text message, and do not use contact information from it. Instead, pick up the phone and call your established contact at that vendor using a trusted phone number from your own records." ®
