Citizens Memorial Hospital Latest Victim of W-2 Phishing Scam

Another healthcare provider has announced that one of its employees has been fooled by a W-2 phishing scam. Citizens Memorial Hospital in Bolivar, MO., says a request for W-2 Form data was sent to one of its employees by email.

The employee responded to the request believing the message was legitimate and had been sent internally. W-2 Forms for all employees at the 86-bed hospital who had taxable earnings for the 2016 fiscal year were sent via email to the scammers as requested. No announcement has been made about the number of employees impacted by the incident. The hospital discovered it was the victim of a scam the following day.

The incident has been reported to both the FBI and the IRS and affected employees have been notified and offered 2 years of identity theft protection services without charge through Experian. The incident is not a HIPAA breach as HIPAA Rules do not apply to employee data.

To prevent repeat attacks, Citizens Memorial Hospital will be enhancing its data security education programs. Staff will receive further training to help them identify any further phishing scams sent via email.

The W-2 phishing scam has already claimed many victims this year. The scammers send an email to a member of the payroll/HR department requesting W-2 Form data for all employees who worked for the organization in 2016. The scammers usually impersonate the CEO/CFO and use an email address similar to that used by the targeted organization. Oftentimes, there is one letter missing from the domain part of the email address. A casual glance at the sender’s address is unlikely to reveal that the email is a scam. A careful check will reveal that the email account has been spoofed.

This type of scam was popular last tax season. There were at least 145 victims of the scam last year and tens of thousands of employees had their Social Security numbers, personal information, and earnings disclosed to tax fraudsters. Earlier this month, the IRS issued a warning to educational institutions, nonprofits, tribal organization and healthcare organizations about the W-2 phishing scam advising them to be on high alert. is tracking reports of W-2 Form phishing scams. There have already been 62 organizations that have announced they have been fooled by the W-2 phishing scam in 2017.

In addition to Citizens Memorial Hospital, the following healthcare organizations have reported that an employee responded to the scam and disclosed employee data:

  • Adventist Health, Tehachapi Valley, CA
  • Campbell County Health, WY
  • EHealthInsurance, CA
  • Point Coupee Hospital, LA
  • SouthEast Alaska Regional Health Consortium, AK

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.