HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

FBI Warns of Ongoing Cybercriminal Campaigns Targeting Healthcare Payment Processors

The Federal Bureau of Investigation (FBI) has issued a TLP:WHITE Private Industry Notification warning about ongoing cybercriminal campaigns targeting healthcare payment processors that attempt to redirect victim payments to accounts under the control of the attackers.

These attacks use social engineering techniques to obtain the login credentials of healthcare payment processors to allow them to divert payments, such as phishing attacks that spoof support centers. The attackers have used publicly available personally identifiable information to obtain access to files, healthcare portals, payment information, and websites.

The goal of these attacks is to change direct deposit information, which in one attack on a large healthcare company in February 2022, resulted in changes to direct deposit information for a consumer checking account that saw payments totaling $3.1 million redirected to the attacker’s account. The same month, a separate attack occurred that used similar techniques to redirect around $700,000.

In April 2022, a healthcare company with 175 medical providers discovered an attack where an employee had been impersonated and Automated Clearing House (ACH) instructions of one of their payment processing vendors were sent that redirected payments to a cybercriminal’s account, resulting in two payments totaling $840,000 being sent to the attacker’s account.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

The FBI says between June 2018 and January 2019 at least 65 healthcare payment processors were targeted in the United States and contact information and banking details were changed to direct payments to attacker-controlled accounts, with one of those attacks seeing payments totaling $1.5 million being lost, with the initial access to a customer account being gained through phishing. The FBI warns that entities involved in the processing and distributing healthcare payments through payment processors remain vulnerable to attacks such as this.

Phishing emails are sent to employees in the financial departments of a targeted healthcare payment processor. A trusted individual is often impersonated, and social engineering techniques are used to trick employees into making changes to bank accounts. Login credentials are stolen in these attacks that allow the attacker to make changes to email exchange server configurations and set up custom rules for accounts of interest.

Employees that have been targeted have reported receiving requests to reset passwords and 2FA phone numbers within a short time frame. The attackers change account credentials to allow persistent access, and the employees who had their accounts hacked report being locked out of their payment processor accounts due to failed password recovery attempts.

The FBI has made several recommendations on how to defend against these attacks and reduce the risk of compromise. These include:

  • Ensure endpoint detection software is used on all endpoints, including up-to-date anti-virus and anti-malware solutions
  • Conduct regular network security assessments, penetration tests, and vulnerability scans
  • Provide training to the workforce to teach employees how to recognize phishing and social engineering attacks, and provide an easy way for them to report suspicious emails – such as an Outlook plugin that allows one-click reporting
  • Ensure employees are aware that they must only conduct requests for sensitive information through approved secondary channels
  • Set up multi-factor authentication for all accounts, ideally requiring a physical device for authentication – such as a Yubikey – rather than a one-time code sent to a mobile device
  • Verify and modify as needed contract renewals to include the inability to change both credentials and 2FA within the same timeframe to reduce further vulnerability exploitations.
  • Implement policies and procedures for changing existing financial information to include verification through an appropriate, established channel
  • Ensure all accounts have strong, unique passwords set
  • Ensure software is updated and patches are applied promptly to prevent the exploitation of vulnerabilities.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.