Medical Records Used for Telephone Phishing Scam in Chicago

Cybercriminals are breaking into healthcare IT systems and stealing equipment to gain access to highly valuable Protected Health Information (PHI). With this data criminals can make bogus insurance claims, apply for credit, and obtain medical prescriptions and services. This is not the only way that data is obtained to commit fraud.

In Chicago this week, a new telephone phishing scam has been uncovered. As with spear phishing, the perpetrators can be very convincing. With a limited amount of personal information about a person, they are able to obtain much more valuable data, provided they can convince the potential victim to divulge it.

The latest scam appears to involve a HIPAA breach, as the criminals have highly intimate knowledge of the victims and information that could only be found in health records. With the latest scam, two patients that have reported being called claim the callers had information that only a hospital or their doctor would know.

Not all data breaches provide criminals will a full set of data with which they can use commit any number of crimes. Sometimes key information is missing, in this case the criminals appear to be after financial information.

Hello Mrs. Smith, I am calling about your Zofran prescription…

A CBS 2 investigator was alerted to the new scam when Naperville resident, Chris Carlin, reported receiving a phone call to her cell phone from a person who had intimate knowledge of her medical records, prescriptions and past health conditions. She claimed that this information was only provided to her doctor, at Advocate Good Samaritan Hospital in Downers Grove.

A class-action lawsuit has been filed and you are entitled to compensation…..

In this case of telephone phishing, the caller was trying to recruit the patient to join a class-action lawsuit against the manufacturer of a prescription drug, Zofran, saying that the anti-nausea medication had been linked to “birth defects and other medical side effects”. With the information the caller had, Carlin believed there may have been a data breach at the hospital, especially when she was asked for her financial information.

The call aroused her suspicions and she hung up, only to receive a number of other calls from other people. According to the report, she is not the only person to have been called. The telephone calls also appear to be coming from a number of worldwide locations.

The two patients who have reported being contacted by the scammers had both received medical services via Advocate Health System doctors.

Has Advocate Health System Data Been Sold to Criminals?

Two years ago, Advocate Health System suffered a major data breach that exposed the data of over 4 million individuals (4,029,530 records). The offices of the healthcare provider were broken into and computers containing unencrypted healthcare information were stolen. Often criminals sit on stolen data for some time, and it is only after a number of months or years has passed that the data is sold or used; when the breach victims are likely to be less cautious.

If the Advocate Health System data breach does prove to be the source of the data, many more U.S citizens are likely to receive calls over the coming weeks, months and years.

Advocate Health System is conducting an investigation into the incident according to CBS, but has already confirmed that the information apparently in the possession of the thieves was not present on the computer equipment stolen in the burglary, indicating that the data has come from another source. Whether this means that there has been another Advocate Health System breach or the data has been obtained from another source remains to be seen.

In the meantime, any person contacted by telephone by a caller with knowledge of their prescriptions or medical conditions should never disclose further sensitive details, in particular financial information. Anyone suspecting a telephone phishing scam such as this, where information is known by the caller that is not publicly available, should report the matter to their healthcare provider, law enforcement and the Federal Trade Commission.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.