FBI warns of criminals attacking healthcare payment processors

Millions of dollars have been stolen from healthcare companies after fraudsters gained access to customer accounts and redirected payments.

In a newly-published advisory directed at the healthcare payment industry, the FBI warns that cybercriminals are using a cocktail of publicly-available Personally Identifiable Information (PII) and social engineering techniques to impersonate victims and obtain access to files, healthcare portals, payment information, and websites.

With compromised login credentials for healthcare payment processors exploited, the criminals divert payments to bank accounts under their own control.

As the FBI describes, in February 2022 a malicious hacker who managed to obtain access to accounts at a major healthcare company managed to change direct deposit banking information from a hospital to that of the criminal’s own checking account, resulting in a loss of $3.1 million loss. In the same month, a different cybercriminal used the same method to steal approximately $700,000 in a separate incident.

Then two months later, a healthcare company with over 175 medical providers discovered that a cybercriminal posing as an employee had changed payment instructions to direct funds, successfully stealing $840,000 in two transactions before being discovered.

And the threat is clearly not new. From June 2018 to January 2019, the FBI reports, cybercriminals broke into at least 65 healthcare payment processors across the United States and replaced legitimate customer banking and contact information with accounts controlled by the criminals. One victim reported losing approximately $1.5 million as a result.

Tell-tale signs that a healthcare organisation may be being targeted include:

• Targeted phishing emails, in particular those targeting the financial departments of healthcare payment processors.
• Social engineering attempts to obtain access to internal files and payment portals.
• Unwarranted changes in email exchange server configuration and custom rules for specific accounts.
• Requests for employees to reset both passwords and 2FA phone numbers within a short timeframe.
• Employees reporting they are locked out of payment processor accounts due to failed password recovery attempts.

The advice from the FBI for organisations that are being targeted will be familiar to anyone who is responsible for protecting companies outside of the healthcare industry, but is worth repeating:

• Ensure that anti-virus and other security software is kept updated and configured appropriately.
• Check regularly that your network security is compliant with standards and regulations. Perform vulnerability scans and penetration tests to help with this.
• Train staff on how to identify and report phishing and social engineering attacks. Consider options to hamper the success rate of phishing attacks, such as multi-factor authentication. Have employees report suspicious emails, changes to email exchange server configurations, denied password recovery attempts, and password resets within a short timeframe for investigation.
• Advise staff to be cautious of revealing sensitive information (such as login credentials) over the phone or via the web.
• Write an incident response plan, in accordance with HIPAA privacy and security rules.
• Mitigate against vulnerabilities which may be related to third-party vendors, review and understand vendors’ risk thresholds and what may constitute a breach of service, and alert employees when a communication originates from outside the organisation.
• Put company policies in place which require that any changes to existing invoices, bank deposits, and contact information for interactions with third-party vendors, be properly verified. Any direct request for account actions needs to be verified through the appropriate, previously established channels before a request is sanctioned.
• Ensure all passwords are strong, unique passphrases that are not reused anywhere else.
• In the wake of any possible system or network compromise, implement mandatory passphrase changes for all affected accounts.
• Apply patches in a timely fashion.