Officials Warn of Phone Scams Targeting Hospitals and Patients
Tucked into the University of South Florida’s Tampa campus, the H. Lee Moffitt Cancer Center & Research Institute treats a range of health issues and pioneers research in oncology and drug discovery.
But the Moffitt staff — like hospital workers throughout the country — have struggled to deal with a particular IT problem in recent years: robocalls and phone scams that clog lines and put sensitive data at risk.
In a 90-day period last year, Moffitt received 6,600 fraudulent calls that appeared to come from inside the organization, according to Dave Summitt, the center’s chief information security officer. Hundreds of other calls were spoofed to look like they were coming from federal agencies.
“When our employees answered the phone, they were subjected to an urgent request by the caller who self-identified as a [Department of Justice] employee. They demanded to speak with the named physician — and only that physician — and communicated an urgent problem affecting his medical license number and his Drug Enforcement Agency number,” Summitt recounted at a Congressional hearing last April.
The problem of healthcare phone scams has grown more urgent since then, as hospitals grapple with a surge of patients and other challenges related to the COVID-19 pandemic.
This week, top regulators and law enforcement officials explained how the problem has evolved and described initiatives aimed at putting an end to robocalls affecting hospitals and other organizations.
Phone scams can take several forms, but many are analogous to email phishing attacks. Scammers spoof calls, tricking caller ID systems into displaying a phone number different from the one the call was actually placed from. If a victim believes a call is coming from a cancer center or federal agency, they might be more likely to pick up and disclose sensitive information, such as their credit card number, name, and date of birth.
“What really scares me is that some of these scammers are pretending to be hospitals... People will answer it and they can get taken in by that,” Colorado Attorney General Phil Weiser said Wednesday at a virtual event hosted by USTelecom, a trade association representing the telecommunications industry.
“An example happening now is callers pretending to be the Boulder health department doing contact tracing,” Weiser said. “A call comes in and they say someone you know just got COVID, you need to come in for a test, you need to give your credit card.”
During the event, Ajit Pai, Chairman of the U.S. Federal Communications Commission, highlighted the FCC’s new Hospital Robocall Protection Group, which aims to bring together service providers, hospital staff, and federal and state government to find ways to combat fraudulent calls. The group, which is chaired by Summitt, the Moffitt Cancer Center CISO, held its inaugural meeting in late July.
The group is one of several recent government initiatives aimed at stopping robocalls. The TRACED Act, which was signed into law late last year, increases penalties for illegal robocalling and requires telecom carriers to implement a phone number authentication system that improves the accuracy of the caller-ID displayed on phones.
Additionally, the FCC in March issued new rules requiring phone providers to implement call verification technology by June 2021, The Verge reported. The technology, called STIR/SHAKEN, helps verify that the caller-ID information transmitted with a call matches the caller’s actual phone number.
Until those mandates take effect, however, hospitals and patients must be particularly vigilant about healthcare-related phone scams.
“The scammers are clever and they’re going to keep looking for ways to get people to trust them and share information that people will regret sharing,” Weiser said. “The goal is always the same, get people to give up information like their Social Security number, checking account, credit card number, and then they find themselves in a world of hurt.”
Adam Janofsky is the founding editor-in-chief of The Record by Recorded Future. He previously was the cybersecurity and privacy reporter for Protocol, and prior to that covered cybersecurity, AI, and other emerging technology for The Wall Street Journal.