Telephone Phishing Attack: Chicago Medical Records Used

Cybercriminals are stealing healthcare IT devices to gain access to Protected Health Information (PHI) so they can can make false insurance claims, apply for credit, and obtain medical prescriptions and services. This is one of many ways that data is obtained to commit fraud.

A new telephone phishing scam has been uncovered in Chicago. As with spear phishing, the criminals can be very convincing. With a limited amount of personal data about an individual, they are able to obtain much more valuable data, provided they can convince the potential victim to hand it over.

The latest scam seems to involve a HIPAA violation, as the criminals have highly intimate knowledge of the victims and information that could only be located in health records. With the latest campaign, two patients that have reported being called believe the callers had information that only a hospital or their doctor could know.

Not all data breaches supply criminals will a full set of data with which they can use to carry out any number of crimes. Sometimes key information is not present, in this case the criminals look to be after private financial data.

CBS 2 investigator was made aware of the new scam when Naperville resident, Chris Carlin, reported receiving a phone call to her cell phone from an individual who had detailed knowledge of her medical records, prescriptions and past health conditions. She claimed that this data was only givento her doctor, at Advocate Good Samaritan Hospital in Downers Grove.

The caller was trying to get the patient to join a class-action lawsuit against the producer of a prescription drug, Zofran, saying that the anti-nausea medication had been connected to “birth defects and other medical side effects”. With the information the caller was in possession of, Carlin believed there may have been a data violation at the hospital, especially when she was asked for her financial data.

The call aroused her suspicions and she ended it, only to receive a number of other calls from other individuals. According to the report, she is not the only person to have been contacted. The telephone calls also appear to be coming from a number of worldwide regions.

The two patients who have reported being called by the scammers had both received medical treatment from Advocate Health System doctors.

In 2013, Advocate Health System experienced a major data breach that exposed the data of over 4 million people (4,029,530 records). The offices of the healthcare provider were broken into and computers storing unencrypted healthcare information were stolen. Often criminals keep stolen data for some time, and it is only after a number of months or years has passed that the data is sold or used; when the breach victims might be less cautious.

If the Advocate Health System data violation does prove to be the source of the data, many more U.S cresidents are likely to receive calls over the coming weeks, months and years.

Advocate Health System is conducting a review of the incident according to CBS, but has already confirmed that the information apparently in the possession of the thieves was not present on the computer equipment stolen in the robbery, suggestinging that the data has come from another source. Whether this means that there has been another Advocate Health System breach or the data has been taken from another source remains to be seen.

Any individual contacted by telephone by a caller with knowledge of their prescriptions or medical history should never disclose further sensitive details, in particular financial data. Anyone suspecting a telephone phishing attack such as this, where caller is aware of information that is not publicly available, should report the matter to their healthcare supplier, law enforcement and the Federal Trade Commission.