Telephone Phishing Attack: Chicago Medical Records Used

Jun 4, 2015

Cybercriminals are stealing healthcare IT devices to gain access to Protected Health Information (PHI) so they can make false insurance claims, apply for credit, and obtain medical prescriptions and services. This is one of many ways that data is obtained to commit fraud.

A new telephone phishing scam has been uncovered in Chicago. As with spear phishing, the criminals can be very convincing. With a limited amount of personal data about an individual, they are able to obtain much more valuable data, provided they can convince the potential victim to hand it over.

The latest scam seems to involve a HIPAA violation, as the criminals have highly intimate knowledge of the victims and information that could only be located in health records. With the latest campaign, two patients that have reported being called believe the callers had information that only a hospital or their doctor could know.

Not all data breaches supply criminals with a full set of data which they can use to carry out any number of crimes. Sometimes key information is not present; in this case the criminals look to be after private financial data.

A CBS 2 investigator was made aware of the new scam when Naperville resident, Chris Carlin, reported receiving a phone call to her cell phone from an individual who had detailed knowledge of her medical records, prescriptions and past health conditions. She claimed that this data was only given to her doctor, at Advocate Good Samaritan Hospital in Downers Grove.

The caller was trying to get the patient to join a class-action lawsuit against the producer of a prescription drug, Zofran, saying that the anti-nausea medication had been connected to “birth defects and other medical side effects”. With the information the caller was in possession of, Carlin believed there may have been a data violation at the hospital, especially when she was asked for her financial data.

The call aroused her suspicions and she ended it, only to receive a number of other calls from other individuals. According to the report, she is not the only person to have been contacted. The telephone calls also appear to be coming from a number of worldwide regions.

The two patients who have reported being called by the scammers had both received medical treatment from Advocate Health System doctors.

In 2013, Advocate Health System experienced a major data breach that exposed the data of over 4 million people (4,029,530 records). The offices of the healthcare provider were broken into and computers storing unencrypted healthcare information were stolen. Often criminals keep stolen data for some time, and it is only after a number of months or years have passed that the data is sold or used, when the breach victims might be less cautious.

If the Advocate Health System data violation does prove to be the source of the data, many more U.S. residents are likely to receive calls over the coming weeks, months and years.

Advocate Health System is conducting a review of the incident according to CBS, but has already confirmed that the information apparently in the possession of the thieves was not present on the computer equipment stolen in the robbery, suggesting that the data has come from another source. Whether this means that there has been another Advocate Health System breach or the data has been taken from another source remains to be seen.

Any individual contacted by telephone by a caller with knowledge of their prescriptions or medical history should never disclose further sensitive details, in particular financial data. Anyone suspecting a telephone phishing attack such as this, where the caller is aware of information that is not publicly available, should report the matter to their healthcare supplier, law enforcement and the Federal Trade Commission.


Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:
