How to Recognize and Report Healthcare Scams for Ultimate Patient Protection 

Updated on November 15, 2025

The healthcare sector continues to be a primary target for cyberattacks, with profound, real-world impacts on patient care, data security, and finances. Cybercriminals are focused on one thing: making money. They don’t care who they hurt along the way, whether it’s hospitals, patients, or healthcare providers. Because these attacks have costly digital and real-world consequences, being able to recognize, report, and stop them is essential to minimizing harm. Recognizing and reporting scams in the healthcare sector is crucial for protecting sensitive patient data and financial assets and for maintaining operational continuity. Understanding why the healthcare sector is a key target and which tactics healthcare scams commonly use is the key to being part of the solution that stops these attacks in their tracks.

Why the healthcare sector is a top target

Healthcare organizations store a treasure trove of sensitive personal and medical data, making them lucrative targets for data breaches, ransomware, and other cyberattacks or fraudulent activities. Personal information from data breaches can be used to enable follow-on attacks such as targeted social engineering or fraud. Medical records also hold their value longer than payment data: on the dark web, they can be sold for up to 50 times more than credit card numbers, because a credit card can simply be cancelled.

Disruptions to healthcare services can have severe consequences, making organizations more likely to pay ransoms to restore critical systems. Healthcare’s significance as critical infrastructure makes it an attractive target for politically motivated threat actors, as well as financially motivated cybercriminals, who could be interested in medical research and development for economic espionage and intellectual property (IP) theft, highly targeted patient data, or sector disruption as a form of state-backed aggression during conflicts. 

Vulnerabilities are quite prevalent across the sector due to outdated IT infrastructure and a large attack surface. Cloud-based services, third-party integrations, and Internet of Medical Things (IoMT) devices create more entry points for attackers. Exploited edge devices can include those from Citrix, Cisco, Fortinet, and Ivanti.

All these factors make the healthcare sector an attractive target for cyberattacks. 

Healthcare cyberattacks are highly impactful

The healthcare sector is disproportionately targeted: in recent years it has faced a higher number of incidents and greater financial losses than many other sectors.

The impact of these attacks can be severe, ranging from data breaches and financial losses to disruptions in patient care and stealing medical records for ransom demands. Stolen data can be used for fraud or extortion, while stolen credentials can enable initial access for a whole host of follow-on activities. 

Data breaches in healthcare averaged $10 million between 2020 and 2024, making the cost of data breaches in healthcare higher than in any other industry. Breaking that figure down further, the average cost per organization in 2024 reached $4.74 million, a 5% increase from the previous year. The numbers are just as concerning, if not more so, on the patient side. In 2024, an estimated 276 million patient records were compromised, equating to approximately 758,000 records breached daily. Victims of medical identity theft spent an average of 210 hours and $2,500 out of pocket to mitigate the damage. The Change Healthcare breach in February 2024 demonstrates the high cost to both the business and patient sides. In this incident, the BlackCat ransomware group gained initial access to Change Healthcare’s network via a remote access Citrix portal that did not have multi-factor authentication enabled. This single breach affected nearly 200 million individuals and cost an estimated $2.46 billion in operational damages and recovery expenses across the industry. 

Ransomware poses a significant threat to healthcare. According to a recent Semperis report, more than three-quarters (77%) of healthcare organizations were targeted by ransomware in the past year, and 53% of these attacks were successful. The DaVita ransomware attack that was reported earlier this year led to $13.5 million in direct costs to restore their system and increased patient care expenses. Interlock ransomware claimed to have stolen approximately 1.5 TB of data. 

Attacker methods 

Cyberattacks in the healthcare sector target a wide range of individuals, from patients to healthcare providers and payment processors. 

The primary ways attackers can make a profit are extortion/ransomware and reusing or selling data to enable other attacks. The impact of these attacks can be severe, ranging from data breaches and financial losses to real-world disruptions affecting patient care. Stolen data can be used for fraud or extortion, and oftentimes, stolen legitimate credentials via phishing campaigns, infostealers, or supply chain compromises are the vehicle to enable these attacks. Credentials can provide attackers with access to internal systems with sensitive data or allow them to deploy malware for further infection or ransomware to extort victims.  

Some of the most effective attack techniques targeting the healthcare sector include phishing, vishing (voice phishing), smishing (text phishing), vulnerability exploitation, and business email compromise (BEC). A report from Darktrace found that phishing (32%) and edge infrastructure vulnerabilities (36%) comprised over two-thirds of healthcare breaches. A significant portion of phishing attacks impersonated third-party vendors. 

Examples of scams: 

  • Check Point researchers detected a phishing campaign impersonating legitimate service providers to steal sensitive employee or consumer data. The campaign targeted approximately 300 organizations and, in some cases, included a phone number for recipients to call where cybercriminals attempted to get people to reveal sensitive personal details. 
  • Insurance scams are a common robocall tactic that typically spikes during healthcare Open Enrollment season, although attackers can use similar strategies at any time of year. One reported insurance robocall campaign spoofed the number of Blue Cross Blue Shield to impersonate the insurance company. 
  • Fraud schemes targeting the Medicare population via phone calls or door-to-door solicitors have become more common. Oftentimes, these scammers pretend to be representatives from Medicare or an insurance plan offering no- or low-cost medical items, and seek to collect personal information. 
  • There has been an increase in fraud schemes involving companies that supposedly provide telehealth or telemedicine services, taking advantage of the growing acceptance of these remote services. These schemes often involve companies billing for services never rendered, providing unnecessary services or equipment, or engaging in kickback schemes. 

AI-powered tactics are intensifying the threat, enabling more effective, wider-scale attacks. Generative AI tools can be used to create counterfeit medical records, carry out more convincing phishing campaigns at scale, develop malware, and even alter diagnostic imaging results from X-rays and MRIs. AI-driven bots can disrupt healthcare platforms through distributed denial-of-service (DDoS) attacks, enable fraud such as booking fake appointments, spread misinformation, and more. 

Key characteristics of healthcare scams 

Scammers often use social engineering techniques to exploit human psychology and bypass security defenses cheaply and reliably, without having to resort to exploiting technical vulnerabilities. Social engineering targets people, not systems. Attackers take advantage of trust and routine to obtain credentials or approvals. 

Key indicators of potential scams include impersonation, urgency and pressure, and requests for sensitive information. Threat actors frequently pose as legitimate health insurance companies, doctors, or government agencies to build trust and improve their chances of obtaining personal information or access to systems. Health scammers extensively use urgency and pressure tactics to cloud judgement, prevent verification, and coerce individuals into quickly providing sensitive information or money. This may come in the form of limited-time offers, urgent health crises, or the threat of immediate consequences (such as insurance coverage about to expire). 
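As an added illustration (not part of the original article), the following script scores incoming messages against the three indicator families described above and flags callback numbers that are not on a published official list. The keyword lists, the sample messages, and the official-number allow-list are all constructed for this example.

```python
import re

# Indicator families from the article: impersonation, urgency/pressure, and
# requests for sensitive data. Keyword lists are constructed for this example.
INDICATORS = {
    "impersonation": [r"\bmedicare\b", r"\binsurance\b", r"\bblue cross\b",
                      r"\byour doctor\b", r"\bhhs\b"],
    "urgency": [r"\bimmediately\b", r"\bwithin \d+ hours?\b", r"\bexpire",
                r"\blimited time\b", r"\burgent\b", r"\bfinal notice\b"],
    "sensitive_request": [r"social security", r"\bssn\b", r"medicare (id|number)",
                          r"\bpassword\b", r"date of birth"],
}

# US-style phone number in a message body (spaces, dots or dashes allowed).
PHONE_RE = re.compile(r"\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b")

# Placeholder allow-list of published official numbers (constructed value).
OFFICIAL_NUMBERS = frozenset({"8005550123"})

def score_message(text, official_numbers=OFFICIAL_NUMBERS):
    """Return (score, matched indicators) for one message.

    Each indicator family that matches adds one point. A callback number
    that is not on the published official list adds one more, following
    the article's advice to verify only via the official line.
    """
    lowered = text.lower()
    hits = [family for family, patterns in INDICATORS.items()
            if any(re.search(p, lowered) for p in patterns)]
    for number in PHONE_RE.findall(text):
        digits = re.sub(r"\D", "", number)
        if digits not in official_numbers:
            hits.append("unverified_callback_number")
            break
    return len(hits), hits

def triage(messages, official_numbers=OFFICIAL_NUMBERS, threshold=2):
    """Return (score, hits, message) rows at or above threshold, highest first."""
    scored = [(*score_message(m, official_numbers), m) for m in messages]
    return sorted((row for row in scored if row[0] >= threshold),
                  key=lambda row: row[0], reverse=True)

# Constructed sample messages (not real scam text from the article).
SAMPLES = [
    "Final notice: your Medicare coverage will expire within 24 hours. "
    "Call 555-013-0199 now and confirm your Medicare number to keep benefits.",
    "Reminder: your appointment with Dr. Lee is Tuesday at 10:00. Reply C to confirm.",
    "Your insurance claim was processed. View details by logging in at the member portal.",
]
```

A single insurer or agency name scores only one point, so legitimate reminders fall below the triage threshold while a message combining impersonation, pressure, and a data request rises to the top.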

How to protect yourself: Best practices for recognizing scams

Strong multi-factor authentication (MFA), verification policies, targeted training, and rapid incident response make some of the biggest differences to defend against scams and other social engineering attacks. 

  • Strengthen identity and access management. Implement strong, unique passwords across all accounts and phishing-resistant MFA for an additional layer of security so that even if an attacker does get your credentials, they can’t simply plug them in and gain access. Also review and enforce stricter verification procedures for help desk and IT support to prevent social engineering manipulation. 
  • Don’t answer calls from numbers you don’t recognize. Oftentimes, scammers will spoof calls to appear to be coming from a trusted health organization or a local number to increase the chances of answering. If you answer the call but become suspicious or feel pressured, hang up and call the supposed caller back on the official line provided on the company or government agency’s website to verify. 
  • Avoid falling victim to social engineering tactics. Slow down, trust your gut, and question what any email, text, or caller is asking you to do. Don’t let fear or panic back you into a corner and make you feel powerless or reactive. It’s easier said than done in the moment, but the pressure could be intentional to manipulate you to more easily fall for a scam or social engineering scheme. 
  • Guard your personal information closely. Scammers may impersonate healthcare providers or practitioners to gain your trust. Never give out personal information such as Social Security numbers, Medicare ID numbers, or passwords in response to unexpected calls, or whenever anything about the request seems suspicious. 

Reporting scams

Reporting scams is critical to disrupt criminal operations and protect others from these malicious activities. 

  • Internal reporting: For employees, the first step is to report the incident to their organization’s IT security or incident response team so they can take immediate action. 
  • Law enforcement: Report cyber scams to the FBI Internet Crime Complaint Center (IC3) at www.ic3.gov. The Federal Trade Commission (FTC) also collects reports on various scams and fraud. 
  • Regulatory bodies: Healthcare-specific regulatory bodies such as the Department of Health and Human Services (HHS) or local health authorities may have specific channels for reporting cyber incidents and breaches. Be aware of local reporting requirements. For instance, some organizations must notify the Australian Signals Directorate (ASD) within 72 hours of making a ransomware payment. Additionally, under Australia’s Notifiable Data Breach (NDB) scheme, an organization or agency must notify affected individuals and the Office of the Australian Information Commissioner about an eligible data breach.
  • Information sharing groups: A rising tide lifts all ships. Information Sharing and Analysis Centers (ISACs) facilitate information sharing about threats and vulnerabilities within various sectors to help share critical intelligence with other organizations. A dedicated threat intelligence team or even an individual tasked with monitoring open-source reporting can provide insights into attacker trends and actionable indicators of compromise (IoCs).

Fostering a culture of cybersecurity awareness and following robust reporting protocols enables the healthcare sector to enhance its resilience against persistent threats from scams and social engineering attacks. 

Stephanie Schneider
Cyber Threat Intelligence Analyst at LastPass

Stephanie Schneider is passionate about raising awareness of cybersecurity challenges, blending strategic analysis with a deep understanding of how global geopolitical trends influence current threats. As a cyber threat intelligence analyst at LastPass, a leading password and identity management brand, she tackles emerging threats, provides crucial intelligence insights, and monitors significant events in the cybersecurity landscape. Prior to joining LastPass, Stephanie served as VP, Nation-State Lead in Cyber Threat Intelligence at Bank of America, where she specialized in defending against nation-state and criminal cyber threats, including cyberespionage and information warfare. Her career is defined by a commitment to anticipating and mitigating cybersecurity risks on a global scale. Prior to working at Bank of America, Stephanie worked as a consultant for the Congressional Research Service and with the Atlantic Council. Stephanie can be found on LinkedIn.