Federal authorities are alerting healthcare providers and suppliers to a rise in phishing and impersonation scams designed to steal sensitive personal and financial information. The Centers for Medicare & Medicaid Services (CMS) and the Federal Bureau of Investigation (FBI) have each issued warnings about separate but similar fraud schemes currently circulating in the healthcare sector.
CMS recently identified a phishing scam in which fraudsters impersonate CMS and send fraudulent fax requests for medical records, claiming the information is needed for a Medicare audit. These faxes are not legitimate, as CMS does not initiate audits by requesting records via fax. Healthcare organizations are advised to verify any audit communications with their designated Medical Review Contractor before responding.
The FBI has also issued a public warning about criminals impersonating legitimate health insurers and their investigative teams. These individuals are contacting patients and providers via email or text, posing as trusted healthcare authorities. The fraudulent messages often ask for protected health information, medical records, personal financial data, or reimbursement for supposed overpayments or non-covered services. The messages may use urgent language to pressure recipients into acting quickly before verifying legitimacy.
To mitigate the risk of falling victim to these scams, healthcare organizations should exercise caution when receiving unsolicited faxes, emails, texts, or phone calls requesting sensitive information. It is important to avoid clicking on suspicious links or attachments and to confirm the legitimacy of any unusual requests directly with the organization they purport to represent. Implementing strong passwords, enabling multi-factor authentication where available, and maintaining updated security software and operating systems on all devices are recommended security measures.
Organizations that suspect they have received fraudulent requests or have been targeted by such scams should contact their Medical Review Contractor for CMS-related concerns. Suspected impersonation scams should be reported to the FBI’s Internet Crime Complaint Center at www.ic3.gov, providing as much identifying information as possible.
Compliance Perspective
Issue
Healthcare organizations face increasing threats from scams that exploit gaps in communication and verification processes. Fraud schemes often involve impersonation of government agencies, insurers, or auditors to gain access to sensitive information. These tactics can lead to the unauthorized release of protected health information, financial losses, and potential violations of privacy and security regulations. Unauthorized disclosures can result in violations of federal laws such as the Health Insurance Portability and Accountability Act (HIPAA), as well as CMS Conditions of Participation. An effective compliance and ethics program must include safeguards to identify and respond to suspicious requests, especially as fraudulent tactics continue to evolve.
Discussion Points
- Review and update your facility’s policies and procedures for handling requests for medical records, billing information, or other sensitive data. Ensure procedures are in place to verify the legitimacy of audit or information requests before responding.
- Provide regular training to staff on recognizing common signs of fraudulent requests, such as unexpected fax transmissions or unsolicited emails and texts. Emphasize the procedure for verifying requests through official channels and remind staff never to share patient or financial information without proper authorization.
- Conduct periodic audits to assess how requests for sensitive information are handled. Verify that staff follow verification protocols and understand their responsibility to report suspicious or unauthorized requests to supervisors, the compliance officer, or via the anonymous hotline.
*This news alert has been prepared by Med-Net Concepts, Inc. for informational purposes only and is not intended to provide legal advice.*