January 26, 2024

Hackers use stolen identities, IT help desk to redirect hospital funds

Editor's Note: 

In a sophisticated new scheme, hackers are stealing the identities of hospital employees in financial roles, such as revenue cycle employees, and then contacting the hospitals’ IT help desks to reset passwords, receive access codes, and redirect funds.

The American Hospital Association (AHA) sent out an alert January 12 about the social engineering scheme, which it said is being orchestrated by a foreign-based threat actor who uses the stolen hospital employee information to obtain multi-factor identification codes from IT staff. Once the password was reset, the hacker was then able to use the hospital employee’s email account to change payment instructions with payment processors and divert payments to fraudulent US bank accounts, and ultimately overseas.

The AHA encourages hospitals to be vigilant about this latest hacking method and to take steps to avoid being compromised. These steps include implementing strict IT help desk protocols, such as contacting the supervisor of an employee making a password reset request, or even, as one large health system did, requiring employees to make such requests in person.

The AHA adds that organizations that are subject to any type of payment diversion scheme should immediately notify their financial institution and the FBI at www.ic3.gov, which can help recover the diverted payments if notification is made within 72 hours.

