Scam calls/emails

Dashrender

We've recently had three incidents where something happened at our clinic - and then the patient was contacted by some other third party to see about taking their business elsewhere.

***Edited - ***

1. a patient scheduled a procedure - within the week the patient received a postal mailer about that procedure from some other company.

2. Patient indicated that she received an email (at 2 AM) from one of our physicians about a weight loss program. (FYI - our physicians don't email patients - ever, that I know of) Key thing of note - the patient hadn't been seen in over 18 months, then suddenly they get this email about weightloss. There has been zero movement on the patients EHR account as far as I can tell.

3. just reported - a patient paid their bill here, the following day received a phone call - hey we see you just paid that Doctors office (naming my business) - how would you like a CC with a lower rate to make charges on?

Anyone heard of anything like this before?

IRJ

It's starting not too look good. It looks like this may be more than a spear phishing attack at this point. Are you using any type of centralized logging? I would start looking for strange logs.

If you dont have a SIEM it might be a good time to deploy wazuh agents and ELK on your network.

JaredBusch

This sounds like either you were compromised and don’t know it or your providers compromised and don’t know it. Try to find which one of your systems would be common between these.

For example, when somebody pays her bill which one of your systems is updated

JasGot

Or a mole.

Alex Jones

Create a dozen new patients set them up in all your systems, schedule appointments, etc - then monitor

JasGot

@Alex-Jones said in Scam calls/emails:

Create a dozen new patients set them up in all your systems, schedule appointments, etc - then monitor

@Dashrender said in Scam calls/emails:

Anyone heard of anything like this before?

If you call me tomorrow, I'd be happy to let you set me up as a patient, and I'll even allow you to make a small charge to my CC. Then when I get a call, I'll lead them on and take whatever bait they offer and hopefully get enough info for you to do some more investigation.

Dashrender

@JaredBusch said in Scam calls/emails:

This sounds like either you were compromised and don’t know it or your providers compromised and don’t know it. Try to find which one of your systems would be common between these.

For example, when somebody pays her bill which one of your systems is updated

The breach is of course the first thing we thought of.

Now that I'm writing this - I'm going to see who took the CC payment and who made the appointment for the first and third issues.
CC's go to an online processor via a webpage, nothing else. We manually also make a note of the transaction, with no tracking of the CC info itself into our EHR/billing system.

JasGot

@Dashrender said in Scam calls/emails:

In the first case - a patient scheduled a procedure - then within a day, received an email providing information about that procedure.

Did this person provide CC info?

@Dashrender said in Scam calls/emails:

And lastly, just reported - a patient paid their bill here, then received a phone call

How much time passed from the bill payment to the phone call?

Dashrender

@JasGot said in Scam calls/emails:

@Dashrender said in Scam calls/emails:

In the first case - a patient scheduled a procedure - then within a day, received an email providing information about that procedure.

Did this person provide CC info?

It's possible, I'll have to check tomorrow.

Dashrender

@JasGot said in Scam calls/emails:

@Dashrender said in Scam calls/emails:

And lastly, just reported - a patient paid their bill here, then received a phone call

How much time passed from the bill payment to the phone call?

same day, beyond that - again, we'd have to ask. I know I heard about it around 1:30pm today.

JasGot

@Dashrender said in Scam calls/emails:

same day, beyond that - again, we'd have to ask. I know I heard about it around 1:30pm today.

So, in my mind, I'd start looking for a hack that is "live" meaning someone is actually monitoring the activity; or a corrupt employee.

From what I have seen in hacks like this that are NOT "live" it can take days for the info to propagate to the call centers who are trying to scam people. For it to happen so fast likely means you are a direct target by a small time hacker (ie; not automated, and/or not on a large scale) or an employee is part of a ring trying to make a quick buck.

Tread lightly and carefully, if it turns out to be an employee, you'll want to get the FBI involved before you confront them. I say FBI, because as soon as you use a computer to commit a crime, the FBI wants to take the lead.

Dashrender

Well, my boss ran reports - there is no common employee to these incidents. So far, the only common thing is the EHR itself.

Found the details on #2 - I'll update the OP.

dafyre

@Dashrender said in Scam calls/emails:

Well, my boss ran reports - there is no common employee to these incidents. So far, the only common thing is the EHR itself.

And there was another incident to add to the list - I'll update the OP.

Is your EHR hosted or on-prem?

Dashrender

@dafyre said in Scam calls/emails:

@Dashrender said in Scam calls/emails:

Well, my boss ran reports - there is no common employee to these incidents. So far, the only common thing is the EHR itself.

And there was another incident to add to the list - I'll update the OP.

Is your EHR hosted or on-prem?

Hosted - I believe it's a true cloud based app, but I'm not 100% sure. The system has something like 36 DBs and clients are spread over these DBs, but it's definitely not a 1 to 1 DB/client setup. I assume it's something akin to O365.

Dashrender

We are going to be doing a report to see if there are any common IPs accessing these three patients.

dafyre

@Dashrender said in Scam calls/emails:

We are going to be doing a report to see if there are any common IPs accessing these three patients.

Also check and see if the patients are in the same DB?

Dashrender

@dafyre said in Scam calls/emails:

@Dashrender said in Scam calls/emails:

We are going to be doing a report to see if there are any common IPs accessing these three patients.

Also check and see if the patients are in the same DB?

They are - all of our patients are in a single DB.. each client of the EHR is in a single DB. I.e. we are a client, and all of our patients are in a single DB.

Dashrender

an FYI in case anyone cares... athenaNet has a single user database for their entire system. So if you work at two different hospital/clinics that both use athenaNet, then you only have one account that accesses both systems...

IRJ

@Dashrender said in Scam calls/emails:

an FYI in case anyone cares... athenaNet has a single user database for their entire system. So if you work at two different hospital/clinics that both use athenaNet, then you only have one account that accesses both systems...

Yeah, unfortunately that is extremely common practice. They just use a different identifier to segment customers.

dafyre

@Dashrender said in Scam calls/emails:

@dafyre said in Scam calls/emails:

@Dashrender said in Scam calls/emails:

We are going to be doing a report to see if there are any common IPs accessing these three patients.

Also check and see if the patients are in the same DB?

They are - all of our patients are in a single DB.. each client of the EHR is in a single DB. I.e. we are a client, and all of our patients are in a single DB.

I would put a call in to the EHR for sure and tell them what's been happening.