FBI Warns Hackers Are Targeting Healthcare Payment Systems And Making Off With Millions

The Cyber Division of the US Federal Bureau of Investigation (FBI) has published a notice warning the healthcare industry of cyberattacks targeting healthcare payment processors. The attacks generally come in the form of phishing attacks that leverage employees’ publicly available Personally Identifiable Information (PII) and social engineering tactics to gain unauthorized access to confidential files, healthcare portals, payment information, and related websites. According to the notice, these attacks are costing victims millions of dollars in losses.

The FBI Cyber Division highlights examples of this form of cyberattack, beginning with a spree of attacks spanning from June 2018 to January 2019 that targeted at least 65 healthcare payment processors. The attackers accessed these systems and entered information associated with bank accounts under their control in place of customers’ banking and contact information. According to the notice, one victim of these attacks reported a loss of roughly $1.5 million.

Two unrelated attacks in February of this year replaced hospitals’ direct deposit information with that of consumer checking accounts controlled by the attackers. These two attacks cost their victims $700,000 in one case and a whopping $3.1 million in the other. Lastly, the notice details an attack this April in which a threat actor managed to access a payment processing vendor for a healthcare company while posing as an employee of said company. The threat actor used this unauthorized access to change the Automated Clearing House (ACH) instructions, directing payments away from their intended recipients and into an account controlled by the attacker. This attack diverted two transactions totaling roughly $840,000 before it was discovered.


The FBI’s notice directs healthcare companies to watch for the following indicators of payment-related cyberattacks:

  • Phishing emails, specifically targeting financial departments of healthcare payment processors.
  • Suspected social engineering attempts to obtain access to internal files and payment portals.
  • Unwarranted changes in email exchange server configuration and custom rules for specific accounts.
  • Requests for employees to reset both passwords and 2FA phone numbers within a short timeframe.
  • Employees reporting they are locked out of payment processor accounts due to failed password recovery attempts.
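
The following added example, which is not part of the FBI notice or the original article, shows how a security team might correlate two of the indicators above (a password reset and a 2FA phone change close together, and repeated failed password recovery) over identity audit events. The event layout, action names, one-hour window and three-failure threshold are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (timestamp, account, action); the action
# names are assumptions, map them to whatever your identity provider logs.
SAMPLE_EVENTS = [
    ("2024-03-04T09:02:00", "ap.clerk1", "password_reset"),
    ("2024-03-04T09:11:00", "ap.clerk1", "mfa_phone_change"),
    ("2024-03-04T10:00:00", "ap.clerk2", "password_reset"),
    ("2024-03-06T15:30:00", "ap.clerk2", "mfa_phone_change"),  # two days apart
    ("2024-03-05T08:00:00", "ap.clerk3", "recovery_failed"),
    ("2024-03-05T08:03:00", "ap.clerk3", "recovery_failed"),
    ("2024-03-05T08:05:00", "ap.clerk3", "recovery_failed"),
]


def flag_accounts(events, window=timedelta(hours=1), max_failures=3):
    """Return {account: sorted indicator names} for accounts needing review."""
    by_account = defaultdict(lambda: defaultdict(list))
    for ts, account, action in events:
        by_account[account][action].append(datetime.fromisoformat(ts))

    flagged = {}
    for account, actions in by_account.items():
        hits = set()
        # Indicator: password and 2FA phone number both reset close together.
        resets = actions["password_reset"]
        phones = actions["mfa_phone_change"]
        if any(abs(r - p) <= window for r in resets for p in phones):
            hits.add("password_and_2fa_reset")
        # Indicator: repeated failed password recovery (lockout pattern).
        fails = sorted(actions["recovery_failed"])
        for i in range(len(fails) - max_failures + 1):
            if fails[i + max_failures - 1] - fails[i] <= window:
                hits.add("repeated_recovery_failure")
                break
        if hits:
            flagged[account] = sorted(hits)
    return flagged


if __name__ == "__main__":
    for account, hits in flag_accounts(SAMPLE_EVENTS).items():
        print(account, hits)
```

Flagged accounts are candidates for out-of-band verification with the employee before any pending change to payment or banking details is honored.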

Besides watching for these indicators, the notice recommends that cybersecurity teams implement precautionary measures, including anti-virus software, regular network security assessments, employee training, multi-factor authentication (MFA), incident response plans, and requiring additional verification steps for any changes to financial information.

Nathan Wasson

Nathan grew up with computer hardware news and reviews in the family business and eventually joined the business himself in 2014. He initially joined to make video reviews and help with the podcast, but was soon asked if he would write, and he's been writing about computers ever since. More recently, Nathan has developed a passion for internet privacy, security, and decentralization and likes writing about those topics the most. He spends much of his free time tinkering with Linux distributions, custom Android ROMs, privacy and security tools, and self-hosting solutions. He also started gaming on a PC at a young age and still can't give up Unreal Tournament 2004 and Supreme Commander 2. Beyond computers, Nathan is a car enthusiast and philosophy nerd.


Opinions and content posted by HotHardware contributors are their own.