Scam calls/emails



  • We've recently had three incidents where something happened at our clinic - and then the patient was contacted by some other third party to see about taking their business elsewhere.

    ***Edited - ***

    1. a patient scheduled a procedure - within the week the patient received a postal mailer about that procedure from some other company.

    2. Patient indicated that she received an email (at 2 AM) from one of our physicians about a weight loss program. (FYI - our physicians don't email patients - ever, that I know of) Key thing of note - the patient hadn't been seen in over 18 months, then suddenly they get this email about weight loss. There has been zero movement on the patient's EHR account as far as I can tell.

    3. just reported - a patient paid their bill here, the following day received a phone call - hey we see you just paid that doctor's office (naming my business) - how would you like a CC with a lower rate to make charges on?

    Anyone heard of anything like this before?



  • It's starting not to look good. It looks like this may be more than a spear phishing attack at this point. Are you using any type of centralized logging? I would start looking for strange logs.

    If you don't have a SIEM it might be a good time to deploy Wazuh agents and ELK on your network.



  • This sounds like either you were compromised and don’t know it or your providers compromised and don’t know it. Try to find which one of your systems would be common between these.

    For example, when somebody pays her bill which one of your systems is updated



  • Or a mole.



  • Create a dozen new patients set them up in all your systems, schedule appointments, etc - then monitor
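One way to make the canary-patient idea above attributable, as an added example that is not part of the original post: it goes a step further than the suggestion by seeding each canary at a single workflow step, so a contact identifies where the data left. The seed-point names, the mailbox domain and the key are assumptions.

```python
import hashlib
import hmac
from collections import Counter

SECRET = b"replace-with-random-key"  # assumption: random key held only by the investigator
DOMAIN = "canary.example.org"        # assumption: a mail domain you control and monitor
# Assumed workflow steps, loosely following the three incidents in the thread.
SEED_POINTS = ["ehr:schedule", "ehr:chart-only", "cc-processor:payment", "billing-note"]


def canary_for(seed_point, n):
    """Build one canary contact whose address is unguessable without SECRET."""
    mac = hmac.new(SECRET, f"{seed_point}#{n}".encode(), hashlib.sha256)
    return {"seed_point": seed_point, "email": f"pt-{mac.hexdigest()[:10]}@{DOMAIN}"}


def build_registry(per_point=3):
    """Four seed points x three canaries = the 'dozen new patients'."""
    registry = {}
    for seed_point in SEED_POINTS:
        for n in range(per_point):
            record = canary_for(seed_point, n)
            registry[record["email"]] = record
    return registry


def attribute(registry, inbound_recipients):
    """Map recipients of unsolicited mail back to the step where each was seeded."""
    hits, unknown = Counter(), []
    for rcpt in inbound_recipients:
        record = registry.get(rcpt.strip().lower())
        if record:
            hits[record["seed_point"]] += 1
        else:
            unknown.append(rcpt)  # not a canary address: ordinary spam or a guess
    return dict(hits), unknown


if __name__ == "__main__":
    reg = build_registry()
    leaked = canary_for("cc-processor:payment", 1)["email"]  # constructed inbound hit
    print(attribute(reg, [leaked, "info@" + DOMAIN]))
```

Because each address is derived with a keyed hash, mail arriving at one of them cannot be a dictionary guess; it means the record entered at that seed point was read or exported.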



  • @Alex-Jones said in Scam calls/emails:

    Create a dozen new patients set them up in all your systems, schedule appointments, etc - then monitor

    @Dashrender said in Scam calls/emails:

    Anyone heard of anything like this before?

    If you call me tomorrow, I'd be happy to let you set me up as a patient, and I'll even allow you to make a small charge to my CC. Then when I get a call, I'll lead them on and take whatever bait they offer and hopefully get enough info for you to do some more investigation.



  • @JaredBusch said in Scam calls/emails:

    This sounds like either you were compromised and don’t know it or your providers compromised and don’t know it. Try to find which one of your systems would be common between these.

    For example, when somebody pays her bill which one of your systems is updated

    The breach is of course the first thing we thought of.

    Now that I'm writing this - I'm going to see who took the CC payment and who made the appointment for the first and third issues.
    CC's go to an online processor via a webpage, nothing else. We manually also make a note of the transaction, with no tracking of the CC info itself into our EHR/billing system.



  • @Dashrender said in Scam calls/emails:

    In the first case - a patient scheduled a procedure - then within a day, received an email providing information about that procedure.

    Did this person provide CC info?

    @Dashrender said in Scam calls/emails:

    And lastly, just reported - a patient paid their bill here, then received a phone call

    How much time passed from the bill payment to the phone call?



  • @JasGot said in Scam calls/emails:

    @Dashrender said in Scam calls/emails:

    In the first case - a patient scheduled a procedure - then within a day, received an email providing information about that procedure.

    Did this person provide CC info?

    It's possible, I'll have to check tomorrow.



  • @JasGot said in Scam calls/emails:

    @Dashrender said in Scam calls/emails:

    And lastly, just reported - a patient paid their bill here, then received a phone call

    How much time passed from the bill payment to the phone call?

    same day, beyond that - again, we'd have to ask. I know I heard about it around 1:30pm today.



  • @Dashrender said in Scam calls/emails:

    same day, beyond that - again, we'd have to ask. I know I heard about it around 1:30pm today.

    So, in my mind, I'd start looking for a hack that is "live" meaning someone is actually monitoring the activity; or a corrupt employee.

    From what I have seen in hacks like this that are NOT "live" it can take days for the info to propagate to the call centers who are trying to scam people. For it to happen so fast likely means you are a direct target by a small-time hacker (i.e., not automated, and/or not on a large scale) or an employee is part of a ring trying to make a quick buck.

    Tread lightly and carefully, if it turns out to be an employee, you'll want to get the FBI involved before you confront them. I say FBI, because as soon as you use a computer to commit a crime, the FBI wants to take the lead.



  • Well, my boss ran reports - there is no common employee to these incidents. So far, the only common thing is the EHR itself.

    Found the details on #2 - I'll update the OP.



  • @Dashrender said in Scam calls/emails:

    Well, my boss ran reports - there is no common employee to these incidents. So far, the only common thing is the EHR itself.

    And there was another incident to add to the list - I'll update the OP.

    Is your EHR hosted or on-prem?



  • @dafyre said in Scam calls/emails:

    @Dashrender said in Scam calls/emails:

    Well, my boss ran reports - there is no common employee to these incidents. So far, the only common thing is the EHR itself.

    And there was another incident to add to the list - I'll update the OP.

    Is your EHR hosted or on-prem?

    Hosted - I believe it's a true cloud based app, but I'm not 100% sure. The system has something like 36 DBs and clients are spread over these DBs, but it's definitely not a 1 to 1 DB/client setup. I assume it's something akin to O365.



  • We are going to be doing a report to see if there are any common IPs accessing these three patients.
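A sketch of the common-IP report described above, as an added example that is not part of the original post and not the EHR vendor's tooling. The audit-export columns, user names, IPs and patient IDs are constructed assumptions; it also keeps the earliest touch per record so it can be compared with when each patient was contacted.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of an access-audit export. Column names, users, IPs
# and patient IDs are assumptions, not a real EHR vendor's format.
SAMPLE_AUDIT_CSV = """\
timestamp,user,source_ip,patient_id,action
2024-03-04T09:12:00,frontdesk1,10.0.0.21,P-1001,schedule
2024-03-04T21:40:00,frontdesk1,203.0.113.50,P-1001,view
2024-03-05T02:03:00,nurse2,203.0.113.50,P-2002,view
2024-03-05T10:15:00,nurse2,10.0.0.34,P-2002,view
2024-03-06T11:00:00,billing1,10.0.0.45,P-3003,payment_note
2024-03-06T11:20:00,billing1,203.0.113.50,P-3003,view
2024-03-06T12:00:00,frontdesk1,10.0.0.21,P-3003,view
2024-03-06T13:00:00,frontdesk1,10.0.0.21,P-4004,schedule
"""
AFFECTED = {"P-1001", "P-2002", "P-3003"}  # the three reported patients (constructed IDs)

def touches(audit_csv, affected, field):
    """Map each value of `field` to {patient_id: earliest timestamp} on affected records."""
    out = defaultdict(dict)
    for row in csv.DictReader(io.StringIO(audit_csv)):
        pid = row["patient_id"]
        if pid not in affected:
            continue
        prev = out[row[field]].get(pid)
        # ISO 8601 timestamps in a single timezone sort correctly as strings.
        if prev is None or row["timestamp"] < prev:
            out[row[field]][pid] = row["timestamp"]
    return dict(out)

def rank_accessors(audit_csv, affected, field, min_patients=2):
    """Values of `field` that touched at least `min_patients` affected records, widest first."""
    hits = touches(audit_csv, affected, field)
    ranked = [(value, seen) for value, seen in hits.items() if len(seen) >= min_patients]
    return sorted(ranked, key=lambda item: (-len(item[1]), item[0]))

def common_to_all(audit_csv, affected, field):
    """Values of `field` present on every affected record."""
    return [value for value, _ in rank_accessors(audit_csv, affected, field, len(affected))]

if __name__ == "__main__":
    for field in ("source_ip", "user"):
        print(field, "common to all:", common_to_all(SAMPLE_AUDIT_CSV, AFFECTED, field))
        for value, seen in rank_accessors(SAMPLE_AUDIT_CSV, AFFECTED, field):
            print("   ", value, sorted(seen.items()))
```

In the constructed data no single user touches all three records, yet one external address does under three different accounts, which is the case a per-employee report misses.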



  • @Dashrender said in Scam calls/emails:

    We are going to be doing a report to see if there are any common IPs accessing these three patients.

    Also check and see if the patients are in the same DB?



  • @dafyre said in Scam calls/emails:

    @Dashrender said in Scam calls/emails:

    We are going to be doing a report to see if there are any common IPs accessing these three patients.

    Also check and see if the patients are in the same DB?

    They are - all of our patients are in a single DB.. each client of the EHR is in a single DB. I.e. we are a client, and all of our patients are in a single DB.



  • an FYI in case anyone cares... athenaNet has a single user database for their entire system. So if you work at two different hospital/clinics that both use athenaNet, then you only have one account that accesses both systems...



  • @Dashrender said in Scam calls/emails:

    an FYI in case anyone cares... athenaNet has a single user database for their entire system. So if you work at two different hospital/clinics that both use athenaNet, then you only have one account that accesses both systems...

    Yeah, unfortunately that is extremely common practice. They just use a different identifier to segment customers.



  • @Dashrender said in Scam calls/emails:

    @dafyre said in Scam calls/emails:

    @Dashrender said in Scam calls/emails:

    We are going to be doing a report to see if there are any common IPs accessing these three patients.

    Also check and see if the patients are in the same DB?

    They are - all of our patients are in a single DB.. each client of the EHR is in a single DB. I.e. we are a client, and all of our patients are in a single DB.

    I would put a call in to the EHR for sure and tell them what's been happening.



  • @Dashrender said in Scam calls/emails:

    an FYI in case anyone cares... athenaNet has a single user database for their entire system. So if you work at two different hospital/clinics that both use athenaNet, then you only have one account that accesses both systems...

    So all it really takes is someone that has changed jobs a number of times to companies that all use this same athenaNet?



  • @dafyre said in Scam calls/emails:

    @Dashrender said in Scam calls/emails:

    @dafyre said in Scam calls/emails:

    @Dashrender said in Scam calls/emails:

    We are going to be doing a report to see if there are any common IPs accessing these three patients.

    Also check and see if the patients are in the same DB?

    They are - all of our patients are in a single DB.. each client of the EHR is in a single DB. I.e. we are a client, and all of our patients are in a single DB.

    I would put a call in to the EHR for sure and tell them what's been happening.

    yup, started the process on Friday - then the line got disconnected.

    I have to call them back today.



  • @travisdh1 said in Scam calls/emails:

    @Dashrender said in Scam calls/emails:

    an FYI in case anyone cares... athenaNet has a single user database for their entire system. So if you work at two different hospital/clinics that both use athenaNet, then you only have one account that accesses both systems...

    So all it really takes is someone that has changed jobs a number of times to companies that all use this same athenaNet?

    I'm not sure what you are asking?

    There is only one athenaNet. The way they want you to handle users is to never delete them from your system - so in our case we would have somewhere around 50+ people in our system that no longer work here all taking up space in our drop downs because the system has no way of hiding, yet leaving them in, ex-employees. So we say screw that - and delete them. This of course causes us a different problem, once we delete them, we can no longer run reports on them, we have to contact athenaHealth (the company) and have them run the reports for us.

    We'd be happy to leave the users in as no access users, if there was a way to remove them from all of the active user lists - which are used every day multiple times per day by nearly everyone - as a way to assign tasks to others.



  • @Dashrender said in Scam calls/emails:

    @dafyre said in Scam calls/emails:

    @Dashrender said in Scam calls/emails:

    @dafyre said in Scam calls/emails:

    @Dashrender said in Scam calls/emails:

    We are going to be doing a report to see if there are any common IPs accessing these three patients.

    Also check and see if the patients are in the same DB?

    They are - all of our patients are in a single DB.. each client of the EHR is in a single DB. I.e. we are a client, and all of our patients are in a single DB.

    I would put a call in to the EHR for sure and tell them what's been happening.

    yup, started the process on Friday - then the line got disconnected.

    I have to call them back today.

    Hopefully you didn't get disconnected today?



  • @dafyre said in Scam calls/emails:

    @Dashrender said in Scam calls/emails:

    @dafyre said in Scam calls/emails:

    @Dashrender said in Scam calls/emails:

    @dafyre said in Scam calls/emails:

    @Dashrender said in Scam calls/emails:

    We are going to be doing a report to see if there are any common IPs accessing these three patients.

    Also check and see if the patients are in the same DB?

    They are - all of our patients are in a single DB.. each client of the EHR is in a single DB. I.e. we are a client, and all of our patients are in a single DB.

    I would put a call in to the EHR for sure and tell them what's been happening.

    yup, started the process on Friday - then the line got disconnected.

    I have to call them back today.

    Hopefully you didn't get disconnected today?

    Sadly, the call back didn't happen today.



  • @Dashrender said in Scam calls/emails:

    @dafyre said in Scam calls/emails:

    @Dashrender said in Scam calls/emails:

    @dafyre said in Scam calls/emails:

    @Dashrender said in Scam calls/emails:

    @dafyre said in Scam calls/emails:

    @Dashrender said in Scam calls/emails:

    We are going to be doing a report to see if there are any common IPs accessing these three patients.

    Also check and see if the patients are in the same DB?

    They are - all of our patients are in a single DB.. each client of the EHR is in a single DB. I.e. we are a client, and all of our patients are in a single DB.

    I would put a call in to the EHR for sure and tell them what's been happening.

    yup, started the process on Friday - then the line got disconnected.

    I have to call them back today.

    Hopefully you didn't get disconnected today?

    Sadly, the call back didn't happen today.

    Figures.



  • @scottalanmiller said in Scam calls/emails:

    @Dashrender said in Scam calls/emails:

    @dafyre said in Scam calls/emails:

    @Dashrender said in Scam calls/emails:

    @dafyre said in Scam calls/emails:

    @Dashrender said in Scam calls/emails:

    @dafyre said in Scam calls/emails:

    @Dashrender said in Scam calls/emails:

    We are going to be doing a report to see if there are any common IPs accessing these three patients.

    Also check and see if the patients are in the same DB?

    They are - all of our patients are in a single DB.. each client of the EHR is in a single DB. I.e. we are a client, and all of our patients are in a single DB.

    I would put a call in to the EHR for sure and tell them what's been happening.

    yup, started the process on Friday - then the line got disconnected.

    I have to call them back today.

    Hopefully you didn't get disconnected today?

    Sadly, the call back didn't happen today.

    Figures.

    Oh, this was on me, not them. I'm just swamped with user issues - training a new user, etc.





  • I've made the call back.

    The EHR vendor says - nope not us - unless we've had such a catastrophic hack that we can't detect it in our logs.



  • @Dashrender said in Scam calls/emails:

    The EHR vendor says - nope not us - unless we've had such a catastrophic hack that we can't detect it in our logs.

    "Not in our logs" is a pretty weak defense of not having been hacked.

