Identity thieves have been conducting a telephone phishing (originally defined as the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers, but can include other forms of communication, such as telephone calls) scam on patients of Redington-Fairview General Hospital in Maine. Its patients were targeted with automated calls offering help with paying their hospital bills in an attempt to get them to reveal credit card numbers.
The author finds this scenario totally believable because he was targeted by an email that said that the organization could cut the amount of his credit card debt by 45% and lower his monthly payments significantly. I was a little suspicious at the start because of the old maxim, “If it looks too good to be true, it’s unlikely to be true.”
But I played along, acting interested. I got way more suspicious when the well-educated woman’s voice asked whether I had more than $10,000 in credit card debt. Apparently, the scammer thought that that amount of debt meant that you had some assets that they could go after. But I got really suspicious when she said that I would have to list my bank account number and routing number for electronic withdrawals so that they could take the lesser monthly payments and their service fee out of my account. In my mind, however, the real reason was so that they could clean out my account.
So I called LifeLock,™ my identity theft insurer. I was about halfway through my recitation, when the expert whom I was talking to said, “Fraud.” We talked a few more minutes and then said, “Goodbye.”
But the real issue here is how the scammer got the hospital’s patient information. From a patient directory? Did the directory have information other than the patient’s room number? What information? Does the directory or the Notice of Privacy Practices have a warning about including email addresses or phone numbers and that patients can opt out of the directory? Did the hospital file a security incident report in its HIPAA files and determine whether it was a reportable breach to the patients affected and to DHHS? Even if the scam was not reportable, should the hospital nonetheless notify the affected patients because of their duty to mitigate the harm or potential harm of a breach? The hospital did notify law enforcement.
Remember that how a covered entity or business associate handles a breach is one of the items of interest to DHHS in its audits, and it has imposed civil money penalties as high as $4.3 million for not handling a HIPAA violation properly.
The first step is to take any immediate action to contain the breach, such as notifying law enforcement. Next, the responsible official—often the HIPAA Security Officer—should complete the security incident report form. I have such a form, which I will provide you if you email me at email@example.com. Finally, you determine whether it is a breach or only a security incident and, if it is a breach, whether it is reportable.
You may wish to consider my book How to Handle HIPAA and HITECH Act Breaches, Complaints, and Investigations: Everything You Need to Know, 2nd ed., available at www.veteranspress.com and through Amazon. Premium members can always email me with questions about security incidents at firstname.lastname@example.org.