Hackers Impersonating Revenue Cycle Employees According to Recent AHA Warning 

Sarasota, FL (WorkersCompensation.com) – Last month, the Justice Department announced that they had essentially “hacked the hackers” in an extensive undercover investigation of the Blackcat ransomware group, also known as ALPHV or Noberus. Blackcat is a notorious cyber-crime organization that has attacked over 1,000 entities in the U.S., including government and healthcare facilities. 

Healthcare has seen a steady increase in the number of cyber-attacks the last couple of years. Typically, hackers have accessed organizations by either tapping into their servers, or phishing via emails. However, according to a recent warning from the American Hospital Association hackers have changed their tactics once again. 

According to the announcement hackers are targeting revenue cycle employees, and other employees that access to critical financial information, such as bank accounts. The hackers are compromising the employee’s emails and then contacting the employee’s IT deparment to request password resets, and multi-factor authentication enrollment for a new device, such a cell phone. 

After initiating a password reset and multi-factor authentication, the hackers then have full access to the employee’s emails and all applications, including those applications associated with banking. According to the announcement, hackers have used this method to contact payment processors, and then divert payments owed to other bank accounts that the hackers have set up. Investigators believe that the funds are eventually transferred to off shore accounts. 

John Riggi, AHA’s national advisor for cybersecurity and risk, believes that consistent application of even simple security protocols can help combat this occurring in organizations. “The risk posed by this innovative and sophisticated scheme can be mitigated by ensuring strict IT help desk security protocols, which at a minimum require a call back to the number on record for the employee requesting password resets and enrollment of new device. Organizations may also want to contact the supervisor on record of the employee making such a request,” Riggi advises. 

Additionally Riggi recommends that organizations contact the FBI at https://www.ic3.gov/ to file a report. Riggi states that the FBI has been able to recover diverted payments if reports are made within 72 hours of the incident. 

Riggi also stated that as a result of becoming a victim of this particular scheme, one large organization is now requiring employees to make request password resets and multi-factor authentication enrollment for new devices in person to their IT department. While this method certainly lessens the chance of this type of hack occurring, it’s not always feasible for larger organizations with multiple locations, or remote workers that may work clear across the county. With many healthcare organizations merging, and growing more siloed as a result, verifying authenticity of help desk and other type requests can be a challenge.

Share This Article: