Case study
A small, rural hospital contracted with an emergency medical group for emergency department (ED) coverage. The group was paid monthly by EFT from the hospital’s account to the ED group’s account.
In June, the hospital received an email invoice from the ED group with instructions to send payment to a new account. The hospital sent the $200,500 payment to the new account on July 10.
On July 12, the payment was returned because the new account was frozen. On July 16, the ED group emailed new account information and instructions to the hospital. The hospital sent the $200,500 payment to the new account.
In early August, the ED group sent the next monthly invoice by email with instructions to send the funds to another new account. The hospital sent the $206,500 payment on August 13.
It was later discovered that the requests to send the funds to the new accounts were fraudulent. The ED group never sent the emails requesting EFT account changes. The cyber criminals who sent the fraudulent emails and set up the accounts ended up collecting $407,000 from the hospital.
When the hospital discovered that the money had been sent to an invalid account, the loss was reported to the hospital’s insurance agent and cyber liability carrier. The hospital was advised to take the following steps.
- File a complaint with the local police department.
- Submit a complaint to the FBI’s Internet Crime Complaint Center (IC3).
- Contact the bank’s fraud department to flag the transactions as fraudulent.
- Contact the local FBI office.
After the incident, the hospital began using the following fraud prevention measures.
- A change in policy that requires all wire transfer procedures to have oral confirmation from vendors and contractors if there are any changes in payment instructions.
- Managers are now required to send emails using two-step account verification procedures.
- Employees in the IT, Finance, and Revenue Cycle Departments attend required training on cyber security and cyber fraud risks.
Risk management considerations
Social engineering typically involves a hacker using a compromised business email account to request money, passwords, banking information, or personally identifying information from the holder of the compromised account. The victim is deceived into thinking the request is from a legitimate source, such as a friend or a financial institution with whom the victim has a business relationship. (1)
- Be suspicious of emails from unknown sources, especially those requesting sensitive information or stressing the urgency and importance of the request.
- Train employees to recognize suspicious emails and forward them to someone who manages cyber security.
- Require EFT changes to be verified using another method of communication. For example, if the EFT change was sent by email, verify by phone using a known phone number. Have employees document this verification, and have a process for them to follow if the change cannot be verified. (1)
- Establish an incident response plan to initiate in case a phishing attack is successful.
- Use technology to detect and test emails for malicious content.
- Require multifactor authentication.
- Conduct regular security training for employees and provide testing to ensure understanding.
- Follow your instincts, and always report suspicious emails. (2)
While many cyber liability policies include coverage for cyber fraud and cyber deception, there have been cases where coverage was denied because the covered entity did not verify the requested change in a manner other than the manner it was received. (If the request was sent by email, verify the request by calling a known phone number.)
Sources
1. International Risk Management Institute. Glossary: Social engineering. Available at https://www.irmi.com/term/insurance-definitions/social-engineering. Accessed September 19, 2024..
2. Department of Health and Human Services. Health industry cybersecurity practices. Available at https://www.phe.gov/Preparedness/planning/405d/Documents/HICP-Main-508.pdf . Accessed September 19, 2024. Log in required.
