Social Engineering Examples in Healthcare | How Cybercriminals Steal Data

Every year, cybercriminals exploit private data from thousands of businesses and individuals across the globe. According to Check Point Research, medical organizations suffered over 1,400 digital breaches per week in 2022 — a significant increase from the previous year. Identifying social engineering examples in healthcare can help you reduce the risk of your protected health information (PHI) falling into the wrong hands.

In this article, you will learn about social engineering schemes, how to avoid them, and what to do if you suspect an attack. Safeguarding medical records and private information doesn’t need to be a hassle. Once you finish reading, contact ChartRequest to learn more about how our health information management technology can provide a secure platform for your PHI.

In the modern digital age, hackers deploy countless tactics to infiltrate and exploit private information from healthcare organizations. Many of these methods involve brute-force password entry, SQL injection attacks, and trojan horse ransomware. Still, experienced hackers know that the fastest way into a database is through the cooperation of those closest to the system — typically, office employees, custodians, or novice IT workers.

Social engineering involves targeting a victim to disclose confidential or personal information with manipulation, coercion, or deception. Cybercriminals can utilize this tactic in numerous ways, depending on the target and the target’s baseline security limitations. Social engineering takes place through a variety of channels, including:

Social media direct messages (DMs)
Over the phone (scam calls)
Email
In-person (word of mouth)
Third-party applications

According to data collected by Proofpoint in 2019, researchers discovered that social engineering played a role in nearly 98% of all recorded cyber attacks. Moreover, 70% of confidential data breaches began with social engineering tactics. These numbers emphasize the importance of investing in effective cybersecurity policies, products (like ChartRequest’s release of information platform), and comprehensive employee training in the healthcare industry.

Cybercriminals could attempt to breach your protected health information database at any moment. Understanding the five most common social engineering attacks can help you prevent an accidental healthcare disclosure before it even begins. Let’s take a look at some social engineering examples in healthcare and apply them to real-world scenarios:

Phishing

Digital phishing is a hacker’s favorite weapon. These social engineering attacks mask fraudulent email links as legitimate. Malicious email links may look like they come from a trusted source (Google, Amazon, or a bank) but navigate users to malware.

Clicking on a malicious link may allow the hacker to hijack your passwords, secure networks, or PHI database within seconds. Some experienced cybercriminals even code malware to steal thousands of pages worth of medical documents in mere milliseconds.

Phishing scams do not always install malware onto a victim’s computer. Instead, they may prompt the user to voluntarily disclose personal information, like passwords, usernames, or security questions. The hacker can use that information to access a healthcare organization’s database at a later time.

In 2020, Magellan Health — a Fortune 500 health insurance provider — suffered a detrimental phishing attack by a hacker impersonating a legitimate client. The network breach was fast, exposing the private records of over a million Magellan Health members. Company investigations and corresponding incident reports concluded that the attack compromised nearly two million electronic records.

Baiting

Baiting is another social engineering attack designed to lure victims into compromising their computers with malware. Hackers may try to bait victims by using one or more of the following methods:

Flash Drives: A cybercriminal may place a flash drive loaded with malware in a conspicuous area where the target victim is prone to view it. The victim may pick up the flash drive and insert it into their computer out of curiosity or to see if they can identify the owner. At this point, the hacker can activate the malware and infiltrate the user’s computer, compromising stored health information.

Monetary Promises: Some hackers may try to bait victims by promising money or other rewards. Like phishing, they may encourage the victim to click on a malicious link, input personal data into a website, or download fraudulent software.

Urgent Messages: Cybercriminals may try to create a sense of danger or urgency for the victim. Messages like “22 Viruses Detected On Your Network! Click Here to Resolve Now!” can tempt uninformed users into making major mistakes.

Baiting attacks often result in ransomware, or software designed to lock authorized users out of a database until they pay a sum of money to the hacker. Cybercriminals may threaten to release PHI or other personal information if victims do not meet demands.

In 2012, Reveton ransomware gained notoriety for its aggressive baiting methods. Virus engineers created software titled “Police Trojan” to intimidate victims into believing that law enforcement found illegal activity on their computers. Hackers encouraged victims to click a link and pay their attackers to unlock their screens.

Social engineering examples in healthcare highlight the threat baiting poses to modern clinics and hospitals. Unfortunately, a breach in one secure network can lead to the unauthorized distribution of countless protected health documents.

Managing a social media profile is essential to everyday life, especially if you promote a healthcare business online. However, hackers can exploit non-secure social media channels by sending fraudulent URLs via direct messages. Falling for social media scams, like clickbait articles, cryptocurrency links, or other out-of-place content can expose your network to cyberattacks.

It’s crucial to avoid accessing and using personal social media accounts on your practice’s office computer or tablet. Additionally, you should ensure that a dedicated social media specialist is in charge of any professional profiles to monitor activity and safely use resources.

The Federal Bureau of Investigation (FBI) issued a scam warning for healthcare employees in Fall 2022. They claimed that a scammer cell targeted many physicians over Facebook, Instagram, and LinkedIn, impersonating legitimate law enforcement agencies. The cybercriminals threatened to revoke their victims’ medical licenses or even raid their homes if they did not comply with demands.

The FBI discouraged healthcare professionals from disclosing personal identifying information (PII) or PHI to anyone online without verifying their credentials.

Tailgating

A tailgating attack is somewhat risky for hackers despite being common in closed-office settings. Tailgating is the act of an unauthorized individual gaining access to secure locations by watching or following close behind an authorized individual.

Bad actors may tailgate when:

Authorized individuals attempt to access information on public computers
Employees leave office doors open and poorly monitored
Distracted employees do not notice someone looking over their shoulders while using passwords

For example, suppose an authorized physician uses a password to access their patient database — they walk away from the computer, and an unauthorized worker secretly goes through records while the database is still open. In this case, the unauthorized worker “tailgated” the physician to steal or view confidential medical documents.

Pretexting

Healthcare employees are particularly vulnerable to pretexting attacks. Pretexting is similar to phishing in that hackers deceive victims into sharing personal information, passwords, or other confidential data. However, hackers typically deploy pretexting methods to carefully nudge users into a long-term cyber attack.

Pretexting can make cyberattacks seem less malicious during initial interactions. Hackers may use pretexting to earn trust and develop a fraudulent personality before delivering the final phase of the attack. On an organizational level, pretext hackers may:

Pretend to be a patient looking to access their medical documents
Impersonate a vendor seeking a face-to-face meeting in hopes of accessing sensitive medical databases
Masquerade as a government official or employee with seemingly professional credentials and logos

Pretexting social engineering examples in healthcare may include the spear-phishing attack on Anthem in January 2015. Hackers sent a string of phishing emails to Anthem employees from a known or trusted address, encouraging them to disclose confidential information. Consequently, unauthorized individuals gained access to the electronic protected health information (ePHI) of nearly 79 million members.

Falling behind on your data security protocols can land you in hot water, no matter the size of your facility or healthcare provider. Not even the largest healthcare organizations are immune to social engineering attacks. Here are three of the most impactful record leak cyber attacks in recent history:

Centers for Medicare and Medicaid Services

In 2023, the Centers for Medicare and Medicaid Services reported a data breach that exposed the personal information and PHI of over 2 million individuals. Investigators concluded that a hacker accessed the company’s MOVEit file transfer software via a security vulnerability. The exposed data included telephone numbers, birth dates, names, and Medicare beneficiary identifiers.

Welltok

Welltok is a reputable patient engagement organization that handles millions of individuals’ Social Security numbers, email addresses, and prescription treatment codes. In December 2023, a hacker used social engineering tactics to break through secure access points in Colorado, exposing the PHI of over 8 million Welltok users. The company issued response letters to its members, outlining the breach and further steps to mitigate losses.

IBM

IBM experienced a cyberattack in September 2023 in which several unauthorized users accessed a secure, third-party database. The attack compromised over half a million individuals’ contact information, health insurance information, and medications.

Social engineering attacks may seem intimidating, but you can easily avoid them with the proper vigilance. Consider the following preventative measures to ensure the security of your PHI:

Verify Credentials Before Responding

Don’t be quick to trust strangers online. Always conduct the proper research to verify that an email address or phone number originates from a legitimate person or institution.

It’s best not to click on any links, profiles, or contact information in a suspicious message. Hackers may try to set malware traps in their emails.

Watch for Malicious Links

Don’t click a suspicious link. Hover your mouse over the URL to see if the metadata matches the hyperlink.

For example, an email with a link to “security.go0gle.com” may seem trustworthy at a glance. However, hovering over the text may expose a hidden URL, like “http://www.app.63%5c1.download.73%77%data.com.”

Avoid Suspicious Files

Installing or downloading a suspicious file can compromise your entire digital infrastructure. Always ensure that you have permission from the admin before adding anything to your hard drive.

After reviewing the common examples of social engineering in healthcare, do you worry that cybercriminals have your PHI documents in their sights? You can protect your information by:

Reporting the Incident: Contact your manager or administrator if you receive a suspicious email or direct message. IT professionals may be able to track and quarantine the hacker to prevent accidental record disclosures.

Checking for Additional Breaches: IT professionals should review data logs, code, and vulnerable software for additional security breaches. The sooner they can identify the hack, the faster they can respond to protect your PHI.

Protecting Existing Files: Backing up or moving files to a secure records platform can safeguard them from common social engineering attacks. Also, using a secure release of information software like ChartRequest ensures data is safe at rest and in transit.

Updating Your Security Policy: Your current cybersecurity policy may be out of date. This problem could result in exploitable cracks throughout your network. Update your policies regularly, and watch for developing technology that may make it easier for hackers to breach your information.

Let ChartRequest Optimize Your Record Exchange Security Strategy

Keeping your protected health information safe will significantly reduce your risk of experiencing identity theft, blackmail, or other disclosure-related disasters. An effective cybersecurity policy will also keep you compliant with HIPAA standards and regulations if you own a medical facility that stores electronic records. Our secure record exchange platform at ChartRequest can help.

We make it easy for authorized individuals to access their release of information while keeping bad actors away from sensitive data. Our encrypted database facilitates information exchange in secure SOC 2, HITRUST, and ISO 27001-certified workflows. We also utilize multi-factor authorization as an added layer of security.

Feel confident about your privacy and security by letting us manage your records in a safe electronic location. Are you unsure if this option is right for you? Our friendly ChartRequest representatives can help you explore your options with a comprehensive tech demo.