Healthcare Breaches Give Fraudsters New Tools for ‘Targeted’ Crowdfunding Scams

It’s well known that fraudsters are nothing if not creative and cunning as they continually seek to prey on the most basic human traits of altruism and sympathy.

There are few things more despicable than those who scam the most vulnerable among us or use their stories of hardship and pain to perpetuate schemes to defraud other caring people to help them out.

Picture a GoFundMe page that seeks donations for someone afflicted with a rare or life-threatening medical situation — with a real person featured, with real-life details as to where they live, treatments undergone, the money needed for those treatments and hospitals visited. The donations come pouring in, from friends and family members, strangers too — only to be siphoned away by bad actors, successful in exploiting the impulse to help first, ask questions later.

To that end, Featurespace Founder Dave Excell told Karen Webster that our most sensitive data — well beyond the confines of bank accounts and credit card numbers — are being ferreted out by fraudsters in nefarious ways. At a high level, he said, “there’s all sorts of personal information that can be used not just against the individual — but also their families.”

That means fraud management (on the part of financial institutions and healthcare firms) itself is ripe for a retooling, he told Webster, toward a policy where the individuals/patients themselves take ownership of their healthcare information and their online identities overall.

Broward Breach in Focus

The conversation came amid a backdrop in which the Broward Health hospital system disclosed on New Year’s Day that it had notified 1.3 million patients that their personal information was exposed in a data breach dating back to Oct. 15. The compromised data included names, addresses, phone numbers, Social Security numbers, bank account information and medical history data.

The hacker(s) reportedly accessed the hospital’s network from the office of a third-party medical provider.

Read more: Florida’s Broward Health Hit by Data Breach of 1.3M Patients’ Records

In terms of scale, the Broward hack pales in comparison to, say, breaches of telecom providers or credit reporting giant Experian. But Excell noted that the information that is contained within a medical record represents some attractive targets for fraudsters.

The more detail there is to work with, he said, “the more nuanced and sophisticated the fraudsters can be in targeting their attacks.”

We’re rapidly moving away from the age of online scams that function as blanket or even mass market communications that seek to snare as many victims as possible. Excell told Webster that, with the medical data in hand, cyber criminals can craft attack vectors that exist as “targeted” schemes — taking aim at potential victims who may have a certain type of disease, for example, leveraging social media to contact friends and family of the individual whose data has been compromised.

The most brazen scammers might even telephone grandparents or other close relatives and direct them to send money to accounts at a neobank (or create synthetic IDs) to help funnel away the funds — sidestepping the know your customer (KYC) protocols of the crowdfunding sites (and Broward’s own announcement that it had set up credit monitoring and ID theft protection through Experian).

“The fraudsters might say something like, ‘We’re about to treat this person — they need this operation,’ and put a lot of pressure on the victim to make that payment happen,” said Excell.

The donors — again, with family members among them — don’t know they’ve been scammed until further down the line.

Other Avenues of Attack

Excell stated there are other ways fraudsters are crafting new means of attack. He pointed to recent scams in the U.S. in which fraudsters have siphoned information from bail bond shops — then contacted family members to make payments on those bonds. (The payments of course were steered to other accounts.) Exploiting sensitive situations with high-pressure tactics and stoking shame or fear can be a successful way to bilk tens of thousands of dollars from victims, even through blackmail, he said — and the fraud may never be reported as emotions run high.

“You just make the payment amid the adrenaline rush, and it’s only later that you realized that something wasn’t quite right,” Excell said.

There will be no end to the waves of fraud attacks that seek to use sensitive information in new ways. Once compromised, said Excell, “this information lives on forever. Your medical history doesn’t change — it’s like your fingerprints. Once that information is ‘out there,’ it can be used in different ways.”

The Log4J software flaw that came to light last month also offers vulnerability for hackers to exploit, and the data they harness can be hoarded for years until the time is right to strike.

The aspirational goal, then, in retooling fraud management is to be confident — no matter the transaction — in who you are communicating with and where you are receiving information. It’s critical for financial institutions (FIs) to take an extra step and verify information before someone’s money goes out the proverbial door.

Machine learning platforms (Featurespace’s among them) can access, organize and analyze data of FI customers that might be more susceptible to being scammed. There’s also potentially more sharing that can help banks identify and alert targeted victims and family members and pinpoint unusual transactions. The transmission of sensitive data, particularly healthcare information, could be made more reassuring with signifiers akin to that “little lock sign” that lets us know that email is encrypted. That incoming phone or text or email from the doctor or the police station requesting a bail bond can thus be verified and trusted, noted Excell.

He predicted there will be a shift ahead, where sensitive medical information might be owned by the individuals themselves rather than simply residing within the doctor or hospital’s back-office systems (or the stacks of folders that line the office walls).

“You’d grant access to the doctor when they need to see it rather than them being the custodians of that data,” he said.