December 9, 2024

Social engineering scams target VUMC patient data

VUMC staff with access to patient records should be on alert for remote social engineering attacks targeting patient data. Social engineering is the (illegal) art of manipulating people to give up sensitive information.

In this case, attackers may claim to represent a third-party healthcare institution with some relationship to a patient’s care at VUMC, such as a pharmacy, lab, durable medical equipment company, another hospital, urgent care or other specialty clinic. These attacks have arrived by fax, by voice call, or by email.

Some potential indicators of which to be aware:

· The attackers may already have some personal information about the patient, such as address and phone number, and in worse cases more sensitive information such as date of birth and/or Social Security Number.

· The attackers may send what looks like a valid order or request for a VUMC provider to sign, one that the provider was not expecting or that is generic or vague, without stating the specific information needed or the purpose of the request. Some things to look for include:

· The email addresses, phone numbers and/or fax numbers provided may not match the organization that the attacker claims to represent. Look closely at them and then verify through the company’s legitimate website.

· When denied access to the VUMC patient data, the attackers may increase their calls or faxes or become frustrated or belligerent with staff. If you are unsure whether a phone call is really from the company it claims to be, call the number from the company’s legitimate website. Do not call the number that initially called you or that was provided on a fax or as part of an email.

In all cases, if the situation “just doesn’t seem right,” workforce members should follow their suspicions, consult a fellow staff member or manager for a second opinion, and/or report the situation and forward a copy of the request to the VUMC Privacy Office or VUMC Enterprise Cybersecurity for further review.