Crims are posing as insurance companies to steal health records and payment info
================================================================================

Taking advantage of the ridiculously complex US healthcare billing system
-------------------------------------------------------------------------

[Jessica Lyons](/Author/Jessica-Lyons) Fri 27 Jun 2025 // 22:59 UTC

Criminals masquerading as insurers are tricking patients and healthcare providers into handing over medical records and bank account information via emails and text messages, according to the FBI.

In a Friday security alert, the federal cops warned the public to be on the lookout for emails and texts purporting to come from health insurers and claims investigators. Criminals are sending these messages to both patients and healthcare providers alike in this latest healthcare fraud scheme.

‘The messages are designed to pressure victims into disclosing protected health information, medical records, personal financial details, or providing reimbursements for alleged service overpayments or non-covered services,’ the FBI [warned](https://www.ic3.gov/PSA/2025/PSA250627).

Errol Weiss, chief security officer of the Health Information Sharing and Analysis Center (Health-ISAC), said his nonprofit’s members have also reported an increase in phishing and social-engineering scams targeting healthcare organizations, similar to those detailed in the FBI’s alert.

‘These incidents often involve adversaries impersonating trusted entities, such as government organizations or established global brand names to deceive people into divulging sensitive information,’ Weiss told *The Register*. ‘The healthcare sector, with its complex billing and procurement processes, unfortunately presents a rich target for this kind of financial fraud.’

Criminals frequently use previously leaked data to make their social-engineering attacks more believable, he added.

‘They use stolen information — anything from a partial SSN to the details of a recent vendor transaction — to build a false sense of trust with their target,’ Weiss said. ‘It’s a classic confidence trick, where a few “secret” details are used to convince an employee that the entire request is legitimate.’

> My advice is verify, verify, verify: The single most effective defense is to verify requests out-of-band

While the FBI hasn’t blamed these attacks on a particular individual or criminal organization — *The Register* asked about attribution, and the bureau declined to comment — Weiss said the tactics observed indicate ‘well-organized, financially motivated cybercriminal groups and, in some cases, cash-hungry state-sponsored actors like North Korea.’

‘These aren’t casual hackers,’ he added. ‘They are sophisticated operations that invest time in reconnaissance to make their fraudulent requests appear as legitimate as possible. Their primary goal is direct financial theft through fraudulent wire transfers and payments.’

* [Qilin ransomware attack on NHS supplier contributed to patient fatality](https://www.theregister.com/2025/06/26/qilin_ransomware_nhs_death/)
* [Second attack on McLaren Health Care in a year affects 743k people](https://www.theregister.com/2025/06/23/second_suspected_ransomware_attack_on/)
* [Ransomware scum leak patient data after disrupting chemo treatments at Kettering](https://www.theregister.com/2025/06/04/ransomware_scum_leak_kettering_patient_data/)
* [Healthcare group Ascension discloses second cyberattack on patients’ data](https://www.theregister.com/2025/05/01/ascension_cyberattack/)

To avoid falling victim to this type of healthcare fraud, the FBI urges people to be wary of unsolicited messages and calls requesting personal information.

Of course, some bills that patients receive from their healthcare providers and calls from insurance adjusters arrive without warning, so it’s a good idea to contact providers directly to verify the legitimacy of any messages before sharing personal or health information.

‘Historically, we’ve been warning people about emails that have a sense of urgency, contain grammatical errors or use an uncommon choice of words — but the cybercriminals are leveraging AI, so their email scams are harder to spot nowadays,’ Weiss said.

‘My advice is verify, verify, verify: The single most effective defense is to verify requests out-of-band,’ he continued. ‘If you receive an email or text message asking to change payment information or make an urgent, unexpected payment, do not reply to the email or text message, and do not use contact information from it. Instead, pick up the phone and call your established contact at that vendor using a trusted phone number from your own records.’ ®