A rash of fraudulent requests to ROI companies has come from malicious actors posing as well-known national healthcare companies. Learn the red flags and become savvy to the scams out there that can cause harmful consequences.

Why Is This Happening?

In the world of cybercrime, health records are big business. A lot of information is contained in that record – demographics, social security number, Medicare/Medicaid numbers, sometimes even financial information. These types of records are more lucrative for criminals than other types of data, like credit card numbers. According to Experian, a single patient record can sell for up to $1,000 on the black market, depending on how complete the record is. Millions of patient records are hacked every year, a figure that has been increasing since the pandemic began as healthcare systems became more vulnerable.

With the tremendous market for ill-gotten patient records out there, it is no wonder that ROI companies have become a target. Criminals know that employees are getting more savvy at recognizing fraudulent requests, which is why they constantly change tactics.

A new problem has surfaced that has been surprisingly widespread. Cybercriminals are now posing as well-known pharmacy names like CVS/Caremark, Walgreens, Johns Hopkins, Walmart, and Kroger to request patient records.

HIPAA laws typically restrict individuals and entities from obtaining unauthorized records of others without written permission. However, the law’s Treatment, Payment, and Healthcare Operations (TPO) exception allows covered healthcare entities, like pharmacies, to easily request information to help care for a patient, without needing a signature. ROI providers report that around 50% of requests fall under the TPO exception; however, pharmacy requests are rare.

How Can I Tell if a Request is Fraudulent?

Safeguarding protected health information is a key focus of release of information (ROI) companies and the industry as a whole. With this latest subterfuge, it is important that ROI professionals learn the red flags to watch out for when processing requests.

The Association of Health Information Outsourcing Services (AHIOS) has identified the following markers of a fraudulent request:

  • Grammatical errors in the text such as missing periods, commas, and incorrect word usage.
  • The fax number and call-back phone number are from different area codes or countries. For example, a Canadian fax number with a call-back number in Texas.
  • The call-back numbers frequently have an automated message with “the subscriber you’re trying to reach is unavailable” rather than an automated CVS (or other company) response.
  • There is a fake “HIPAA Compliant” tag or logo near the top of the page.
  • Some of them carry outdated company logos, such as an old “CVS Caremark” logo.
  • Examine signatures carefully. One example used the actual signature of Sarah Jessica Parker, the famous actress. Samuel L. Jackson has also been used. The signatures are obtained via an internet search and copied.
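Several of the AHIOS markers above can be checked mechanically before a request ever reaches a reviewer. The following triage helper is an added example written for this post (it is not code from AHIOS, WHIMA or RecordQuest); it assumes the request's claimed requester, fax number, call-back number and cover-page text are available as strings, and it uses only the two verified fax numbers quoted later in this post.

```python
import re

# Verified fax numbers quoted in this post (via WHIMA.org) for the two
# requesters it covers. Extend this table only from verified sources.
KNOWN_FAX = {
    "walgreens": "2175548955",
    "cvs": "4016521593",
}


def normalize(number: str) -> str:
    """Reduce a North American phone/fax number to its 10 digits."""
    digits = re.sub(r"\D", "", number)
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]  # strip the leading country code
    if len(digits) != 10:
        raise ValueError(f"not a 10-digit number: {number!r}")
    return digits


def triage_request(requester: str, fax_number: str,
                   callback_number: str, form_text: str = "") -> list[str]:
    """Return the AHIOS red flags raised by a request (empty list = none).

    A flagged request is not proof of fraud; it means the reviewer should
    verify by calling the number on the form or the requester's privacy officer.
    """
    flags = []
    try:
        fax, callback = normalize(fax_number), normalize(callback_number)
    except ValueError as exc:
        return [f"unparseable contact number: {exc}"]
    # Red flag: fax and call-back numbers from different area codes.
    if fax[:3] != callback[:3]:
        flags.append(f"fax area code {fax[:3]} differs from "
                     f"call-back area code {callback[:3]}")
    # Red flag: fax number does not match the verified one for the requester.
    key = next((k for k in KNOWN_FAX if k in requester.lower()), None)
    if key and fax != KNOWN_FAX[key]:
        flags.append(f"fax number does not match the verified {key} fax "
                     f"number; confirm with the privacy officer")
    # Red flag: a "HIPAA Compliant" tag printed on the form.
    if re.search(r"hipaa[\s-]*compliant", form_text, re.IGNORECASE):
        flags.append('"HIPAA Compliant" tag on the form')
    return flags


if __name__ == "__main__":
    # Constructed sample: Canadian (604) fax, Texas (512) call-back, 555-01xx
    # numbers are reserved fictional numbers.
    for flag in triage_request("CVS Caremark", "(604) 555-0147",
                               "512-555-0199", "Fax cover - HIPAA Compliant"):
        print("FLAG:", flag)
```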

If you suspect that a request is fraudulent, it is best to do some validation by calling the number on the form. If this is unsuccessful, you can also contact the requesting company’s privacy officer.

For Walgreens and CVS/Caremark, you can use the links and fax numbers below (provided by WHIMA.org) to verify authenticity:

  • Here is a link to the correct Walgreens Auth PHI form. The correct fax number is 217-554-8955.
  • Here is the link to the correct CVS form. Their correct fax number is 401-652-1593.

How Do I Report a Fraudulent Request?

First, if any of the red flags above are present and you cannot verify the authenticity of the request, you should report the issue internally to your company’s Privacy and Compliance department.

  • From there, the company will need to make a report to local law enforcement. You will likely need to provide the details and copies of the request(s). Make sure to remove any PHI from the form(s) or your notes.
  • The HHS Office of the Inspector General operates a hotline for tips and complaints about potential fraud. The information can be found here: https://oig.hhs.gov/fraud/report-fraud
  • The FBI also operates a healthcare fraud division. A report can be made at https://tips.fbi.gov.
  • Your company leaders should provide education to other employees so that any future fraudulent requests can also be rejected and reported.

RecordQuest Can Help

RecordQuest is dedicated to providing secure release of information services. We are trusted by healthcare organizations across the country to carefully guard against fraud and identity theft while we provide timely and professional services. For more information, book a demo with us to learn about our proactive solutions and cutting edge technology that can transform your ROI processes.
