A rash of fraudulent requests to ROI companies has come from malicious actors posing as well-known national healthcare companies. Learn the red flags and become savvy to scams that can have harmful consequences.
In the world of cybercrime, health records are big business. A lot of information is contained in that record – demographics, social security number, Medicare/Medicaid numbers, sometimes even financial information. These types of records are more lucrative for criminals than other types of data, like credit card numbers. According to Experian, a single patient record can sell for up to $1,000 on the black market, depending on how complete the record is. Millions of patient records are hacked every year, a figure that has been increasing since the pandemic began as healthcare systems became more vulnerable.
With the tremendous market for ill-gotten patient records out there, it is no wonder that ROI companies have become a target. Criminals know that employees are getting more savvy at recognizing fraudulent requests, which is why they constantly change tactics.
A new problem has surfaced that has been surprisingly widespread. Cybercriminals are now posing as well-known pharmacy names like CVS/Caremark, Walgreens, Johns Hopkins, Walmart, and Kroger to request patient records.
HIPAA laws typically restrict individuals and entities from obtaining unauthorized records of others without written permission. However, the law’s Treatment, Payment, and Healthcare Operations (TPO) exception allows covered healthcare entities, like pharmacies, to easily request information to help care for a patient, without needing a signature. ROI providers report that around 50% of requests fall under the TPO exception; however, pharmacy requests are rare.
Safeguarding protected health information is a key focus of release of information (ROI) companies and the industry as a whole. With this latest subterfuge, it is important that ROI professionals learn the red flags to watch out for when processing requests.
The Association of Health Information Outsourcing Services (AHIOS) has identified the following marks that indicate fraudulent requests:
If you suspect that a request is fraudulent, it is best to validate it by calling the number on the form. If this is unsuccessful, you can also contact the requesting company’s privacy officer.
For Walgreens and CVS/Caremark, you can reference the links and phone numbers below to verify authenticity: (provided by WHIMA.org)
First, if any of the red flags above are present and you cannot verify the authenticity of the request, you should report the issue internally to your company’s Privacy and Compliance department.
RecordQuest is dedicated to providing secure release of information services. We are trusted by healthcare organizations across the country to carefully guard against fraud and identity theft while we provide timely and professional services. For more information, book a demo with us to learn about our proactive solutions and cutting-edge technology that can transform your ROI processes.