Report: Hackers Scammed $7.5M From HHS Grant Payment System
Money Meant for Poor Communities Stolen as Authorities Issued Phishing Scam Alerts
Hackers have reportedly stolen about $7.5 million from a Department of Health and Human Services grant payment system in a series of cyberattacks last year that included spear-phishing incidents. The revelation comes in the wake of recent alerts by HHS and other authorities about rising threats involving social engineering and payment scams targeting the healthcare sector.
The HHS cyber heists, which occurred between late March and mid-November 2023, targeted an HHS system - Payment Management Services - that processes civilian grant payments. Attackers withdrew millions of dollars intended to be awarded to five accounts, including money meant to support rural communities and underserved patients, according to reporting last week by news outlet Bloomberg.
In at least one of the most recent attacks, HHS concluded that bad actors had gained access to the grantees' domain email accounts and had used spear-phishing emails to fool U.S. payment workers into providing access to the grantees' accounts, Bloomberg said.
HHS reported the incidents to HHS' Office of Inspector General, which investigates fraud and abuse at the department.
An HHS spokeswoman in a statement to Information Security Media Group said: "This matter has been referred to the OIG. As federal stewards of the taxpayer dollar, we take this issue with the utmost importance." HHS did not immediately respond to ISMG's request for additional details about the incidents.
An HHS OIG spokeswoman told ISMG the watchdog agency can neither confirm nor deny the existence of an investigation and that it had no further information to provide.
The alleged incidents have delayed payments to the intended grant award recipients, including HHS' Health Resources and Services Administration, which was supposed to receive $1.5 million of the $7.5 million stolen by the hackers, Bloomberg reported.
HHS HRSA provides programs for underserved communities, including low-income families, individuals with HIV, pregnant women, children, patients in rural areas, and transplant patients. HHS HRSA did not immediately respond to ISMG's request for comment.
Phishing Warnings Fall Short
HHS' Office for Civil Rights is the federal government's chief regulatory agency for the healthcare industry, charged with enforcing patient privacy violations. The agency routinely provides guidance on cybersecurity best practices and last year collected nearly $4.2 million in HIPAA fines as part of a dozen resolution agreements with hospitals, doctors groups and their business associates.
Ironically, one of those settlements included the agency's first HIPAA enforcement action for a breach centered on a phishing attack. In that case, Louisiana-based Lafourche Medical Group, an urgent care clinic, paid a $480,000 fine and agreed to implement a corrective action plan to resolve potential HIPAA violations involving an email phishing breach reported in 2021 that compromised the electronic protected health information of nearly 35,000 individuals (see: Feds Levy First-Ever HIPAA Fine for a Phishing Breach).
And in October - apparently while HHS was in the midst of the attacks involving the grant payment scams - HHS' Health Sector Cybersecurity Coordination Center issued an alert warning the healthcare sector of rising threats posed by AI-augmented phishing, including those attempting financial fraud.
This month, the American Hospital Association issued an alert to its members warning about social engineering schemes targeting hospital IT help desk workers with payment fraud scams involving stolen credentials from billing and payments employees (see: AHA: Rise in Scams Targeting Help Desks for Payment Fraud).
"AI-driven advancements in social engineering, particularly phishing, are making it challenging to differentiate between legitimate and malicious actors," said Jon Moore, chief risk officer at privacy and security consultancy Clearwater.
Heightened geopolitical tensions - especially involving countries such as the U.S., China, Russia and Iran - raise the risk of such attacks being used by sophisticated threat actors to target critical infrastructure, including the healthcare sector, he said.
"These attacks may serve purposes beyond theft, including disruption, sabotage and as components of broader political or military strategies. In such scenarios, critical infrastructure becomes a focal point of potential cyberthreats and, very quickly, lives may be placed at risk."
HHS apparently falling victim to spear-phishing and related schemes also underscores that no entity or individual is immune to these sorts of attacks, Moore said.
"It is important to understand the risk associated with each of your information assets and to implement security safeguards to effectively manage that risk," he said. "People are often our weakest link, and therefore we need to take that into consideration when planning system security. Training is good and necessary; however, that is not enough, and layers of security need to be considered."
Mike Britton, CISO of security firm Abnormal Security, said government agencies such as HHS often have to deal with additional risk factors in fending off potential cyberattackers and other fraudsters.
Because HHS grants involve federal funds, information about them is publicly available online, Britton said. "The HHS often publicizes who their grant funding recipients are, or information could be exposed through public board meetings or grant funding requests. With this information, cybercriminals can easily identify high-value targets and source information to launch targeted social engineering attacks," he said.
"Healthcare organizations overall have always been attractive targets to threat actors, considering the masses of valuable data they house and the need to keep their operations up and running at all times," Britton said. "These kinds of attacks aren’t likely to slow down anytime soon and are particularly devastating when you consider that the recipients for many of these funding programs provide services to some of the most vulnerable patient communities."
Moore suggests that entities take steps to ensure that payment systems and processes have robust security measures in place, including multifactor authentication for financial transactions and real-time monitoring and anomaly detection systems that can identify unusual payment requests or patterns.
"Organizations should require out-of-band verification for significant or unusual financial transactions," he said.
"This could involve making a phone call or using a separate communication channel to confirm payment requests. Organizations may also consider the use of secure communication channels for discussing sensitive financial matters or payment approvals, such as encrypted messaging apps or secure video conferencing tools."
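One way to implement the controls Moore describes, as an added example that is not part of the original article and does not describe HHS Payment Management Services or any real grantee: each disbursement request is screened against a per-grantee baseline (the bank account on file, the registered contact domain, any recent change to bank details, and the history of approved amounts), and any deviation routes the request to out-of-band verification instead of automatic approval. The grantee names, account numbers, amounts, the 14-day cooldown after an account change and the 3-sigma amount threshold are all constructed assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import Dict, List, Optional, Tuple

# Constructed example: grantee profiles, account numbers, amounts and policy
# values are invented; nothing here describes an actual HHS system.

ACCOUNT_CHANGE_COOLDOWN = timedelta(days=14)  # assumed policy: verify payments soon after a bank-detail change
MIN_HISTORY = 3                               # approved disbursements needed before amount baselining applies


@dataclass
class GranteeProfile:
    grantee_id: str
    bank_account: str                                   # destination account on file (masked)
    contact_domain: str                                 # email domain of the authorised requester
    history: List[float] = field(default_factory=list)  # amounts of previously approved disbursements
    last_account_change: Optional[datetime] = None      # when bank details were last modified


@dataclass
class PaymentRequest:
    request_id: str
    grantee_id: str
    amount: float
    bank_account: str
    requester_email: str
    submitted_at: datetime


def amount_is_anomalous(amount: float, history: List[float]) -> bool:
    """True when the amount is more than 3 sigma above the grantee's historical mean.
    A floor of 5% of the mean keeps a flat history (sigma == 0) from flagging
    every small variation; too little history disables the check."""
    if len(history) < MIN_HISTORY:
        return False
    mu = mean(history)
    spread = max(pstdev(history), 0.05 * mu)
    return amount > mu + 3 * spread


def screen_request(req: PaymentRequest, profile: GranteeProfile) -> Tuple[str, List[str]]:
    """Return (decision, reasons). Any deviation from the baseline holds the
    request for out-of-band verification (phone call or separate channel)."""
    reasons: List[str] = []
    if req.bank_account != profile.bank_account:
        reasons.append("destination account differs from the account on file")
    domain = req.requester_email.rsplit("@", 1)[-1].lower()
    if domain != profile.contact_domain.lower():
        reasons.append(f"requester domain '{domain}' is not the registered contact domain")
    if (profile.last_account_change is not None
            and req.submitted_at - profile.last_account_change < ACCOUNT_CHANGE_COOLDOWN):
        reasons.append("bank details were changed within the cooldown window")
    if amount_is_anomalous(req.amount, profile.history):
        reasons.append(f"amount {req.amount:,.2f} is far above the historical baseline")
    decision = "HOLD_FOR_OOB_VERIFICATION" if reasons else "AUTO_APPROVE"
    return decision, reasons


# Constructed sample data.
PROFILES: Dict[str, GranteeProfile] = {
    "G-1001": GranteeProfile("G-1001", "****4421", "ruralclinic.example",
                             [120000.0, 118500.0, 121000.0, 119800.0]),
    "G-2002": GranteeProfile("G-2002", "****7710", "countyhealth.example",
                             [42000.0, 41500.0, 42300.0], datetime(2023, 11, 1, 12, 0)),
}

REQUESTS = [
    PaymentRequest("req-1", "G-1001", 119000.0, "****4421", "grants@ruralclinic.example", datetime(2023, 10, 2, 9, 15)),
    PaymentRequest("req-2", "G-1001", 480000.0, "****9083", "grants@ruralclinic.example", datetime(2023, 10, 9, 16, 40)),
    PaymentRequest("req-3", "G-1001", 120000.0, "****4421", "grants@ruralclinic-example.com", datetime(2023, 10, 11, 8, 5)),
    PaymentRequest("req-4", "G-2002", 42000.0, "****7710", "finance@countyhealth.example", datetime(2023, 11, 6, 10, 30)),
]


def run_demo() -> Dict[str, Tuple[str, List[str]]]:
    """Screen every constructed request and return the decision per request id."""
    return {req.request_id: screen_request(req, PROFILES[req.grantee_id]) for req in REQUESTS}


if __name__ == "__main__":
    for rid, (decision, reasons) in run_demo().items():
        print(f"{rid}: {decision}")
        for reason in reasons:
            print(f"   - {reason}")
```

Only req-1 is approved automatically; req-2 is held for both a changed destination account and an out-of-pattern amount, req-3 for a requester domain that does not match the one on file, and req-4 solely because its bank details were changed five days earlier, even though the amount and account look normal. Note the limit of the domain check: a request sent from a legitimate but compromised grantee mailbox, the scenario Bloomberg describes, passes it, which is why the account-change cooldown and the out-of-band confirmation that the hold triggers are the controls that actually stop the payment.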
As the threat level for AI-augmented phishing and other scams rises, AI-based security solutions potentially could help put healthcare organizations in a better position to keep up with - and stay ahead of - these evolving email attacks, Britton said.
That includes products that are designed to determine a baseline of users' typical email behaviors and then detect deviations from the norm, which may indicate a potential attack. "This means that even if cybercriminals launch a perfectly written and personalized email attack, sent from a legitimate compromised domain and with no other indicators of compromise, the solution will still be able to pick up signals of malicious intent," he said.