WASHINGTON, D.C. (September 27, 2022)—The Department of Health and Human Services’ (HHS) Health Sector Cybersecurity Coordination Center (HC3) has alerted the health care industry to a monkeypox-themed phishing campaign targeting health care providers, including home health agencies. Health care companies that fail to adequately protect their patients' private health information and violate the Health Insurance Portability and Accountability Act (HIPAA) could face fines from the Office of Civil Rights and/or prosecution from their state attorney general's office.

In the alert, HC3 said the phishing email carried a subject of the form “Data from (Victim Organization Abbreviation): ‘Important read about -Monkey Pox– (Victim Organization) (Reference Number).’” Opening the attached PDF launches a program that attempts to harvest Outlook, O365 or other mail credentials.
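The subject shape and the PDF attachment HC3 describes are enough to build a simple mail-gateway check. The following is an added illustration, not code from HC3 or the AHA: it assumes the message is available as RFC 5322 text (an .eml file), that the lure keeps the quoted subject shape, and uses a constructed sample message with placeholder organization names and reference numbers.

```python
"""Flag mail matching the monkeypox-themed lure HC3 described.

Added example, not from the HC3 alert or the AHA. Assumes the mail is
available as RFC 5322 text and that the lure keeps the subject shape
quoted in the alert. The sample messages below are constructed.
"""
import re
from email import message_from_string
from email.message import Message

# Subject shape quoted by HC3:
#   Data from <ORG ABBREV>: "Important read about -Monkey Pox- <ORG> <REF>"
# The pattern tolerates quote style, dash variants and spacing, since those
# are the parts most likely to vary between copies of the same lure.
LURE_SUBJECT = re.compile(
    r"data\s+from\s+\S+.*important\s+read\s+about.*monkey\s*-?\s*pox",
    re.IGNORECASE,
)


def pdf_attachments(msg: Message) -> list[str]:
    """Return filenames of parts that are, or claim to be, PDF attachments."""
    names = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename() or ""
        is_pdf = (
            part.get_content_type() == "application/pdf"
            or filename.lower().endswith(".pdf")
        )
        # Only count parts delivered as attachments, not inline bodies.
        if is_pdf and "attachment" in (part.get("Content-Disposition") or ""):
            names.append(filename or "<unnamed>")
    return names


def assess(raw_eml: str) -> dict:
    """Score one message on the two indicators HC3 reported."""
    msg = message_from_string(raw_eml)
    subject = msg.get("Subject", "")
    subject_hit = bool(LURE_SUBJECT.search(subject))
    pdfs = pdf_attachments(msg)
    reasons = []
    if subject_hit:
        reasons.append("subject matches HC3 monkeypox lure pattern")
    if pdfs:
        reasons.append(f"PDF attachment(s): {', '.join(pdfs)}")
    # Subject lure plus PDF is the combination HC3 describes: quarantine.
    # Subject alone goes to a review queue; a lone PDF is routine mail.
    if subject_hit and pdfs:
        verdict = "quarantine"
    elif subject_hit:
        verdict = "review"
    else:
        verdict = "allow"
    return {"subject": subject, "verdict": verdict, "reasons": reasons}


# Constructed sample (not a real capture); names and numbers are placeholders.
SAMPLE_LURE = """\
From: sender@example.invalid
To: nurse@example-hha.invalid
Subject: Data from EHHA: "Important read about -Monkey Pox- Example Home Health 48213"
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached document.
--b1
Content-Type: application/pdf; name="MonkeyPox_Update.pdf"
Content-Disposition: attachment; filename="MonkeyPox_Update.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

SAMPLE_BENIGN = """\
From: hr@example-hha.invalid
To: nurse@example-hha.invalid
Subject: Updated shift schedule
Content-Type: text/plain

See the portal for next week's schedule.
"""

if __name__ == "__main__":
    for raw in (SAMPLE_LURE, SAMPLE_BENIGN):
        print(assess(raw))
```

The verdict tiers keep the subject match and the attachment check separate so that a reworded subject still lands in a review queue, while an ordinary PDF from a colleague is not blocked on its own.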

The alert recommends organizations implement certain protective actions such as:

  • Protect each account with complex, unique passwords. Use a passphrase and/or a complex combination of letters, numbers, and symbols.
  • In general, avoid opening unsolicited emails from senders you do not know.
  • Do not open a link or an attachment in an email unless you’re confident it comes from a legitimate source.
  • Do not download or install programs if you do not have complete trust in the publisher.
  • Do not visit unsafe websites and do not click on pop-up windows that promise free programs that perform useful tasks.

“This alert reminds us that our cyber adversaries, foreign-based criminal gangs and hostile nation-state intelligence services, continue to prey on our culture of care by sending phishing emails based upon current urgent health care issues,” said John Riggi, the American Hospital Association’s national advisor for cybersecurity and risk. “These insidious emails targeting well-intentioned health care workers lure the recipients to click on malicious links, download malware and provide credentials, ultimately leading to the theft of patient data or hospital funds.”

“Last week, the FBI issued an alert identifying a scheme in which stolen employee credentials were being used to divert and steal millions of dollars in hospital funds,” Riggi continued. “In this multi-faceted and complex cyber threat environment, multi-factor authentication, phishing tests and verbal authentication for payment instruction changes are essential.”
