Healthcare Scams: What to Know and How to Avoid Them

Scammers use a lot of techniques to attempt to steal your information, money, or both. Our security expert shares how to spot a scam.

Jun. 19, 2024


Scams seem to be everywhere these days – the Internet, text messages, phone calls, and other places. Unfortunately, the people behind the scams are getting better at disguising their efforts, making it tough to know what might be real and what might be an attempt to take advantage of you.

We asked Marcelle Bicker, CISSP, a senior security compliance analyst with Rochester Regional Health, how to recognize healthcare scams, the best ways to avoid falling victim to them, and what to do if you realize you have been scammed.

Who is targeted in healthcare scams?

Scammers are looking to target everyone. It doesn’t matter if you are a patient, healthcare worker, an executive, or administrative assistant; a scam is designed to reach as many people as possible to maximize the amount of money that can be stolen.

There are also more targeted approaches, called business executive compromises (BECs), that people with malicious intent can use to hook executives. These center on a scammer building a relationship with an executive assistant through regular email, text, or phone conversations that end with a request for something. The scammer might pose as a trusted party such as a vendor or supplier.

“It is important to recognize that executives might have specific vulnerabilities that can be exploited because the potential payout is bigger,” Bicker said. “If a scammer can get an executive to cut a big check to someone, maliciously, that's much more lucrative.”

Common healthcare scams

Most healthcare scams will be text messages or emails designed to look like they are coming from your healthcare provider or their health system.

Text messages

Scam attempts over text messages will come in the form of a link to click, a practice known as phishing. The message might look like an alert to warn you, remind you about a payment, or tell you about some other urgent matter. The link is malicious and should not be clicked.

Other examples might include malicious QR codes, fake MyCare messages, or fake multifactor authentication prompts.

Phone calls

Especially with the rise of AI, phone call scams can be dangerous. Using AI to imitate a person’s voice is increasingly common, which can make determining if a call is a hoax or real even more difficult.

Scammers can also use phone number masking to make a call appear as though it’s coming from a legitimate healthcare location, like a doctor’s office or hospital.

Email messages

Like text scams, email phishing attempts will ask you to open an attachment or click a link. Emails might look like they are coming from a sender whose name you recognize, but the domain is fake (ex.: rochester-regional.com instead of rochesterregional.org).

Other fraudulent email messages might come in the form of malicious calendar invites, fake MyCare messages, or false multifactor authentication prompts. Staying alert at all times is very important to avoid falling victim to these fake messages.

“Phishing emails can have very serious consequences, like bringing down an IT network environment or stealing patient data,” Bicker said.

How to tell the difference between a scam and a real message

The best way to be prepared in case of a scam is to be aware of who your emails are coming from. You can do this in a few ways.

Know your domains: An email message might be written to look like it’s coming from someone you know, but a closer look at the domain of the email address or website links inside the message itself might make you think twice. The domain is the part of the address after the @ symbol.

Out of the blue: Ask yourself, “Am I expecting this email?” An email about a follow-up appointment or a text message about making a payment for a recent visit when you haven’t had a recent provider visit should raise a red flag.

Beware of urgency: If the message is trying to get you to do something quickly, this should warrant caution. This is especially true if there is an attachment or link within the message. If a message seems urgent, it should be investigated further before acting on it.

If you are unsure about whether a text, email, or phone message is real, use an independent, trusted phone number or website to contact the source directly. Learn if the message you received can be trusted before taking any action.

A good practice is to cut and paste any suspicious web address into a browser search bar to inspect the address further before visiting the website. Don’t press ‘enter’ until you are sure it is safe.

Rochester Regional Health may request personal information for billing or payment purposes, but you have the right to decline. Otherwise, we will only contact you to:

  • confirm appointments
  • complete pre-appointment check-ins
  • offer financial assistance or payment resolution options, but not with a sense of urgency or threats

Any questions about billing, insurance, or finances can be explored on our Billing & Insurance page or discussed with our financial assistance team at (585) 922-1900.

If you have been scammed

If you are on a work computer and fell victim to a scam, call your IT Service Desk. They can recommend the best course of action and tell you what to do next.

For health system patients who believe they may have fallen victim to a scam, there are a few things you can do:

  • Check your antivirus software in case someone tried to install something on your computer
  • Keep track of your credit score and bank account
  • Change your password immediately
  • Report your scam to the FTC or the NY Attorney General’s Office