Kusserow on Compliance: Arrest of the University of Pittsburgh Medical Center hacker

An individual was indicted by a federal grand jury in Pittsburgh and arrested on charges arising from the 2014 theft, by hacking, of a University of Pittsburgh Medical Center (UPMC) human resources database that contained the personally identifiable information (PII) of over 65,000 UPMC employees. He was charged with fraud and aggravated identity theft, and with selling the information on the dark web to buyers around the world. Those buyers, in turn, engaged in a massive campaign of further scams and theft, including the filing of thousands of false IRS tax returns that produced $1.7 million in fraudulent refunds.

Additionally, the indictment alleges that from 2014 through 2017 the hacker, using the handles “TDS” or “DS,” regularly sold other PII on dark web forums that could be used to commit identity theft and bank fraud. According to the indictment, conspirators who bought the stolen UPMC employee PII promptly filed hundreds of false Form 1040 tax returns claiming hundreds of thousands of dollars in refunds. They converted the refunds into Amazon.com gift cards, used the gift cards to purchase Amazon merchandise, and had the merchandise shipped to Venezuela. The case was investigated by the Secret Service, the IRS, and the Postal Inspection Service. As a side note, the breach triggered a major legal battle six years ago when employees sued UPMC for negligence and breach of contract; the state supreme court ruled that UPMC may be liable for monetary damages if the plaintiffs can prove the health system acted negligently.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2020 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: FBI’s latest report on efforts to curb cyber-crimes

The FBI’s Internet Crime Complaint Center (IC3) was created to gather data on a new but rapidly growing type of crime. In its first full year of operation the center received 50,000 complaints; it has since accumulated over 5 million reports of thefts, scams, frauds, and other crimes with an online nexus, accounting for over $10 billion in losses since 2015 alone. In its report, the FBI noted that threat mitigation is its top cyber-crime priority. The IC3 has enabled increased reporting and information sharing, which often prevents further victimization and supports accountability.

The crimes catalogued by the IC3 have mirrored the evolution of the web across two decades, growing in sophistication and in number as the web has become a central feature of daily life. In the first full year of IC3 reporting, the most commonly reported crimes included internet auction fraud, non-delivery schemes, advance payment schemes, and credit card fraud. Since then, threats have evolved into more destructive and costly data breaches and network intrusions, ransomware, romance scams, and sophisticated financial crimes such as business email compromise. Scammers have also been quick to exploit tragedies and disasters, such as Hurricanes Rita and Katrina and the Boston bombings.

During the current COVID-19 pandemic, scammers are working overtime with fake cures, investment schemes, and sales of personal protective equipment they do not have in stock, and they are looking to take advantage of a population spending more of its time online because of increased telework and distance learning. Criminals are exploiting a public health emergency to steal from and deceive people who are vulnerable, worried, or seeking vital supplies and assistance.

In 2018, the FBI created its Recovery Asset Team (RAT) to streamline communication between financial institutions and FBI field offices so that criminals cannot successfully obtain funds through fraudulent transactions. The RAT recovered over $300 million in 2019 alone. Last year, the RAT, together with IC3’s Recovery and Investigative Development (RAID) team, brought law enforcement and financial institutions together to share data and build a better understanding of the networks and methods used by cyber fraudsters, enhancing their ability to identify the criminals involved.

Kusserow on Compliance: FBI reports rise in schemes involving the COVID-19 pandemic

The FBI reported that fraudsters are taking advantage of the COVID-19 pandemic to steal money, personal information, or both. Fraudsters see a vulnerable population that is scared and looking for help to protect itself and its families. They are increasingly resourceful and view the current crisis as an opportunity to advance their schemes. Today, many people are looking for medical attention, equipment, and supplies; as a result, a new fraud threat involves fake cures or treatments for the virus, many of which can be extremely dangerous or even fatal.

People who are at home and out of work are vulnerable to work-from-home scams in which up-front money is requested; a legitimate employer does not ask for such payments. One of the most prevalent schemes has criminals contacting victims while pretending to be from the government and claiming that COVID-19 testing is mandatory, in order to obtain personal information or money or to gain access to the victim’s computer. Other scams collect personal information under the pretense of determining eligibility for government benefits. In some cases, fraudsters are even going door-to-door to convince individuals that they must pay for COVID-19 testing, financial relief, or medical equipment. The FBI has teams of agents working on these cases and has arrested and filed charges against many of those engaging in these crimes. The FBI advises everyone to be on the lookout for the following “red flags” in email contacts:

  • Unexplained urgency
  • Last minute changes in wire instructions or recipient account information
  • Last minute changes in established communication platforms or email account addresses
  • Communication only by email and refusal to communicate via phone or video
  • Requests for advance payment for services when not previously required
  • Requests from employees to change direct deposit information

The following tips have been offered to help protect against these schemes:

  1. Be very wary of any attachments or links
  2. Be suspicious of anyone offering you something that’s “too good to be true”
  3. Beware of contacts purporting to be from a government agency requiring you to take a COVID-19 test
  4. Beware of individuals offering to sell you a COVID-19 test kit or supplies
  5. Beware of medical professionals requesting payment for treating a friend or relative
  6. Be skeptical of last-minute changes in wiring instructions or recipient account information
  7. Verify the addresses of emails from people you know; a look-alike address may differ by just one letter
  8. Never respond to a vendor solicitation by calling the number provided in the email; use a number you already have on file
  9. Ensure the URL in an email is exactly the one you have seen in the past for the business it claims to be from
  10. Be alert to hyperlinks that contain misspellings of the actual domain name
  11. Accept a medical treatment or virus test only from a known doctor or pharmacist
  12. Use extreme caution in online communication
  13. Seek out legitimate sources of information rather than accepting unsolicited material at face value

For more information, the HHS OIG issued a COVID-19 Fraud Alert Video to warn about several health care fraud scams.

Kusserow on Compliance: Increase guard on cybersecurity during COVID-19 pandemic

Many health care organizations are facing attacks by cyber-criminals who are using the COVID-19 crisis to make individuals less vigilant about security. Hackers are exploiting fear and uncertainty about the pandemic to gain access to systems through malware. They impersonate health authorities such as NIH, CDC, and FDA to get individuals to open attachments that purportedly contain important information on the spread of the disease, lockdowns, and quarantines. These phishing campaigns have spread rapidly during the crisis. As organizations move to expanded teleworking, their exposure to such attacks increases greatly. As new systems are introduced for remote work, steps need to be taken to ensure that security and privacy controls are in place, particularly because employees may lower their guard when introduced to new and unfamiliar communication methods. Even government agencies are targets: HHS’s computer systems were hit by an attack intended to disrupt and undermine the response to the coronavirus pandemic, in which attackers overloaded HHS servers with millions of requests over several hours to impair operation of the systems, a denial-of-service attempt. Fortunately, HHS experienced no degradation in the functioning of its networks.

Tips and Reminders

  1. Alert employees to beware of COVID-19-themed communications
  2. Re-educate employees on phishing and social engineering defense tactics
  3. Remind employees not to click on links or attachments in, or respond to inquiries from, unexpected or unverified emails
  4. Review third-party vendors’ access to information systems
  5. Require strong authentication for access, particularly as more employees connect remotely
  6. Regularly test users (for example, with simulated phishing) to make sure they are on guard
  7. Configure email servers to block zip archives and other attachment types that are likely to be malicious, such as executables and scripts
  8. Monitor and log access to sensitive data
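
Three of the red flags in these newsletters can be checked mechanically rather than left to the reader’s eye: a sender address one letter off from a known domain (tip 7 of the COVID-19 fraud list), a hyperlink whose visible text names one domain while the link goes elsewhere or to a misspelled domain (tips 9 and 10 of that list), and an attachment type the mail server should have blocked (tip 7 of the list above). The Python script below is an added example and is not from the newsletter, the FBI, or Strategic Management Services. The allowlist of known domains, the blocked-extension list, the homoglyph table, and the sample message are all constructed for the demonstration; it parses one message and reports each red flag it finds.

```python
import re
import email
import email.utils
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Assumed allowlist of domains this organization legitimately corresponds with.
# A real deployment would load this from configuration.
KNOWN_DOMAINS = {"upmc.edu", "irs.gov", "cdc.gov", "hhs.gov"}

# Attachment extensions to flag. The newsletter names zip; the rest are
# assumptions chosen because they are commonly abused in phishing.
BLOCKED_EXTENSIONS = (".zip", ".exe", ".scr", ".js", ".vbs", ".iso")

# Character sequences that look alike in common fonts (partial list, assumed).
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def levenshtein(a, b):
    """Edit distance: single-character insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain):
    """Fold look-alike characters so 'uprnc.edu' and 'upmc.edu' compare equal."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def lookalike_of(domain):
    """Return the known domain that `domain` imitates, or None.

    An exact allowlist match is not a look-alike. A domain equal to a known
    one after homoglyph folding, or within one edit of it, is flagged.
    """
    d = domain.lower()
    if d in KNOWN_DOMAINS:
        return None
    for known in KNOWN_DOMAINS:
        if normalize(d) == normalize(known) or levenshtein(d, known) <= 1:
            return known
    return None


def same_site(link_host, shown_domain):
    """True if the link host is the shown domain or one of its subdomains."""
    link_host, shown_domain = link_host.lower(), shown_domain.lower()
    return link_host == shown_domain or link_host.endswith("." + shown_domain)


def analyze(raw_message):
    """Return a list of (kind, detail) findings for one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    # Red flag: sender domain one letter off from, or a homoglyph of, a known one.
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2]
    imitated = lookalike_of(sender_domain)
    if imitated:
        findings.append(("sender", f"{sender_domain} imitates {imitated}"))

    # Red flag: anchor text shows one domain while the href points elsewhere,
    # or the href host is itself a look-alike domain.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for href, text in re.findall(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        link_host = urlparse(href).hostname or ""
        shown = re.search(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", text, re.I)
        if shown and not same_site(link_host, shown.group(0)):
            findings.append(("link-text", f"text says {shown.group(0)} but link goes to {link_host}"))
        imitated = lookalike_of(link_host)
        if imitated:
            findings.append(("link", f"{link_host} imitates {imitated}"))

    # Red flag: attachment type the mail server should have blocked.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(BLOCKED_EXTENSIONS):
            findings.append(("attachment", name))
    return findings


def sample_message():
    """Constructed phishing-style message for the demo; not a real message."""
    m = EmailMessage()
    m["From"] = "HR Benefits <benefits@uprnc.edu>"  # 'rn' masquerading as 'm'
    m["To"] = "employee@upmc.edu"
    m["Subject"] = "Mandatory COVID-19 testing: action required"
    m.set_content("Open the attached form and confirm your details.")
    m.add_alternative(
        "<p>Confirm your details at\n"
        '<a href="http://cdc-gov-testing.example/login">www.cdc.gov</a>\n'
        "before Friday.</p>",
        subtype="html",
    )
    m.add_attachment(b"PK\x03\x04", maintype="application", subtype="zip",
                     filename="testing_form.zip")
    return m.as_string()


if __name__ == "__main__":
    for kind, detail in analyze(sample_message()):
        print(f"[{kind}] {detail}")
```

Running the script on the constructed message reports the sender domain as an imitation of upmc.edu, the link text/target mismatch, and the zip attachment. The homoglyph folding and the one-edit threshold are heuristics: a legitimate domain that happens to contain “rn” or differ from an allowlisted one by a single character will be flagged too, so in practice this belongs in a mail gateway that quarantines for review rather than one that silently drops.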
