Legal Update, January 2024

Legal Team Update: Beware! Scammers Steal Funds from Department of Health and Human Services (HHS) Grant Recipients
by Elizabeth “Issie” Karan, Karan Legal Group, Hemophilia Alliance Legal Counsel

Last week, news outlets reported that hackers gained access to the Payment Management Services (PMS) system utilized by HHS to process civilian grant payments and, from late March to mid-November, these hackers withdrew about $7.5 million intended to be awarded to five accounts. According to anonymous sources, the hackers have not been identified by federal authorities and the intended grantees still have not received their awards.

We regularly hear from IT experts, including those on the Alliance team like Kiet, that cybersecurity must be a priority for organizations. Yet, the risks still feel abstract and difficult to quantify. The latest attack on the government brings the chickens home to roost for Hemophilia Treatment Centers Regional grantees who utilize PMS to draw down grant funds.

HHS’s Office of Information Security and the Health Sector Cybersecurity Coordination Center (HC3) report that ransomware and data breaches were the most common cyberattacks in health care and that they often begin with a successful phishing attempt. Additionally, artificial intelligence has made these phishing attempts more effective.

In the most recent attack, HHS determined that the hackers got into the grantees’ domain email accounts and used spearphishing emails to target specific individuals or organizations. The attacks worked, and the hackers were able to trick US payment staff into providing access to the grantees’ PMS accounts. Because the hackers were posing as actual users, the government sent them the money, believing they were the legitimate grant recipients.

HC3 provides recommendations for health care organizations to protect against cyberattacks.

  • First, security begins with ensuring that your mail server is configured to filter unwanted e-mails. These filters will not prevent all phishing e-mails, but they should reduce some unwanted traffic.
  • Second, end users should be periodically trained on themes emerging in phishing e-mails, such as references to an invoice (and related attachment), requests for personal information, offers of coupons and discounts or even government refunds.
  • Third, HC3 highly recommends multi-factor authentication.
  • Finally, security software should be employed where possible.

If your HTC is concerned about its cybersecurity, please reach out to the Alliance team for assistance.
