On November 18, 2022, the U.S. Department of Justice (DOJ) announced charges against 10 defendants in its first coordinated action against individuals using business email compromise (BEC), money laundering, and wire fraud schemes to target Medicare, Medicaid, private health insurers, and other victims. The DOJ alleged that the defendants posed as business partners by using spoofed email addresses, bank account takeovers, and other fraudulent methods to deceive five state Medicaid programs, two Medicare Administrative Contractors, and two private health insurers into making payments to the defendants and their co-conspirators instead of depositing reimbursement payments into hospital bank accounts. The alleged schemes resulted in more than $4.7 million in losses to Medicare, Medicaid, and private health insurers, and $6.4 million in losses to other federal government agencies and others.

We recommend that health care providers do the following to ensure that they are not the next victims of a BEC scam:

  • Reinforce employee security awareness education and training to help employees recognize suspicious messages and react appropriately.
  • Assess the company’s technical controls to help stop phishing attacks.
  • Review the company’s policies and procedures to prevent wire transfer fraud such as requirements related to verifying the authenticity of a request to transfer money or update bank account information.