Keep Donation Scams Out of Healthcare

After a natural disaster or tragic event, when people are reeling from the devastating impact, members of the public are eager to do whatever they can to assist by making a donation. All too often when tragedy strikes, the public also needs to be alert for scams that prey on their sympathies in order to steal personal information and funds intended for relief efforts.

Scammers fraudulently collect sensitive information and steal donations by creating fake charity websites and fake social media accounts (e.g., on Facebook and Twitter), and by sending phishing emails, all asking for donations.

These fake websites will usually do one of two things:

  1. Ask for a credit card number in order to steal donations; and/or
  2. Infect your electronic device with malicious software (malware) that can extract sensitive information (passwords, usernames, or account numbers) that is subsequently used to commit fraud.

Always be cautious when responding to any unsolicited incoming e-mail or text message. Clicking links or downloading files contained in those messages may expose you to viruses or other malware (including ransomware) that could steal your personal information and/or harm your computer or other electronic device.

To combat the threat from this type of scam, HIPAA Covered Entities (CEs) and Business Associates (BAs) should consider training staff on the following practices:

  1. Never allow remote access to your computer unless such access is known to be legitimate, the requestor’s authenticity can be verified (e.g., by calling your IT Help Desk to confirm the identity of IT support personnel requesting remote access to perform maintenance), AND the session is done over a secure connection.
  2. Do not trust unsolicited phone calls, emails, or texts – be suspicious and ask questions.
  3. Hang up the phone if you are suspicious of the caller. Do not trust Caller ID to be accurate; scammers almost always spoof an innocent third party’s phone number.
  4. Be suspicious of requests for personal information over the telephone, by email, or by text.
  5. Do NOT download and install unknown software or purchase unsolicited online services.
  6. Do not connect unknown devices or USB drives.
  7. Verify the identity of the caller directly with CE or BA officials, or with the company the caller claims to represent, using contact details you already have rather than those supplied by the caller.
  8. Record the caller’s information if you suspect a scam and report it in accordance with your organization’s policies and procedures.

Covered Entities and Business Associates need to understand that patients are entrusting them with their most private and intimate details, and patients expect those details to remain secure.

Besides, it is YOUR practice, YOUR patients, YOUR reputation and YOUR legacy! Why are you leaving yourself wide open to such risks?

Don’t know where or how to start or update your HIPAA security compliance training? Let’s chat about your compliance program – schedule a call with HIPAA alli today!