Bottom line for executives: Treat every cyber incident as the start of a fraud surge. Fund a 90‑day response that pairs CPG/HICP controls with fast fraud countermeasures: identity‑protection enrollment, claims‑anomaly detection, and scam‑call deflection. Measure it weekly with a watchboard and close device and vendor gaps that extend outage and fraud risk.
Connect breach to fraud: intrusions drive PHI/PII exposure, medical ID theft, false billing, and AI‑voice scams. Plan controls and communications as one program.
Standardize on HHS CPGs + 405(d) HICP with minimums for small orgs and advanced controls for regional systems and payers.
Close device risk: apply the medical device incident playbook and #StopRansomware mitigations; stage isolation and restore paths for imaging/infusion.
Equip beneficiaries: simple steps to stop AI‑voice imposters, verify EOBs, and report suspected Medicare fraud quickly.
Run a Fraud Surge Watchboard: time‑to‑notify, identity‑protection enrollment, claims anomaly spikes, scam‑call deflection, tabletop cadence, device patch SLAs.
Set legal/reporting posture: HIPAA/OCR basics, FBI/CISA engagement, and consumer‑safe communications that do not aid impersonators.
Distribution and Authority-Building Plan
Executive social: Publish this article on Anastasia Rychkova’s LinkedIn with a substantive post that tags HHS, CISA, and FTC, and poses a question on fraud surge measurement.
Content repurposing: Week 1: publish the article. Week 2: share the Kill Chain infographic. Week 3: webinar on 2026 predictions. Week 4: LinkedIn carousel from the Consumer Action Card.
Targeted outreach: Pitch to healthcare cyber reporters and newsletters. Aim for 1 to 2 high-authority backlinks to cement topical authority.
Why fraud surges after a breach
Large healthcare breaches expose identity data and care details that criminals weaponize for medical identity theft, false billing, and social engineering. From 2005 to 2019, U.S. providers reported 2,244 healthcare breaches exposing 180.6 million records, with hacking the primary cause of exposed health records, underscoring how stolen data seeds downstream fraud and abuse hacking as the leading exposure driver.
Operational harm is not theoretical. Cyberattacks have disrupted clinical systems across the sector, with research documenting widespread care interference and risk to patient safety during incidents attacks interfering with hospital networks and care. In 2024, the Change Healthcare attack demonstrated how a single event can disrupt verifications, claims, and reimbursements at national scale, causing economic harm across care delivery blocked insurance and reimbursement workflows.
Regulators recognize the trend. HHS’s Office for Civil Rights (OCR) opened a HIPAA compliance investigation into the Change Healthcare cyberattack and has emphasized the growth of large hacking and ransomware incidents in its breach reporting OCR investigation announcement. OCR’s separate public updates further clarified HIPAA questions for affected entities after the incident HIPAA FAQs on the incident.
From the Strategist’s Desk: Translating Controls into Financial Risk
Frameworks set the floor. The execution gap we see most often is threat translation. CISOs discuss technical risk. Boards allocate capital to mitigate financial risk. A mature plan converts a CPG control like network segmentation into a quantified reduction of revenue-at-risk for radiology, oncology, and scheduling, with time-bound recovery objectives.
In practice: model a ransomware outage on a radiology PACS that drives a daily revenue loss. Show how segmentation, offline backups, and restore drills cut outage duration from days to hours. Tie that delta directly to avoided lost revenue and reduced overtime costs. That is the language that accelerates funding and closes control gaps.
The post-breach fraud kill chain: where leaders can break it
The Change Healthcare attack provides a public, evidence‑based playbook: timelines and scope confirm the incident’s reach and knock‑on effects incident timeline and scale and functions impacted.
Post‑Breach Fraud Kill Chain
- Medical ID theft and false claims
- AI-voice impersonation of hospitals, payers, or “Medicare”
- Account takeover of portals and payer accounts
Intrusion and persistence in enterprise or vendor environment
Data staging and exfiltration (PHI/PII/claims)
Public leak or criminal sale of datasets
Downstream fraud and abuse:
Medical ID theft and false claims
AI‑voice/phone impersonation (hospital, insurer, “Medicare”)
Account takeovers of patient portals and payers
Remediation and recovery
Enterprise controls that matter in 2025
Impact vs Effort: Where to act first
- Network Segmentation
- Backups & Recovery
- Identity & Access (MFA, privileged access)
- Medical Devices (lifecycle hardening)
- Threat Monitoring (24x7 + exfil analytics)
Standardize on HHS CPGs + 405(d) HICP
HHS issued Healthcare and Public Health Cybersecurity Performance Goals (CPGs) to help the sector prioritize high‑impact practices, aligned with existing frameworks and programs HHS CPGs policy notice. The 405(d) Health Industry Cybersecurity Practices (HICP) is HHS’s “how‑to” guide with practical volumes for organizations of all sizes HICP cornerstone and HICP main guide.
Minimal‑viable set (small/rural or resource‑constrained)
Multi‑factor authentication, privileged access control, and unique admin accounts (HICP: Identity & Access; CPGs priority items) identity and access practices.
Daily offline/immutable backups and tested restores; network segmentation for critical apps backup and segmentation practices.
Email/web filtering; endpoint protection with tamper protection; patch critical vulnerabilities quickly threat‑driven controls.
Incident response playbooks and a single hotline to escalate suspected ransomware/phishing IR playbook guidance.
Foundational security awareness training via 405(d) Knowledge‑on‑Demand modules 405(d) program resources.
Advanced set (regional systems and payers)
Zero Trust segmentation (user, device, app), continuous authentication, and adaptive access HICP 2023 updates including Zero Trust.
24x7 monitoring with endpoint detection and response; behavior analytics for exfiltration; deception controls monitoring practices.
Third‑party risk management with data‑flow maps, least‑privilege connectivity, and contractual breach runbooks vendor risk and data flow.
Rapid notification and fraud‑mitigation communications templates aligned to HIPAA requirements and scam‑prevention guidance OCR HIPAA FAQs for incident communications.
Secure imaging/infusion and broader device ecosystems
Clinical devices require lifecycle hardening and incident readiness. Use the medical device cybersecurity incident playbook to define roles (clinical engineering, IT, vendors), network isolation steps, and safe restore paths for imaging and infusion technologies medical device incident playbook. Sector analyses also show device security lags other practices, so closing this gap should be prioritized in 2025 hospital cyber resiliency landscape analysis.
Act on FBI/CISA/HHS #StopRansomware advisories
Patch known exploited vulnerabilities, enforce MFA, and segment RDP/remote admin; monitor C2/exfiltration patterns (Royal) Royal ransomware mitigations.
Disable unused remote services, restrict PSExec/remote tools, and tighten credential hygiene (Rhysida) Rhysida mitigation guidance.
Back up offline, validate restore, and implement least‑privilege service accounts (Phobos) Phobos ransomware mitigations.
Remove non‑essential applications and harden attack surfaces as part of pre‑attack hygiene (Hive) Hive advisory recommendation.
Pair these steps with free federal services (e.g., scanning and assessments) to improve readiness before the next blast radius event federal cybersecurity services available.
Consumer‑grade protections: Plain English
Stop AI‑voice robocalls and impersonation
New federal rules give enforcers stronger tools against government and business impersonation. The FTC’s impersonation rule took effect April 1, 2024, outlawing deceptive use of official emblems and spoofed .gov identities and enabling monetary relief impersonation rule in effect and what the rule forbids. The agency also proposed extending protections to cover impersonation of individuals amid AI‑driven scams proposed protections for AI impersonation of individuals. Research shows people struggle to detect cloned voices, so skepticism is essential-even when a voice sounds familiar difficulty detecting AI voice clones.
Do not trust caller ID; it can be spoofed. Hang up and verify independently via a known, official number or portal caller ID can be faked verify independently. FCC rules likewise prohibit caller ID spoofing and require caller ID authentication and robocall mitigation by carriers. Scammers often use urgency or fear; pausing to verify aligns with FTC guidance on how to avoid a scam.
Where to report Medicare fraud and why EOB review matters
Review your Medicare claims regularly and set up secure online access to spot unfamiliar charges quickly Medicare online account. If you see a charge you don’t recognize, contact the provider, then report suspected fraud report suspected Medicare fraud. Be aware of spoofed calls pretending to be the OIG hotline; the OIG does not place outgoing calls from that number OIG hotline spoofing warning.
Consumer Action Card: Do this today
Do not trust caller ID. Hang up. Call back using the number on your card or statement.
Never share your Medicare Number, Social Security Number, or bank details with unexpected callers.
Check your Medicare Summary Notice or EOBs monthly; question anything you do not recognize.
Report suspected fraud: 1-800-MEDICARE (1-800-633-4227) and 1-800-HHS-TIPS (1-800-447-8477).
Case study: Change Healthcare (2024) and breach‑to‑fraud pathways
On February 21, 2024, Change Healthcare sustained a major cyberattack that disrupted clearinghouse operations nationwide, affecting claims processing and eligibility transactions used by providers and payers confirmed incident date and sequence. Public materials describe the breadth of impacted functions and emphasize the need for sector-wide preparedness scale of disruption. OCR opened a HIPAA compliance investigation into the incident and issued public materials clarifying obligations for affected entities OCR investigation announcement and HIPAA FAQs for the incident.
To stabilize care delivery and cash flow for providers, federal guidance and industry communications urged flexibility on prior authorization and advance funding from payers while systems were restored temporary payer flexibilities and provider stabilization resources.
Mitigation checklist (what to lift‑and‑shift into your plan)
Map critical dependencies on clearinghouses and intermediaries; pre‑stage manual workflows for eligibility, prior authorization, and claims.
Trigger patient‑facing communications that warn about imposter calls and direct beneficiaries to official channels and numbers rules against impersonation.
Stand up a fraud‑and‑abuse surge cell (SIU, compliance, analytics) to watch for claim anomalies related to leaked data.
Coordinate with federal partners for reporting and technical assistance; pre‑load contacts and escalation paths law‑enforcement and CISA contacts.
Apply #StopRansomware mitigations (MFA everywhere, RDP hardening, rapid patching, offline backups, PSExec restrictions) representative mitigation set.
CPG/HICP control heatmap
Use this quick view to set priorities, then drive to closure via an accountable 30/60/90‑day plan.
| Domain | Maturity | Next actions |
|---|---|---|
| Identity & Access | Basic | Enforce MFA for all admins and remote access; remove shared accounts HICP identity controls. |
| Backups & Recovery | Intermediate | Immutable storage, quarterly restore tests, app-level recovery runbooks resilience practices. |
| Network Segmentation | Basic | Segment EHR, imaging, and payment flows; block east-west RDP segmentation guidance. |
| Threat Monitoring | Intermediate | 24x7 alerting, exfiltration analytics, tabletop on data-theft scenarios monitoring and IR. |
| Medical Devices | Basic | Network isolation patterns, vendor patch SLAs, device incident playbooks device incident playbook and adoption gap evidence. |
Fraud Surge Watchboard: Metrics that make leaders accountable
| KPI | Definition | Accountable Owner | Target |
|---|---|---|---|
| Time to notify | Hours from confirmation to first alert sent to patients, providers, and payers | CISO + Communications | ≤ 24 hours |
| % patients enrolled | Eligible beneficiaries offered and enrolled in identity and credit protection | Compliance + Patient Access | > 60% in 30 days |
| Claims anomaly spikes | Alerts per day for out-of-pattern providers, services, or geographies post-breach | SIU + Analytics | Detect in < 24 hours |
| Scam-call deflection | Percent of suspected imposter calls blocked or deflected at contact centers | Contact Center Ops | > 90% |
| Tabletop cadence | Ransomware and data-theft exercises; remediation tasks closed | CISO + COO | Quarterly |
| Device patch SLA | Percent of high-risk devices patched or mitigated within policy; isolation time for exceptions | Clinical Engineering | > 95% on time |
Legal & reporting posture
| Scenario | Who / Purpose | Link |
|---|---|---|
| Cyber intrusion (enterprise) | FBI/CISA coordination and evidence preservation | FBI/CISA reporting and contacts |
| HIPAA breach obligations | OCR FAQs and communications guidance | OCR HIPAA FAQs reference |
| Beneficiary fraud or suspicious claims | OIG centralized fraud reporting | report suspected Medicare fraud |
| EOB/MSN review and account security | Medicare online access to verify charges | Medicare online account |
| Impersonation and caller ID spoofing | Consumer‑safe guidance to verify independently | caller ID can be faked verify independently |
Coordinate incident reporting with federal partners and your regulators. Escalate via established 24/7 FBI and CISA channels for urgent coordination and evidence preservation FBI/CISA reporting and contacts.
OCR maintains HIPAA guidance and FAQs related to large incidents and breach obligations; ensure your legal team tracks updates relevant to breach notification and delegated communications OCR HIPAA FAQs reference.
What not to say (to avoid fueling fraud)
Do not publish unverified call‑back numbers; always point patients to official, previously known channels.
Do not disclose full data elements (e.g., complete SSNs, Medicare Numbers) in notices; minimize details.
Do not speculate on threat‑actor identity, stolen datasets, or timing; communicate facts and next steps.
Do not instruct patients to respond to inbound calls; advise them to initiate contact using known numbers.
30/60/90‑day implementation plan
Day 0-30: Contain and communicate
Enable MFA for all admins and external access; close unused remote services; apply emergency patches immediate mitigations.
Stand up a fraud surge cell (SIU/compliance/analytics) and activate the Consumer Action Card across channels impersonation safeguards to message.
Map clearinghouse and vendor dependencies; pre‑stage manual claims/eligibility workflows disruption lessons learned.
Enroll affected patients in identity protection; publish how to verify and report suspected Medicare fraud EOB/MSN review online and OIG fraud reporting.
Day 31-60: Shore up controls and devices
Implement network segmentation for EHR, imaging, and payment flows; block lateral RDP and restrict PSExec lateral movement mitigations.
Harden medical devices: inventory high‑risk systems, isolate, and align patch SLAs with the device incident playbook device response playbook.
Adopt HICP priority practices and train staff using 405(d) resources; measure adoption against the heatmap HICP resources.
Integrate FBI/CISA/HHS advisories into patch and detection pipelines; validate offline/immutable backup restores backup and recovery guidance.
Day 61-90: Operationalize and audit
Run a full ransomware/data-theft tabletop; close action items; set a quarterly cadence incident response practice.
Embed the Fraud Surge Watchboard in executive reviews; set targets for call-center deflection and claims anomaly detection.
Assess third-party risk for clearinghouses and critical vendors; require minimum controls and breach runbooks vendor risk controls.
Publish and rehearse consumer-safe communications templates that reduce impersonation risk impersonation risk reduction.
90-Day Execution Snapshot
For boards and executives: What “good” looks like
Loss-avoidance calculator (use in quarterly reviews)
- Quantify daily revenue at risk per critical service (e.g., EHR, PACS, scheduling).
- Model outage duration with and without controls (segmentation, offline backups, restore drills).
- Compute avoided loss: (Outage_without - Outage_with) × Daily_revenue_at_risk.
- Add cost offsets: overtime reduction, third‑party workarounds avoided.
- Track quarterly: controls funded vs. avoided loss trend. Use the Fraud Surge Watchboard targets as thresholds.
Controls: CPG/HICP adoption mapped to business services; device isolation plans rehearsed; third‑party runbooks tested.
Signals: Early detection of claims anomalies post‑incident; consumer scam‑call deflection trends moving in the right direction.
Assurance: Immutable backup restore drills; tabletop exercises with regulators’ expectations in view; law‑enforcement liaison ready established reporting channels.
Community: Publish beneficiary‑safe scripts and numbers; train contact centers to avoid reinforcing impersonation tactics impersonation prohibitions.
Future Outlook: 2026 Predictions
AI vs AI in fraud analytics: Payers and large providers will deploy defensive AI to detect abnormal claim patterns and synthetic member-provider relationships generated by adversaries using generative tools. Expect tighter human-in-the-loop SIU workflows and model governance tied to explainability.
Voluntary to mandatory: Expect key HHS CPG controls to shift from best practice to auditable requirement for payers and large health systems via contracts, accreditation, and procurement clauses.
Cyber resilience as a financial metric: Insurers and rating agencies will formalize cyber resilience scores. Board-level resilience metrics will influence insurance premiums and the cost of capital.
Conclusion
The sector cannot treat cyber incidents and fraud as separate problems. A breach sets off a cascade from data theft to AI-assisted impersonation to claim abuse that must be countered with a unified playbook. The foundations are available today: HHS CPGs and HICP for prioritized controls, device incident playbooks for clinical safety, joint FBI/CISA/HHS advisories for concrete mitigations, and consumer protections that help every beneficiary avoid imposters and spot false claims. Organizations that operationalize these pieces and measure what matters will blunt financial loss and patient harm in the next surge HHS CPGs, HICP, #StopRansomware guidance, and FTC impersonation protections.
Frequently Asked Questions
What are the first three things a hospital should do after a ransomware attack?
Contain access, protect backups, and communicate. Enforce MFA for admins and remote access, isolate affected networks, validate offline or immutable backups, then issue beneficiary-safe communications that direct patients to official numbers and portals.
Is a healthcare provider liable if their vendor (like Change Healthcare) gets breached?
Vendors may be business associates under HIPAA, but covered entities retain obligations. Liability depends on contracts and facts. Coordinate legal, compliance, and OCR reporting while engaging law enforcement and CISA through established channels.
How can patients tell the difference between a real call from their hospital and an AI voice scam?
Do not trust caller ID. Hang up and call back using a number from your card or statement. Legitimate organizations will not pressure you to share SSNs or payment details on an unexpected call.