Call Us Today! 877-659-2467 contactus@arismedicalsolutions.com

Phishing Prevention for Healthcare

Posted bySuze Shaffer
Phishing scam

Healthcare is one of the most targeted industries for phishing because attackers know the environment is fast-paced, staff are busy, and ePHI is extremely valuable. All it takes is one click on a malicious email to shut down your systems, expose patient data, and put your practice in OCR’s crosshairs.

Phishing is behind most ransomware incidents reported to OCR, and many recent enforcement actions stemmed from preventable, basic phishing mistakes. With proper training, employees can stop the majority of Security Rule violations before they happen.

Below is the top phishing tactics used against medical and dental practices, followed by practical prevention steps aligned with HIPAA Compliance and Security Rule requirements.

1. Email Spoofing & Look-Alike Domains

What it looks like

  • Fake emails appear to come from a doctor, CEO, billing manager, or IT vendor.
  • Domains slightly change (e.g., mayoclinic.com vs mayoclinic.net).
  • “Urgent request” messages: invoice approvals, password resets, or wire transfer requests.

Why it works

Healthcare staff often trust internal names and don’t closely examine sender details.

How to prevent it

  • Enable DMARC, DKIM, and SPF on your email domain.
  • Require multi-factor authentication (MFA) for all email access.
  • Train staff to hover over the sender address before opening attachments.
  • Implement Role-Based Access Controls so fewer people can approve financial or patient-record changes.

2. Malicious Attachments (PDF, Fax, Lab Result, eRx Notice)

What it looks like

  • “Incoming fax” from eFax, RingCentral, or RightFax
  • “New lab results attached”
  • “Updated referral forms – review immediately”

Attachments often contain ransomware droppers or credential-stealing malware.

Why it works

Clinicians and staff open attachments quickly due to workflow pressure.

How to prevent it

  • Deploy email sandboxing (advanced email scanning).
  • Block macros and executable files.
  • Require staff to verify unexpected clinical attachments by calling the sender directly.
  • Maintain current endpoint detection & response (EDR) software.

3. Credential Harvesting / Fake Login Pages

What it looks like

  • Fake Microsoft 365, Google Workspace, EHR, or billing portal login prompts.
  • Emails claim “Your mailbox is full—log in to restore access,” or “Your password needs to be reset.”

Why it works

Providers often keep multiple portals open and may not notice small differences.

How to prevent it

  • Enforce MFA, which stops most credential-theft logins.
  • Train employees not to click on the links within the email.
  • Train employees to check the URL before entering credentials.
  • Use password managers that auto-fill only on real sites.

4. Vendor Impersonation (EHR, Imaging, Billing, Clearinghouses)

What it looks like

  • Fake messages from Athena, eClinicalWorks, Change Healthcare, Kareo, etc.
  • “Urgent update required to prevent claim rejections.”
  • “Your portal access will be disabled unless you verify your account.”

Why it works

Healthcare providers rely heavily on third-party systems and trust vendor branding.

How to prevent it

  • Verify updates by logging in directly and never through email links.
  • Maintain a Vendor Verification Checklist under your HIPAA Security Rule documentation.
  • Require IT department to approve all vendor-related system changes.

5. Business Email Compromise (BEC)

What it looks like

  • A hacked internal account sends messages to other employees.
  • Requests for W-2s, bank changes, ACH updates, or large transfers.
  • Email rules silently forwarding messages to attackers.

Why it works

It comes from a real account and staff trust it.

How to prevent it

  • Require MFA on all accounts.
  • Set alerts for email forwarding rule creation.
  • Use conditional access and login-location alerts.
  • Review account audit logs regularly.

6. “Patient Refund” or “Billing Issue” Scams

What it looks like

  • Fake patient messages: “I was overcharged, please open the attached statement.”
  • Calls followed by phishing emails requesting account verification.

Why it works

Front-desk and billing teams want to resolve patient issues quickly.

How to prevent it

  • Never open unknown attachments claiming to be patient documentation.
  • Require all inbound patient documents to be sent via HIPAA-secure channels only.
  • Train non-clinical staff (front desk, billing, schedulers) since they are the most targeted.

7. Ransomware Delivery via Phishing

What it looks like

  • Fake faxes, statements, or shipping notifications.
  • Attachments disguised as scanned documents.

Why it works

One click can deploy ransomware that halts clinical operations.

How to prevent it

  • Maintain image-based backups (not just data backups).
  • Test your Contingency Disaster Recovery & Emergency Mode Operations Plan quarterly.
  • Ensure all devices are patched and running updated security tools.

8. Social Engineering Phone + Email Combination (“Hybrid Attacks”)

What it looks like

  • A phone call claiming to be from IT followed by an email link.
  • Attackers pretending to be from a lab, insurer, or specialist office.

Why it works

Healthcare workflow relies on phone + fax + email and attackers exploit the mix.

How to prevent it

  • Create a verification protocol for anyone asking for access or information.
  • Maintain a list of trusted numbers for labs, hospitals, and vendors.
  • Train staff never to act on unsolicited “IT support” messages.

Protect Your Organization Before It’s Too Late

HIPAA compliance isn’t a one-time project — it’s an ongoing process. At Aris Medical Solutions, our HIPAA Keeper system simplifies compliance with a cloud-based platform that walks you through each requirement, step by step. From risk analysis to training and documentation, you’ll have everything you need to stay protected, compliant, and audit ready.

Protect your practice — and your patients.


Schedule a free HIPAA checkup today at Aris Medical Solutions. Your HIPAA Compliance Officer will have a HIPAA security analyst to guide and assist them every step of the way.

About Suze Shaffer

Suze Shaffer is the owner and president of Aris Medical Solutions. She specializes in HIPAA compliance, risk management, and cyber security. She believes that by educating her clients in understanding why and what needs to be done to protect their practice they have a better outcome.

Suze has been instrumental in helping clients nationwide with risk management, implementing privacy and security rule policies and procedures, and ultimately protecting patient data. She includes state and federal regulatory requirements to ensure clients are protected in all areas.

She has spoken at numerous conferences and functions. She continues to educate organizations how to minimize the risks of data breaches. HIPAA compliance is not an option, it is mandatory for every organization that comes in contact with protected health information to have reasonable and appropriate security measures in place. Unfortunately, most organizations don’t realize they are not compliant until they suffer a data breach or they are faced with an audit or investigation.

Did you know that the Office for Civil Rights (OCR) is the agency that investigates data breaches? Have you seen the heavy fines that have been imposed for non-compliance?

All 50 states now have their own set of privacy laws and the State's Attorney General may also investigate privacy violations!

View all posts by Suze Shaffer

Share This HIPAA Blog
Data Breach types

Class Action Lawsuits VS Federal HIPAA Laws

November 1, 2025
©2025 Aris Medical Solutions – HIPAA Risk Management | HIPAA Compliance Consultants | All Rights Reserved | Terms and Conditions | Privacy Policy
The content and images on this website is owned by Aris Medical Solutions and their owners. Do not copy any content or images without our consent.
Powered by Bandwise LLC