Understand how we got here — and how to move forward.


May 6, 2019

Scammers targeted Moffitt Cancer Center with 6,600+ robocalls—in just 90 days

Daily Briefing

    Speaking on behalf of several leading health care organizations, the Chief Information Security Officer at the H. Lee Moffitt Cancer Center and Research Institute, last week testified before a congressional committee in a plea to take action to stop spam callers that target hospitals and threaten patient safety nationwide. 

    Check out our new cybersecurity cheat sheet series

    Moffitt, a standalone cancer center based in Tampa, treats more than 60,000 patients each year.

    Congress considers how to crackdown on robocalls

    The testimony was part of a House Energy and Commerce Committee hearing on several pieces of legislation that aim to crack down on scam callers. The legislation under consideration would make it easier for the federal government to punish scammers with heavy fines and push telecommunications carriers to improve caller ID in order to better detect fraud and spam calls.

    A lobbying organization that represents telecommunications companies including AT&T and Verizon said the industry has been working to implement new technology to alert customers to scam calls. "There is no single solution to ending the scourge of robocalls, but progress is being made every day," said Patrick Halley, an SVP at USTelecom.

    Major cancer center fights deluge of scam calls

    However, during his testimony, Moffitt CIO Dave Summitt said those industry changes had not come fast enough. He noted that Moffitt's patients and employees have recently been the target of thousands of robocalls seeking to obtain patient personal information. 

    He outlined three situations that he said "represent the greatest concern for our organization." Those situations include:

    • Calls that appear to originate within the organization but originate elsewhere;
    • Calls from scammers who use numbers that appear to be Moffitt numbers and impersonate Moffitt personnel to obtain insurance or payment information; and
    • "Spear phishing" attacks, where a caller seeks out a specific individual, seeking to obtain private information.

    To illustrate the scope of the problem, Summitt shared call data from recent months. He noted that within a recent 90-day period, Moffitt received over 6,600 external calls that were falsely identified as coming from within the organization. "Our employees see our own number on their caller ID [they] give no thought to answering, only to be speaking with someone with malicious intent," Summit said.

    Summitt also noted the center received more than 400 phone calls over a 30-day period from numbers associated with the District of Columbia.  About half of these calls were from numbers that were supposedly connected to federal agencies. "Some were legitimate, but most were not," Summitt said.

    The ones that were not legitimate were usually "targeting specific individuals to obtain confidential information, a form of spear phishing," Summit explained. "When our employees answered the phone, they were subjected to an urgent request by the caller who self-identified as a [Department of Justice] employee."

    Summitt asked Congress to consider three changes to improve anti-robocall legislation, including:

    • Requiring accurate caller identification;
    • Putting some of the burden and responsibility of cracking down on robocalls back on telecommunications carriers; and
    • Requiring telecommunications carriers work with businesses to investigate and stop malicious activity.

    Moffitt isn't alone

    Moffitt is far from the only health care organization targeted by robocalls. Summitt's testimony was signed by health care organizations across nine states and the Washington, D.C. area, including Yale New Haven Health System and Memorial Sloan Kettering Cancer Center.

    When the robocalls reach health systems and hospitals, they can be "disruptive and potentially dangerous," especially for patients who assume they are speaking to someone trustworthy from the medical center. "In our experience, this activity constitutes a serious threat to patient care, in addition to disrupting business operations and facilitating financial fraud," Summitt said (Romm, Washington Post, 4/30; Summit testimony, 4/30).

    Next, check out our new cybersecurity cheat sheet series

    Want to learn more about what you should be doing in your role? Check out our new cybersecurity cheat sheet series which outline what executives in every role should be doing—and the key questions they should be asking—to help their organizations stay secure.

    Access the Cheat Sheets

    Have a Question?


    Ask our experts a question on any topic in health care by visiting our member portal, AskAdvisory.