Colorado Healthcare Facilities Experience Surge in Suspicious Phone Calls

Surge in Suspicious Calls Targets Colorado Healthcare Entities 

Healthcare organizations in Colorado are experiencing a sudden spike in suspicious, high-volume phone calls. One Colorado healthcare facility reported receiving more than 300 suspicious calls in just two hours.  

The calls—from 205, 833, and 888 area codes—include hang-ups, silence, and general questions about facility operations. These behaviors suggest possible reconnaissance activity or nuisance disruptions intended to affect operational continuity and frontline staff capacity. 

Suspicious Calls Use Known Tactics 

Although these calls alone don’t confirm a targeted attack, they are similar to reconnaissance behaviors commonly seen before more serious intrusions. The call patterns align with several known tactics used in healthcare security threats: 

  • Vishing (voice phishing): Attempts to obtain sensitive or operational information through deceptive phone conversations. 
  • Call flooding: High call volumes intended to overwhelm staff or disrupt normal operations. 
  • Automated robocalls with spoofed numbers: Signs of coordinated probing or data collection efforts. 

Risks of Suspicious Phone Calls in Healthcare 

Attackers use phone-based social engineering to manipulate staff and gain access to sensitive systems, putting patient data and operations at risk. 

  • Data Breach of PHI: Scammers may pose as vendors or regulators to trick employees into sharing patient health information (PHI). Stolen PHI can be sold, used for identity theft, and result in HIPAA violations or reputational damage. 
  • Network Infiltration: Fraudulent callers sometimes persuade staff to install “support tools” or click malicious links, giving attackers remote access to internal systems and enabling ransomware or data theft. 
  • Credential Theft (Impersonating IT): Attackers often claim to be from the IT department, asking for passwords or MFA codes. With stolen credentials, they can access EHRs, email, and internal networks undetected. 

How Healthcare Teams Should Respond 

  1. Educate and alert staff
    Front-line employees should be trained to recognize and report suspicious calls. Reinforce that no operational, patient, or financial information should ever be shared over the phone with unknown callers. 
  2. Document and report unusual activity
    Track call volume, timing, caller IDs, and any recurring patterns. Share this information with your organization’s IT security or compliance team for further investigation. 
  3. Verify caller identities
    Never rely on caller ID alone. If a caller requests sensitive details, hang up and call back using an official number listed on the organization’s website or directory. 
  4. Follow internal incident response procedures
    Treat unusual call patterns as potential security incidents and escalate them through established channels. 
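
One way to turn the tracking in step 2 into a repeatable check, shown as an added example that is not part of the original post: a sliding-window count of inbound calls per area code, with the share of very short calls (hang-ups, silence) reported alongside. The record layout, function names, thresholds, and sample numbers are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def area_code(caller_id):
    """Return the 3-digit area code of a North American number, else 'unknown'."""
    digits = "".join(ch for ch in caller_id if ch.isdigit())
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return digits[:3] if len(digits) == 10 else "unknown"

def find_bursts(records, window=timedelta(minutes=10), min_calls=20, short_secs=5):
    """Alert once per area code when min_calls arrive inside one sliding window.

    Grouping is by area code, not full number, because spoofed caller IDs
    can change on every call. Thresholds are assumptions to tune per facility.
    """
    recent = defaultdict(deque)   # area code -> calls still inside the window
    alerts = {}
    for ts, caller, duration in sorted(records):
        code = area_code(caller)
        calls = recent[code]
        calls.append((ts, caller, duration))
        while calls[0][0] < ts - window:      # drop calls older than the window
            calls.popleft()
        if len(calls) >= min_calls and code not in alerts:
            short = sum(1 for _, _, d in calls if d <= short_secs)
            alerts[code] = {
                "window_start": calls[0][0],
                "alerted_at": ts,
                "calls": len(calls),
                "distinct_caller_ids": len({c for _, c, _ in calls}),
                "short_call_ratio": round(short / len(calls), 2),  # hang-ups, silence
            }
    return alerts

def sample_records():
    """Constructed call log: (timestamp, caller ID, seconds connected)."""
    start = datetime(2025, 1, 1, 9, 0, 0)
    # 30 two-second calls from changing 833 numbers, 15 seconds apart
    burst = [(start + timedelta(seconds=15 * i), f"+1833555{100 + i:04d}", 2)
             for i in range(30)]
    # Ordinary traffic: one local caller, five 3-minute calls across an hour
    normal = [(start + timedelta(minutes=12 * i), "+13035550100", 180)
              for i in range(5)]
    return burst + normal

if __name__ == "__main__":
    for code, alert in find_bursts(sample_records()).items():
        print(code, alert)
```

The alert record carries the fields step 2 asks staff to document (volume, timing, caller IDs), so it can be handed to the IT security or compliance team as-is.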

Other Common Phone Scams in Healthcare 

  • Impersonation scams: Callers posing as DEA agents, government officials, or insurance representatives to demand payment or information. 
  • Fraudulent offers: “Free” medical devices or fake health plan benefits in exchange for personal or financial data. 
  • Caller ID spoofing: Calls that appear to come from trusted sources, including your own organization. 
  • Fake surveys: Attempts to collect sensitive information under the pretense of research or patient feedback. 
  • Callback phishing attacks: This method involves sending phishing emails that entice recipients to call a specific phone number, which appears to be legitimate. Learn more about this type of scam: Callback Phishing Attacks Surge 

Strengthening Healthcare Security 

As social engineering tactics evolve, phone-based scams continue to be a significant and often overlooked security threat in healthcare. By training staff, monitoring suspicious activity, and implementing strong verification processes, organizations can reduce their vulnerability.

Learn How to Recognize Phishing and Vishing Attempts

Your workforce must be well-prepared to recognize and respond to phishing attempts. PrivaPlan can help your organization identify gaps in phishing knowledge with simulated phishing testing and targeted training. 
