Hospital’s fate warns of tax season scams

Tax season scams are underway. On January 25, it was discovered that the tax information of 1,457 hospital employees had fallen into a scammer’s hands in one of the latest W-2 business email compromise attacks. The Gillette, WY-based healthcare system reported that an employee had responded to an email request for the W-2 form data of hospital employees.

According to a statement by Campbell County Health (CCH) CEO Andy Fitzgerald, “Currently, it appears that an unauthorized individual, impersonating a CCH executive, contacted an employee requesting W-2 information for all of our employees who had taxable earnings in calendar year 2016. Unfortunately, before it was determined that the request was fraudulent, the employee provided these files. No protected health information for our employees or our patients was released in this incident.”

The information delivered did include Social Security numbers for CCH employees, who have all been notified and are being offered identity protection services. “We take this matter and the security of personal information very seriously at CCH, and we will continue to review and enhance our security practices to further secure our systems,” said Andy Fitzgerald.

Tax season is a popular time for business email compromise attacks and other tax-related scams. Last year, the Internal Revenue Service issued an alert for e-mail schemes after seeing an approximately 400 percent surge in phishing and malware incidents in the first quarter of 2016 alone. Based on the Wyoming hospital’s unfortunate experience, it appears scammers are not going to take this tax season off.

To help minimize the threat that this type of targeted email phishing presents, PrivaPlan’s President David Ginsberg recommends the following activities:

1) Remind your financial team and key managers to be on the lookout for suspicious emails.

2) Train staff on how to spot a phishing email, such as hovering over a link until the URL appears.

To find out how the HIPAA experts at PrivaPlan can assist you with phishing testing, and the many other services we provide, contact us at or call 877-218-7707.

PrivaPlan Associates, Inc. is the authority in HIPAA Privacy and Security Rule Compliance, offering a wide array of products and services, including guidance on HIPAA Privacy and HIPAA Security, HIPAA Training, Meaningful Use Consultation, Security Risk Assessments and much more.
