Callers seek fraudulent access to sensitive practice information

Here’s how not to fall for the scam

Dental practices are reporting to Henry Schein Practice Solutions that they have received calls from an individual who poses as a company employee and then asks for remote access to the office servers. The company stated in late January that, according to the practices, the callers gave multiple reasons for their calls, such as problems with computer system backups, viruses and hardware failures, before requesting access to the system.

Such calls are a type of phishing scam, a form of internet fraud whereby scammers pretend to be key personnel or set up look-alike websites and emails to fool individuals into providing sensitive information such as passwords, access codes, patient account numbers or Social Security numbers. With this information, scammers can then steal information and profit from its sale. Dentists and health care providers are increasingly targeted by these scammers who rely on individuals’ lack of awareness and preparation for such schemes.

To help dentists avoid falling for this scam, CDA Regulatory Compliance Analyst Teresa Pichay advises that they “train staff to verify a caller’s credentials and information before providing practice information to the individual.”

Similarly, the Federal Trade Commission in “Protecting Personal Information: A Guide for Business” emphasizes the importance of appropriate and periodic employee training in safeguarding the data of patients, customers and employees. 

“Your data security plan may look great on paper, but it’s only as strong as the employees who implement it,” states the guidance, which goes on to recommend employees be trained to spot vulnerabilities. Specifically addressing fraudulent calls, the guidance recommends that employers or trainers do the following:

Warn employees about phone phishing. Train them to be suspicious of unknown callers claiming to need account numbers to process an order or asking for contact information. Make it office policy to double-check by contacting the company using a phone number you know is genuine.

The FTC also advises businesses of every type to warn employees about possible calls from identity thieves who impersonate IT staff in an attempt to gain access to passwords or other sensitive information. “Let employees know that calls like this are always fraudulent, and that no one should be asking them to reveal their passwords,” the guidance states.

Henry Schein responded to the reports it received by recommending that its customers follow several FTC-recommended practices, such as verifying the identity of every caller and not providing sensitive information to unexpected and unknown callers. The company further recommended that recipients of suspicious calls “gather information, such as the person’s name, company and/or employee ID#,” take down the phone number and provide it, along with other information gathered, to Schein.

Taiba Solaiman, risk management analyst at The Dentists Insurance Company, also advises dentists that they should be aware of and appreciate the impact staff members have on their overall liability. “It’s essential that dentists be proactive and train staff on what guidelines and protocols they must follow in order to reduce professional liability risks associated with their practice.”

Find the FTC guidance referenced in this article along with additional guidance on data security.
