Through a series of phishing schemes, hackers defrauded the Department of Health and Human Services out of $7.5 million in civilian grant payments throughout most of 2023, forcing the intended beneficiaries to wait longer to collect their awards while investigators work to identify the culprits.

Between late March and mid-November of last year, the hackers targeted and manipulated the Payment Management System used by HHS to withdraw millions of dollars in funds meant for five grantees, including money earmarked for rural communities and underserved patients, said people familiar with the matter to Bloomberg News. The sources requested anonymity as the information is not public.

In at least one attack, the perpetrators infiltrated the domain email accounts of five grantees and used spearphishing emails to target and trick specific individuals into providing them access to the actual grantees’ accounts, according to the news outlet, Information Security Media Group. Once they had access, the hackers deceived the payment system into believing they were the beneficiaries, ensuring that it transferred the funds to them.

"This matter has been referred to the OIG. As federal stewards of the taxpayer dollar, we take this issue with the utmost importance,” an HHS spokesperson told Information Security Media Group.

According to Bloomberg’s sources, the incidents were not initially reported as cybersecurity breaches, creating a false impression to the government of just how high a risk they posed, a fact that reportedly has frustrated President Joe Biden.

Along with other government sectors, the Executive Office of the President and the U.S. Agency for International Development use the same payment system, raising concerns about their security, especially since the risk of attacks by sophisticated threat actors has gone up amidst the current geopolitical turmoil.

Back in October, HHS’ Health Sector Cybersecurity Coordination Center issued a warning that AI-enabled phishing schemes are on the rise in the health sector, especially by those seeking financial awards by capitalizing on sensitive patient data.

Earlier this month, the American Hospital Association disclosed that IT help desks in hospitals were being contacted by foreign-based threat actors using stolen personally identifiable information of employees to answer security questions and tactics to bypass multi-factor authentication protocols to gain access to employee email accounts and other applications.

“This scheme once again demonstrates how our cyber adversaries are quickly evolving their tactics to defeat technological cyber defenses through social engineering schemes,” said John Riggi, AHA’s national advisor for cybersecurity and risk, in a statement.

Due to the theft at the HHS, intended grantees are currently unable to collect their awards. While most details about the grants and recipients are still under wraps, about $1.5 million was to go to the Health Resources & Services Administration, which provides care to underserved communities, including patients in rural areas, those in need of transplants, pregnant, and with HIV.

Authorities, including HHS’ Office of Inspector General, have not yet identified the perpetrators. The FBI and Department of Homeland Security have also been notified.

Health IT Homepage