
CMS, FBI warn healthcare entities about fraud, phishing scam

Criminals are impersonating health insurers and sending fraudulent fax requests for medical records and documentation as part of an ongoing phishing scam, the FBI and CMS warned.

The FBI and CMS each issued alerts to warn healthcare organizations and the public of ongoing fraud schemes and phishing scams. The agencies have observed criminals impersonating legitimate health insurers and their investigative team members to extract sensitive information from patients.

"These criminals are sending emails and text messages to patients and health care providers, disguising them as legitimate communications from trusted health care authorities," the FBI said.

"The messages are designed to pressure victims into disclosing protected health information, medical records, personal financial details, or providing reimbursements for alleged service overpayments or non-covered services."

The FBI encouraged individuals to be suspicious of unsolicited emails, texts and calls and use strong passwords for all accounts. Additionally, the FBI said that patients should always contact their health insurance providers directly to verify the legitimacy of any messages.

CMS stated that it has also observed a fraud scheme targeting Medicare suppliers and providers. The scammers have been sending phishing fax requests for medical records and documentation, claiming to be conducting a Medicare audit.

"CMS doesn't initiate audits by requesting medical records via fax. Protect your information. If you receive a suspicious request, don't respond," CMS stated. "If you think you got a fraudulent or questionable request, work with your Medical Review Contractor to confirm if it's real."

The alerts come on the heels of several cyberattacks against insurers, including a June 2025 cyberattack against Aflac by Scattered Spider cyberthreat actors and another against Erie Insurance.

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.
