Fax-Based Phishing Attempts on the Rise

Several HealthTeam Advantage provider practices have recently received, and responded to, fraudulent fax requests for patient medical records. These faxes appeared to come from a well-known national pharmacy chain but were later determined to be spoofed. After records were released, the information was misused to order and bill for unauthorized orthotic or durable medical equipment (DME) items. 

This is a reminder to your Medical Records / Health Information Management (HIM) teams to carefully verify all requests for Protected Health Information (PHI) before releasing records. 

Red Flags to Watch For

• Faxes labeled “Urgent,” “Immediate Action Required,” “CMS Audit,” or other pressure-based language. 
• Faxed requests that contain grammatical errors, incomplete sentences, or unusual phrasing. 
• Requests that do not match your normal workflow, are from unrecognized senders, or do not include a clear purpose of use. 
• Missing or suspicious contact information, such as toll-free numbers with no direct extension. 

What You Can Do

Verify the request.

• Use a known, independently sourced phone number for the requesting entity. 
• Do NOT use the phone number provided in a suspicious fax. 
• Ensure the request meets HIPAA’s verification and minimum necessary standards. 

Educate your team.

• Share the attached “Urgent Fax Request” example with Medical Records / HIM staff. 
• Reinforce how to identify potential phishing attempts — whether by fax, email, or phone. 

Report promptly.

• Instruct staff to report suspected phishing attempts to your internal Privacy or Security Office immediately. 
• If PHI is disclosed, follow your incident response and breach notification procedures, including notification to required agencies as applicable. 

If you have any questions or would like help validating a medical records request, please call your Provider Concierge at 844-806-8217, option 5.