Published April 23, 2014
Tax fraud is a growing problem, with the IRS estimating that it’s become a $4 billion-plus industry, and a new report suggests a large number of physicians are finding themselves victims.
KrebsOnSecurity, a cybersecurity blog run by Brian Krebs that first broke Target’s massive data breach last year, reports there has been a spike in tax fraud occurrences against medical professionals this year, prompting speculation that there has been an unannounced data breach at a national organization that either certifies or provides credentials for physicians.
Krebs reports that the New Hampshire Medical Society has heard from 111 doctors, physician assistants and nurse practitioners claiming to be tax fraud victims. Similarly, the North Carolina Medical Society has reported fraud incidents among 100 individual doctors and medical practice managers, and the Maine Medical Association has reported more than 30 instances of tax fraud with its members, the report states.
Krebs says a larger scale breach is purely speculation at this point, but says anecdotal evidence hints there are more instances of tax fraud in the medical community this season than in the past.
“In these cases, [fraudsters] were basically hitting the doctors and administrators, so the back-office folks didn’t see the fraud,” he says. “This suggests that these attackers got information that is specific to these doctors.”
Doctors are a more lucrative target for tax fraud, Krebs says, because they likely get higher tax returns due to their income levels. “There’s potentially more money. Also, if they have access to physicians’ previous taxes, it’s easier to get that return approved.”
Doctors’ offices, once infiltrated, have a wealth of customer data as well, he adds. “All of these are sole practices, so they may have two or three doctors, but they have a ton of information about customers. They have dependent information as well, so they have a whole package that is needed to convincingly file tax returns.”
Adam Levin, president and co-founder of Identity Theft 911, says tax fraud is low risk and can bring a major return.
It’s common for criminals to file fraudulent tax returns early in the tax-filing season since whoever files first gets the refund. It’s not until the second (and often real) tax return is filed that the IRS flags duplicate returns.
“It’s simple, because tax fraud is an easy crime to commit for big money,” he says. “You can do it from your living room, in your bathrobe and socks, hit send and hope you get there first.”
Levin agrees a large-scale breach is a logical assumption due to the widespread trend.
“This also coincides with Heartbleed,” Levin says, referring to the OpenSSL bug that was discovered by Google (GOOG) researchers earlier this month. The vulnerability allows hackers to request information including usernames and passwords to gain access to other personal identifiers. “Using that Heartbleed vulnerability, they may have been able to more easily access a database.”
Another potential source of exposure could be the recent release of government records showing Medicare payments to 880,000 medical providers across the country, the experts say. The Centers for Medicare and Medicaid Services listed the National Provider Identifier (NPI) number for each doctor.
“Just because that information has been available for years through various sources doesn’t mean the bad guys paid attention to it,” Levin says. “Now it’s all available in one spot.”