A tax fraud gang appears to be targeting a large number of healthcare and senior living organizations that all use the same vendor for payroll and HR services. KrebsOnSecurity previously covered this gang’s criminal activity in April, when they encountered a Web-based control panel the gang used to track tax returns they filed “on behalf” of unknowing victims (Read the details here).
The control panel that was discovered included the personal information of employees whose employers all used the same third-party payroll service provider, Ultimate Software. Ultimate Software, based in Weston, Florida, provides an online HR and payroll solution, Ultipro. The criminals appear to have stolen the credentials of the companies’ human resources managers, who managed employee payroll and benefits.
In what KrebsOnSecurity called “an increasingly common scheme,” hackers are targeting companies’ Human Resources departments to gain access to the personal information of employees needed to file fraudulent tax returns with the IRS.
According to KrebsOnSecurity’s recent post, Plaintree Inc. and Griffin Faculty Practice Plan were two of the organizations targeted by the gang. Both of these companies are subsidiaries of Griffin Health Services Corp., a Connecticut-based company that runs Griffin Hospital, a 160-bed acute care community hospital located in Derby, Conn. In addition to Griffin Hospital, the gang appears to have targeted several assisted living facilities for seniors, including SL Bella Terra LLC, which operates assisted living facilities in 7 states, and Swan Home Health LLC in Wisconsin, which operates facilities in 20 states.
While the exact number of potential victims is unknown, the gang’s activity appears to be widespread and focused on healthcare organizations. We previously covered a similar data breach at the University of Pittsburgh Medical Center, in which the personal and financial information of employees, as well as their W-2 forms, was accessed without authorization and, in some cases, used to fraudulently file tax returns in the employees’ names and open new bank accounts.
Safeguarding patient privacy is obviously (and rightfully) a top concern of healthcare IT departments. Perhaps it is time for these departments to devote equal attention to the human resources infrastructure in order to safeguard payroll, tax and other financial systems as well.