The Curious Case of Phishing via Fax in Modern Healthcare

When the “Medicare audit request” arrived by fax at medical practices across the country last month, everything looked official – government letterhead, case numbers, urgent deadlines. Office managers were already preparing the requested patient files when some noticed something odd about the callback numbers.

The documents were fake, according to a warning issued by the American Hospital Association. Criminals are exploiting healthcare’s continued reliance on fax machines by impersonating Medicare officials and requesting sensitive medical records through fraudulent transmissions.

Source: "CMS warns of phishing fax scheme; AHA monitoring other reported social engineering schemes" (AHA News, www.aha.org): "The Centers for Medicare & Medicaid Services today announced it has identified a fraud scheme targeting Medicare providers and suppliers."

The Centers for Medicare & Medicaid Services (CMS) alerted healthcare providers about this sophisticated scheme where scammers send official-looking fax requests claiming to be part of Medicare audits. These fake audits request medical records and documentation that could be used for identity theft, insurance fraud, or further targeted attacks.

How Fax Machines Became a Healthcare Security Vulnerability

Healthcare organizations remain heavily dependent on fax technology for transmitting patient information, making them natural targets for this type of fraud. When a medical practice receives what appears to be an official government audit request via fax, the instinct is often to comply quickly to avoid regulatory penalties.

The scheme works because fax transmissions carry an air of official authority. Unlike emails that might trigger spam filters or phone calls that staff might question, fax requests often bypass normal security scrutiny. Healthcare workers are accustomed to receiving legitimate regulatory requests via fax, creating the perfect cover for criminals.

“These schemes may involve a combination of phone, text and synthetic audio and video,” noted John Riggi, highlighting how sophisticated these attacks have become. The fax component serves as the formal document request that gives credibility to the broader social engineering operation.

The Healthcare Fax Dependency Problem

This fraud scheme reveals something striking about healthcare’s technology infrastructure: in 2025, you can order groceries with your voice, but if Medicare wants to audit your medical practice, they might still send a fax. Fax machines aren’t just legacy equipment that organizations haven’t upgraded yet – they’re actually required technology for many healthcare compliance processes.

Medical practices must respond to legitimate Medicare audits, insurance requests, and regulatory inquiries – many of which still arrive via fax. This creates an environment where fraudulent fax requests can blend seamlessly with legitimate business communications.

Government rules make this worse. HIPAA privacy laws, Medicare rules, and insurance companies all expect doctors to use fax machines. When criminals take advantage of this, they’re not just using old technology – they’re using technology that doctors have to use.

The Real Financial Stakes

We don’t know exactly how much money this scheme has stolen yet, but healthcare data breaches usually cost millions of dollars. Medical records are worth a lot to criminals because they contain social security numbers, insurance details, and personal information that can be used to steal identities.

Beyond immediate financial theft, successful medical record harvesting can enable insurance fraud schemes worth hundreds of thousands of dollars per victim. Criminals can use stolen patient information to submit fake insurance claims, obtain prescription drugs, or receive medical services under false identities.

The compliance penalties add another layer of financial risk. Healthcare organizations that inadvertently release patient information to criminals may face HIPAA violations, regulatory fines, and liability lawsuits from affected patients.

Why This Attack Vector Persists

Here’s the problem: healthcare can’t just stop using fax machines to avoid this fraud. Medicare, insurance companies, and government agencies still expect doctors to communicate by fax for much of their official business.

CMS’s recommended protections acknowledge this reality: verify requests with medical review contractors, implement strict multifactor authentication, and train staff to recognize social engineering attempts. These are defensive measures designed to work within existing fax-dependent workflows rather than replace them.

The warning also reveals how criminals are adapting to healthcare’s actual technology landscape rather than targeting obviously vulnerable systems. They’re not exploiting outdated equipment – they’re exploiting necessary equipment that organizations can’t easily abandon.

The Broader Security Implications

This scheme demonstrates why fax security remains a relevant concern in 2025. As other communication methods become more secure and harder to exploit, criminals gravitate toward channels that still offer opportunities for deception.

Doctors are stuck in a tough spot. They can’t ignore all fax messages because they need them for legitimate business. But they also can’t trust all fax messages because some might be from criminals.

The CMS warning includes practical guidance: use the FBI Internet Crime Complaint Center to report incidents, implement robust authentication procedures, and maintain staff training on social engineering tactics. These recommendations treat fax security as an ongoing operational requirement rather than a temporary legacy concern.

The healthcare industry’s continued fax usage isn’t a sign of technological backwardness – it’s a reflection of regulatory realities and business necessities. Understanding this context helps explain why criminals continue finding success with fax-based fraud schemes and why healthcare organizations need sophisticated defenses for seemingly simple technology.