Remote health care has offered more access and convenience to patients and doctors, but it has also opened more opportunities for fraud. Telehealth scams exploit virtual visits and online communications. Their impact is twofold — they can drain organizational resources and expose systems to cybersecurity risks. As a health care IT specialist, it is important to understand how fraud arises in telehealth and what systems are strong enough to keep virtual care safe.
What Are Telehealth Scams?
Telemedicine scams misuse virtual health care platforms to defraud patients, providers and government programs. These schemes often appear legitimate, only to exploit sensitive data or commit fraud for money.
The financial consequences can be significant. Within the last few years, the Justice Department has focused more on these digital health platforms, as they have become more embedded in everyday care delivery. In 2024, its National Health Care Fraud Enforcement Action pursued felony charges against 193 defendants across the United States.
Thirty-six of those were directly tied to telemedicine-related fraud schemes, which involved over $1.1 billion in fraudulent claims submitted to Medicare. The federal government has begun to crack down on virtual health care because the distance and deployment of technology are exacerbating the potential for fraud.
Common Types of Telehealth Scams
Online health care scams involve various tactics, including:
- Fake telehealth providers: Scammers pose as licensed doctors or health services, setting up fake websites that trick patients into providing payment or insurance details.
- Phantom billing: Fraudsters use stolen credentials or manipulate electronic health record (EHR) systems to bill Medicare or insurers for services never provided.
- Kickback schemes: Fraudulent telehealth operations often pay providers or marketers to refer large volumes of unnecessary services or prescriptions, violating anti-kickback statutes.
- Phishing and impersonation: Cybercriminals send emails or texts mimicking telehealth platforms, luring users to click malicious links or submit personal data under false pretences.
While fraudsters will use various deceptive tactics, they all have one goal in mind. Their objective is to steal a Social Security number, financial credentials, or insurance information and use it for fraudulent billing or identity theft. Telehealth services are expanding each day, so criminals are constantly coming up with new ways to target doctors and patients to evade authorities and health care companies.
Warning Signs to Be Aware Of
Telehealth scams often leave traces within digital systems that IT professionals can look for to prevent large-scale fraud and data breaches.
Abnormal Billing or Usage Patterns
Watch for sudden increases in telehealth billing codes or claims for services outside the organization’s typical offerings. Repeated billing from the same IP address or provider account may also indicate automation or fraudulent activity behind the scenes.
Suspicious Authentication Activity
Unauthorized login attempts can point to compromised credentials. Repeated failed logins or unusually long user sessions may signal bot-based attacks or unauthorized remote access.
Third-Party Platform Vulnerabilities
Be cautious when onboarding new telehealth tools or integrations. Vendors that cannot provide clear compliance documentation or attempt to bypass vetting processes should raise concerns. Unsupported APIs or unpatched tools can also be weak entry points for scammers.
Inconsistent Patient or Provider Data
Scammers often create slightly altered records to evade detection. For instance, discrepancies may occur in patient-reported visits. If the number of visits exceeds the records in an EHR system, this is a sign worth investigating.
This also goes for provider data. Scammers may try to procure fake identities using generating tools to pose as a doctor to steal or fabricate information.
Steps Health Care IT Teams Can Take
IT leaders can take action against the growing threat of telehealth scams by implementing several digital defences.
Implement Multi-Factor Authentication (MFA) and Access Controls
Enforce MFA across all telehealth platforms and patient portals. Limit access based on roles to ensure only authorized personnel can schedule virtual appointments or bill services.
Conduct Regular Security Audits and Log Monitoring
Schedule routine audits of login records, provider activity and claims data. Establish automated alerts to flag anomalies, such as login attempts from unfamiliar devices or sudden changes in billing behaviour. Early detection is critical for halting fraud before it spreads.
Vet Third-Party Vendors
Before onboarding any telehealth vendor, verify their HIPAA compliance, review their security documentation and conduct vulnerability assessments. Avoid integrations with platforms that lack transparent data handling practices or cannot support routine audits.
Communicate Risks and Best Practices to Patients
Work with clinical and communications teams to educate patients about safe telehealth practices. Create easy-to-understand guides that explain how to verify provider legitimacy and report concerns. Consider hosting security tips directly within patient portals.
Train Staff to Spot Red Flags
Educate clinical and administrative teams on recognizing phishing attempts and unexpected requests for sensitive data. For instance, scammers have previously sold fake at-home COVID-19 test kits in exchange for Medicare or personal information, then fraudulently billed Medicare. Teaching teams to verify sources before disclosing or entering data can prevent similar schemes.
Work With Legal and Compliance Teams
IT, legal and compliance teams should collaborate to maintain policies for responding to suspected breaches. They should also revisit telehealth workflows to ensure all virtual care tools align with regulatory standards and fraud prevention protocols.
Strengthening the Front Lines of Virtual Care
Telehealth has become an important service for patients with access to fewer health care resources. However, it offers various entry points for scammers to commit fraud. With this in mind, health care IT teams must stay alert and watch for the latest tactics in virtual health care scams. When implementing a mix of strategies, they can uphold the integrity of online medical care and maintain proactive defences.
By Zac Amos, ReHack
