Skip to content
Naked Security Naked Security

Hospitals are being suffocated by robocalls

Some pretend to be hospitals to get patients' payment data. Others pose as the government and try to get confidential data from hospitals.

Medical staff are being overwhelmed by a new type of health crisis: “a wave of thousands of robocalls that spread like a virus… from one phone line to the next, disrupting communications for hours,” the Washington Post reports.

This is nothing new. According to the spam-call blocker company YouMail, there were an estimated 4.7 billion robocalls placed in the month of May alone.

But it’s reaching a feverish pitch at the organizations for which it’s far more than an annoyance – rather, as hospital cybersecurity chiefs tell it, it’s a question of life and death. Spearphishers are placing spam calls to patients – using numbers spoofed to look like they’re coming from legitimate healthcare organizations and pretending to be hospital representatives – and trying to get insurance or other payment information out of their targets.

Spam callers are also spoofing hospital phone numbers to place calls to hospitals that look for all the world like the calls were placed internally. Answering those calls takes precious time out of the day that should be dedicated to saving people’s lives and to medical research.

A third type of nuisance call is coming from spearphishers who pose as employees at government agencies and demand to speak to a specific, named physician as they try to finagle confidential information out of the doctors, such as medical license numbers and Drug Enforcement Agency (DEA) numbers – information with which fraudsters can illegally procure drugs to then sell on the black market.

Dave Summitt, the CISO of one such besieged hospital, the H. Lee Moffitt Cancer Center and Research Institute in Tampa, Florida, testified in April 2019 in front of the House of Representatives about how overwhelmed healthcare organizations have become by the scourge.

90 days, 6,600 spoofed calls, 65 wasted hours

Summitt said that over the course of the 90 days that led up to his testimony, over 6,600 calls spoofed to look like internal numbers were answered by staff at Moffitt, which is the third busiest stand-alone cancer hospital in the US.

During a 30-day period, hospital staff answered more than 300 calls that looked like they were coming from the Washington DC area, with half claiming to be from a federal agency. Caller ID identified some of them as coming from the US Department of Justice (DOJ). When Moffitt staff answered, the callers said they were DOJ employees… and then demanded to speak with a specific, named physician about an urgent problem affecting his or her medical license number and DEA number.

Those malicious and/or fraudulent calls tied up hospital staff for 65 hours, Summitt said.

You probably, and I for sure, complain about robocalls and spam calls and how the US government has failed to pass a single law on robocalls. Summitt said that he’s in the same boat: on his personal cell phone, he has 45 blocked numbers entered just in the last 90 days.

Not to minimize the frustration that entails for all of us, but the problem rises to a much higher level than mere annoyance when we’re talking about healthcare organizations, he said.

These attempts occurred over several weeks and involved numerous care providers. These calls can be quite disturbing and disruptive, and we, along with other organizations have to manage them on a daily basis.

The Washington Post mentioned another hospital, Boston’s Tufts Medical Center, where more than 4,500 nuisance calls came in between about 9:30 and 11:30 a.m. on one single day, 30 April 2018, according to CISO Taylor Lehmann.

Many of the messages seemed to be the same: Speaking in Mandarin, an unknown voice threatened deportation unless the person who picked up the phone provided their personal information. Lehmann said that while scams trying to scare foreigners into giving up their private data are a known phenomenon, this attack was particularly disturbing given that it targeted Tufts – a hospital located in Boston’s Chinatown.

Are carriers dropping the ball?

What are carriers doing to help save the hospitals? Not much, if anecdotal evidence is any guide. Lehmann said that Tufts’ telecom carrier, Windstream, told them that “There’s nothing we [can] do.”

For its part, Windstream blames Tufts’ outdated phone technology. The Washington Post quoted Thomas Whitehead, the company’s VP of federal government affairs:

We do have a call-blocking solution we offer. We just couldn’t offer it on their system.

The Post reports that one year later, Windstream said it was still “following up” with Tufts.

Similarly, the Moffitt Cancer Center has experienced what Summitt finds a baffling lack of response from its own telecom carrier, which the Washington Post identified as CenturyLink. During the incident with the spoofed DOJ calls, Summitt said that the carrier told him that the hospital would need to get more robocalls to file a complaint. The targeted organization needs to receive between 20 to 25 calls within a 72-hour window to make that happen, he was told.

When Moffitt tried to find out who was behind the spoofed calls that were using the hospital’s own number, the carrier wouldn’t give out the source of the calls – not without a subpoena, according to Summitt.

CenturyLink said that it’s not so: a spokeswoman told the Washington Post that it’s “not our policy and must have been a miscommunication” that someone told Moffitt that it couldn’t block certain numbers unless it had received more calls:

Our fraud management team worked closely with Moffitt to identify illegal robocalls, trace them back to their source and ultimately block them. We will continue to do our part to fight unlawful calls.

Are the robocallers being protected more than the hospitals?

Something’s wrong when hospitals are beholden to obey laws about protecting patient privacy, while those who make forged calls have their own privacy shielded, Summitt told Congress:

I am rather astonished that others can use our owned phone number range, fraudulently represent our organization, and we have no recourse other than court order. There should be provisions made that when a company is actively investigating a suspected fraud or information security breach, they should have cooperation from the carrier. Our health care regulations require us to protect patient privacy and safety, yet it seems bad actors are more easily protected from privacy than those already covered under regulatory requirements.

How do we get robocalls to die, die, die?!

In May 2019, the US Senate passed an anti-robocalling bill. It’s still waiting for the House to take it up, which the House might not do, given that it’s working on its own version, the Stopping Bad Robocalls Act (HR 946). That House bill was introduced by Rep. Frank Pallone Jr., the chairman of the Energy and Commerce Committee.

Whichever bill – if either – gets passed and signed into law by the president, it will still take months to implement the technology that’s supposed to fix this problem.

What will also take months: fixes from the top telecoms that would label a call if it’s likely to be spam.

Meanwhile, the Federal Communications Commission (FCC) has been stepping up efforts to track down, and fine, scammers.

The FCC is fully aware of how the healthcare industry is being negatively affected by these calls. When it issued a $120 million fine against Adrian Abramovich – a Florida man known as the “robocall kingpin”  – it cited millions of calls Abramovich robo-placed that drowned out operations of an emergency medical paging provider:

By overloading this paging network, Mr. Abramovich could have delayed vital medical care, making the difference between a patient’s life and death.


My beef is with the telecoms companies/carriers. If find it odd that they allow their customers to change their Caller Line Identity (CLI) without a some sort of control/license or something that provides authenticity and traceability.
After all, we drive vehicles on road networks with unique registration plates. ISP’s label our connections with unique DNS entries, which customers cannot change, so something like this should be implemented on telecoms networks. Yes, it will take time and cost, but it seems the responsible action to take – this article gives an example why it’s needed.
If we can implement anti-spam mechanisms for Email that can typically block 95% of spam, then a similar telecoms solution could drop the majority of spam phone calls, leaving less wasted time on remaining calls that interrupt us and require ‘think time’ to decide if they should be answered or not.


The protocol for delivering calls is ITU-T standard Q.931. There’s a bit in the Call Setup packet which states whether the Calling Party ID has been placed in the packet by the carrier or by some other non-trusted party (including the call initiator). Every time I ask the authorities, legislators, or even my own provider why they aren’t screening calls based on this bit, they act like they don’t understand or have never heard of it.

In other words, the information is already in every call, but no one is looking at it.


That’s valuable information Laurence, thanks. I guess that’s not resident in circuit-switched networks. However, it’s all moving to packet-switched. I’ve always suspected that the providers don’t want calls blocked in fear of impacting their revenue…


Right. It’s the control protocol developed for ISDN calling in the 1980s, move to Gen 3 cellphones in the 1990s, and VoIP in the 2000s. It’s also why it was relatively straightforward to add WiFi calling and WiFi-to-OTA-to WiFi handoffs in Gen 4.

I think the real reason for stalling is that broad blocking based on this bit would disable all the techies that are running their own VoIP gateways using Asterisk open-source VoIP gateway software. It would require development of an authentication protocol, something analogous to SPF, DKIM, or DMARC for email.

Maybe updating Q.931 to prevent abuse is needed, similar to the updates that have been made to TELNET, SMTP, RLOGIN, SMTP, HTTP, and many other protocols that were developed before jerks got onto the internet.

Me? I’m paying a few bucks a month for a VoIP provider, but I can understand/sympathize with those that do it from home.



I bet shaken/stir would be a big help here since DOJ and hospital numbers would be harder to properly spoof.


The Answer to robo calls is reverse Carrier Access Billing (CABS). Each carrier passing a call from the direction of the originator to the adjacent carrier in the direction of the destination should be charged a small fee (pennies) for passing the call request. The fees would balance to near zero, except for a carrier originating robocalls, whom would be left holding the bag: A sack full of originating calls for which the carrier would not get a balancing reimbursement. It’s the reverse of classic CABS, for which all carriers are familiar.


Yo telecoms, I disconnected my land line because you can’t do basic security.
How much business can you afford to lose before you pull your head out of,,, the sand.


Got a call yesterday from an Absent Number Robocall. I pay to block absent numbers. My carrier is going to answer this question or lose a longtime customer. VZW watch out. Also on the DoNotCsll list yet i’m told the DNC list sells them their lists


Its crazy but the DNC list does not apply to non profits and political parties… So the DNC list can be bought by the DNC and everyone is SOL. The only way Telecoms will listen, is to hurt them in the wallet.


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!