7 BEC Scams That Prove Nonprofits Need Stronger Payment Controls
Nonprofits are prime BEC targets—see real attacks and what finance leaders must do to protect funds, data, and mission-critical operations.
The healthcare industry is a major target for cybercriminals running Business Email Compromise (BEC) scams, a threat that costs healthcare organizations nearly $25 billion in global losses annually. Unlike attacks that depend on malware or software exploits, BEC relies on deception: a convincing message from a spoofed, lookalike or compromised email account tricks employees into wiring funds, exposing sensitive patient data, or granting unauthorized access to critical systems.
Hospitals, clinics, and healthcare organizations handle massive amounts of financial transactions and confidential information, making them prime targets for BEC attacks. In fact, healthcare ranks among the top five industries most impacted by BEC, reflecting how relentless and costly these scams have become.
In this article, we’ll go over five real-world BEC scams that have targeted the healthcare sector to better understand the devastating consequences and the urgent need for stronger cybersecurity measures.
An unnamed hospital in Sydney reportedly lost $2 million in a BEC scam in September 2024. Police raided the home of a 49-year-old Western Sydney man in connection with the fraud and arrested him for recklessly dealing with the proceeds of crime.
The Australian Competition and Consumer Commission (ACCC) has warned that these scams are becoming increasingly costly for Australian businesses as scammers refine their tactics.
A Florida man, Erick Jason Victoria-Brito, and a group of fraudsters were indicted for running a $60 million international financial scheme targeting small businesses, nonprofits, and local governments over five years. Victoria-Brito was extradited from the Dominican Republic and now faces federal bank fraud and money laundering charges in New York.
Prosecutors say the group created thousands of fake businesses and bank accounts for BEC scams, tricking organizations into wiring funds. They attempted to steal over $150 million, funneling money to banks in China to evade recovery.
The U.S. Department of Justice has charged 10 individuals across multiple states in the first coordinated crackdown on BEC and money laundering schemes targeting public and private health insurers. The scams, which resulted in over $11.1 million in losses, fraudulently diverted payments intended for hospitals, Medicare, Medicaid, and private insurers by using spoofed emails and bank account takeovers.
The individuals allegedly used fraudulent methods to deceive victims into believing they were making legitimate payments and then laundered the stolen funds through shell companies, overseas transfers, and luxury purchases.
On September 13, 2024, Bellarine Medical Group experienced an email security breach in which an unauthorized user accessed an employee's mailbox and used it to send spam. On discovery, the group contained the incident by forcing multifactor authentication and resetting passwords.
The breach did not affect patient records, and there is no evidence that any sensitive personal or health information was accessed beyond the email addresses held in the mailbox's auto-saved cache. It still belongs in a list of BEC cases: a compromised employee mailbox is the foothold from which most BEC attacks are launched, because messages sent from it pass every sender check the recipient's mail system can apply.
In October 2020, the University of Vermont (UVM) Health Network suffered a ransomware attack that disrupted operations across its six hospitals, delaying patient care and leading to significant recovery costs. The attack began when an employee opened a phishing email while on vacation, which allowed the attackers to deploy malware. Strictly speaking this was phishing that led to ransomware rather than a BEC payment-diversion scam, but the entry point, one employee acting on a deceptive email, is the same one BEC depends on.
When the attack was launched on October 28, UVM Health Network shut down its systems to prevent further damage. Although no sensitive data was stolen, the organization had to rebuild its infrastructure over several months, causing major disruption for employees and patients.
Healthcare organizations can protect themselves from BEC scams by implementing strong cybersecurity practices, in particular employee training, email authentication protocols, strict verification of any change to payment details, and rapid incident response.
With these measures, healthcare organizations can reduce the risk of costly cyberattacks and protect both their finances and patient data.
The healthcare industry is a prime target for BEC scams, and cybercriminals are constantly refining their tactics to exploit human trust and security gaps. As these real-world cases show, the consequences of such attacks can be devastating: financial losses, operational disruptions, and risks to patient care.
To combat these threats, healthcare organizations must remain vigilant and implement robust security measures: employee training, email authentication protocols (SPF, DKIM and DMARC on their own domains, and enforcement of the results on inbound mail), out-of-band verification of every request to change a payee's bank details using a phone number already on file rather than one supplied in the email, and rapid incident response. By prioritizing these controls, healthcare providers can better protect their systems, safeguard sensitive data, and avoid falling victim to costly fraud.
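The Python script below is an added example of the payment-verification and email-authentication controls just described; it is my illustration, not Eftsure's product code or anything taken from the cases above. It screens an inbound supplier email for the indicators that recur in these cases: a Reply-To pointing somewhere other than the sender's domain, a lookalike sender domain, a sender domain that did not pass DMARC at the receiving mail server, urgency language, and a request to change bank details. The vendor master file, the call-back numbers, the regular expressions and the three sample messages are all constructed for the example.

```python
"""Screen inbound supplier emails for BEC payment-redirection indicators.

Added example, not Eftsure's code. Assumes the receiving MTA stamps an
Authentication-Results header (SPF/DKIM/DMARC) and that accounts payable
keeps a vendor master with the bank account and phone number on record.
"""
import re
from email import message_from_string
from email.policy import default as email_policy
from email.utils import parseaddr
from typing import Optional

# Constructed vendor master (assumption): domain -> account on record and the
# phone number already on file, which is the ONLY number used for call-backs.
VENDOR_MASTER = {
    "acme-medical.com": {"account": "12345678", "callback": "+61 2 5550 0100"},
    "citylabs.org": {"account": "55566677", "callback": "+61 3 5550 0200"},
}

BANK_CHANGE = re.compile(
    r"\b(new|updated?|changed?)\b.{0,40}\b(bank(ing)?|account|bsb|routing|iban)\b", re.I | re.S)
ACCOUNT_NO = re.compile(r"\baccount\s*(?:number|no\.?|#)?\s*[:\-]?\s*(\d{6,12})\b", re.I)
URGENCY = re.compile(r"\b(urgent(ly)?|immediately|today|asap)\b", re.I)
# Digits commonly substituted for letters in lookalike domains (e.g. medica1).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def _levenshtein(a: str, b: str) -> int:
    """Plain edit distance; small enough that no library is needed."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(addr) -> str:
    return parseaddr(str(addr))[1].rpartition("@")[2].lower()


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted vendor domain that `domain` imitates, or None."""
    if domain in VENDOR_MASTER:
        return None
    norm = domain.translate(CONFUSABLES).replace("-", "")
    for trusted in VENDOR_MASTER:
        if _levenshtein(norm, trusted.translate(CONFUSABLES).replace("-", "")) <= 2:
            return trusted
    return None


def screen(raw: str) -> dict:
    """Classify one raw RFC 5322 message and decide what accounts payable does."""
    msg = message_from_string(raw, policy=email_policy)
    from_dom = _domain(msg["From"] or "")
    reply_dom = _domain(msg["Reply-To"] or msg["From"] or "")
    auth = str(msg["Authentication-Results"] or "").lower()
    part = msg.get_body(preferencelist=("plain",))
    text = part.get_content() if part else ""
    flags = []
    if reply_dom != from_dom:
        flags.append("reply-to-mismatch")          # replies would go to the attacker
    impersonated = lookalike_of(from_dom)
    if impersonated:
        flags.append(f"lookalike:{impersonated}")  # typosquat of a known vendor
    if "dmarc=pass" not in auth:
        flags.append("no-dmarc-pass")              # sender domain not authenticated
    if URGENCY.search(text):
        flags.append("urgency")
    change = BANK_CHANGE.search(text) is not None
    vendor = VENDOR_MASTER.get(impersonated or from_dom, {})
    found = ACCOUNT_NO.search(text)
    if change and flags:
        action = "block-and-report"
    elif change:
        # A clean-looking change request is still never actioned from the email
        # alone: AP calls the number on the vendor master, never one in the email.
        action = "hold-verify-callback"
    elif flags:
        action = "review"
    else:
        action = "normal"
    return {"from": from_dom, "bank_change": change, "flags": flags,
            "new_account": found.group(1) if found else None,
            "account_on_file": vendor.get("account"),
            "callback_number": vendor.get("callback"), "action": action}


# Constructed sample messages (not real traffic).
LEGIT_INVOICE = """\
From: Accounts <ap@acme-medical.com>
Authentication-Results: mx.example-hospital.org; spf=pass; dkim=pass; dmarc=pass
Subject: Invoice 4471

Please find attached invoice 4471 for July. Payment is due in 30 days.
"""
BEC_ATTEMPT = """\
From: Accounts <ap@acme-medica1.com>
Reply-To: ap.acme@webmail-example.net
Authentication-Results: mx.example-hospital.org; spf=pass; dkim=none; dmarc=none
Subject: URGENT: updated bank details for invoice 4471

Hi, we have updated our bank account. Please pay invoice 4471 today to
Account number: 99887766 (BSB 062-999) and confirm immediately.
"""
GENUINE_CHANGE = """\
From: Accounts <ap@acme-medical.com>
Authentication-Results: mx.example-hospital.org; spf=pass; dkim=pass; dmarc=pass
Subject: Updated remittance details

Please note our new bank account details effective 1 August:
Account number: 24681357 (BSB 062-111).
"""

if __name__ == "__main__":
    for name, raw in [("legit", LEGIT_INVOICE), ("bec", BEC_ATTEMPT), ("change", GENUINE_CHANGE)]:
        print(name, screen(raw))
```

The design point is in the decision logic rather than the regexes: any request to change bank details is held for a call-back, even when every indicator is clean, and the call goes to the number already on the vendor master, never to one supplied in the message. The lookalike check folds common digit-for-letter substitutions before comparing, so `acme-medica1.com` is matched back to the real vendor and its account on file is returned alongside the account the email asks for. The `dmarc=pass` test assumes the receiving mail server evaluates SPF, DKIM and DMARC and records the verdict in Authentication-Results; without that header every message would be flagged, which is the safe failure mode for a payments queue.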