Priming for identity theft

I have some routine medical testing coming up, and I just got a text message. Completely unknown number. It says it’s from my hospital, and links me to a website I’ve never heard of - https://z2-ima.phreesia.net/. That website of course claims to be affiliated with my hospital, and won’t I please type in all of my personal information and upload copies of my identification cards so they can “update their records”?

Now…I made the phone call, verified everything, etc.

But the hospital didn’t clue me in about this message beforehand. They just tell their third-party provider to send me the link, and expect me to click through and hand over my info.

I’m wondering if it’s occurred to them that habituating people to clicking on unknown links and handing over their personal information is a really good way to prime somebody for identity theft?

4 Likes

This is certainly bad user experience, probably the hospital doesn’t have a proper data protection process established with the 3rd party provider so they want to request your personal data. Was the data request from phreesia.net a mandatory step to proceed?

If your healthcare provider or insurance company provides a satisfaction survey, I would be sure to point this out.

2 Likes

Once I verified a few pieces of my information, it became obvious that they had the information from the hospital.

But I think my point still stands. I’m actually approaching this and thinking about what info I’m handing over, but I would like to think that I’m above-average as far as being aware of scam attempts.

I see lots of companies doing this, not just healthcare. The stakes are relatively low when it’s some company I’ve never heard of claiming to be doing a survey for Office Depot about a recent order. But it all goes to the idea of being conditioned to just trust that third parties represent whoever they’re claiming to represent.

ESPECIALLY since Ascension (my healthcare provider) had that huge data breach, scams like this could actually be perpetuated with pre-populated, valid information.

2 Likes

My credit union is like this. If you take out an auto loan, you get a suspicious-looking text message and friendly link to something along the lines of uploadmyinfo.com. This is a legitimate request for your auto insurance scan, etc. but it doesn’t feel like it.

Also, their fraud alert voicemails come from an 800 number. The simultaneous text messages come from a shortcode and reference a four-character code for the institution that many wouldn’t recognize.

I’ve tried to get them to add a page to their site so they’d come up in a search for these numbers and URLs with no luck.

2 Likes

Sure! Just think of an elderly person going through these types of interactions. My 83-year-old father is not able to tell a scam from a “legitimate” data request.

2 Likes

A doctor (specialist) I see once a year “bills” me by sending a text message that is very phish-y looking with a link to click in order to pay. I have told them I refuse to pay this way, but their system is to send a text twice (I think it’s two weeks between), then if there’s no response, send a paper bill. Fortunately, they don’t consider it “late” when I pay that way.

I have told them many times that, since I am among the youngest patients they see (early 50’s), they are setting up their older patients to think it’s OK to make payments to random links sent via vague texts.

They claim it’s very efficient for them. OK. I’ve done my best. I still tell them, every time, that they are encouraging very risky behavior by their patients.

-Eric

2 Likes

I’m thinking that we, the people aware of the risks from these types of interactions, have the responsibility to raise these concerns to the businesses that behave this way.

3 Likes

I’ve encountered similar problems and try to determine if the message, site, etc. is legitimate. I usually can, but when in doubt I do nothing until I can talk to my doctor, banker, etc.

I realize not everyone can do this. But I’m old and can be stubborn on occasion.


According to the Washington Post:

"Here’s what’s going on: A company called Phreesia [https://www.phreesia.com/] makes software used by more than 2,000 clinics and hospitals across the United States to streamline check-ins, replacing the clipboard and photocopied forms with screens on a website or app. The company says it was used for more than 100 million check-ins in the past year. Some patients use Phreesia’s software to do early digital check-in at home, while others use it on a tablet at the clinic.

But Phreesia doesn’t just make money by selling its software to doctor’s offices. It also has a business in selling ads to pharmaceutical companies that it displays after you fill in your forms. And it wants to use all that information you entered — what drugs you take, what illnesses you’ve had in the past — to tailor those ads to your specific medical needs"

CAN YOUR MEDICAL RECORDS BE USED FOR MARKETING? YES, IF YOU AGREE TO THIS (Paywalled)

Good idea.

One thing that helps me deal with text messages is having Messages label them:

When I get a questionable text and verify it is legitimate, I add the short code to my Doctor’s, Bank’s, etc. card in Contacts. The fact that they are shorter than a phone number isn’t a problem.

Once you enter it (Or them. I have some contacts that send from 4 or more numbers) your text message will display the name of your contact.



Edit: See my reply to @webwalrus below.

Are those short codes non-spoofable?

1 Like

AFAIK all phone numbers can be spoofed. Adding short codes to my Contacts just allows me to quickly identify repeat notifications.

But if I get a message from Dr. Feelgood that directs me to some place new I’ll check it out first.

1 Like

Two different medical providers here, one for my wife and one for me, passed us touchpads to sign documents for which we were not shown or given copies of the documents we were signing. Sloppy and “iffy”. I asked how I would know that I wasn’t signing away our first-born son? And they just laugh!

I’ll let you all know if he gets abducted! :fearful:

2 Likes

The makers of hand sanitizer must love touchpads in doctor offices. I was thrilled the first time I used one, and saw my doctor’s receptionist clean it when I handed it back to her. :grinning:

They’re not the only ones, unfortunately. It’s regular but bad practice by many organisations which should know much, much better.

Can you send them my way, I have two girls in their 20s I need to move out :rofl:

3 Likes

I don’t want to say they can’t be, but you don’t find it happening. Spoofing happens in the voice world. SIM-stealing and porting attacks let legitimate numbers be used for SMS, but short codes aren’t managed that way. Short codes can be shared or dedicated, so there is some risk there depending on the service.

I venture a malicious human-crafted message from within the institution owning a short code would be the biggest risk.

2 Likes

Indeed. One thing we do at the school I work for is have departments engaging third party vendors who will be communicating with faculty, staff, or students utilize DNS subdomains of our .edu domain for those services. In the handful of cases where that’s not an option we insist that our community members be informed (by the relevant department or school) of the vendor’s domain names and/or email addresses used in those communications.

We also have mandatory infosec training for faculty & staff and offer training to students on a voluntary basis. These have proven to be quite effective in our experience.

4 Likes
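The subdomain policy above gives recipients something mechanical to check: a link is trustworthy only if its host is the institution's domain or a proper subdomain of it (or one of the vendor domains the institution has announced). The check is easy to get subtly wrong, so here is an added example, not code from the school, Phreesia, or any vendor on this page, of doing it carefully. The domains `hospital-example.edu` and `vendor-example.net` are placeholders, and the test URLs are constructed; the tricky cases it rejects are the usual ones from real phishing links: a trusted name used as the userinfo part before `@`, a trusted name used as a prefix of an unrelated host, and a non-ASCII lookalike label.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist for illustration: a placeholder institution domain plus one
# placeholder vendor domain that the institution has announced to its community.
TRUSTED_DOMAINS = {"hospital-example.edu", "vendor-example.net"}


def normalize_host(url: str) -> Optional[str]:
    """Return the lowercase, dot-trimmed hostname of an https URL, or None if the
    URL is malformed or carries a feature commonly used to fake a trusted host."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return None
    if parts.scheme.lower() != "https":
        return None
    # Userinfo lets "https://hospital-example.edu@evil.example/" show a trusted
    # name in front of the real host. Refuse any URL that carries it.
    if parts.username is not None or parts.password is not None:
        return None
    host = parts.hostname  # lowercased, port and IPv6 brackets removed
    if not host:
        return None
    host = host.rstrip(".")  # "checkin.hospital-example.edu." is the same host
    # A non-ASCII label can be a confusable for an ASCII one (e.g. Cyrillic "х"
    # for Latin "x"); treat it as untrusted rather than trying to compare glyphs.
    if not host.isascii():
        return None
    return host


def is_under_trusted_domain(url: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True only if the URL's host is a trusted domain or a subdomain of one.

    The match is on a label boundary: "x.hospital-example.edu" qualifies,
    "evilhospital-example.edu" and "hospital-example.edu.evil.example" do not.
    """
    host = normalize_host(url)
    if host is None:
        return False
    for domain in trusted:
        domain = domain.lower().rstrip(".")
        if host == domain or host.endswith("." + domain):
            return True
    return False


def triage(links):
    """Return (trusted, untrusted) lists for a batch of links from text messages."""
    trusted = [u for u in links if is_under_trusted_domain(u)]
    untrusted = [u for u in links if u not in trusted]
    return trusted, untrusted


if __name__ == "__main__":
    # Constructed sample links, the kinds that show up in check-in and billing texts.
    sample = [
        "https://checkin.hospital-example.edu/forms/123",
        "https://forms.vendor-example.net/intake",
        "https://hospital-example.edu.evil.example/forms",
        "https://hospital-example.edu@evil.example/forms",
        "https://evilhospital-example.edu/forms",
        "http://checkin.hospital-example.edu/forms",
    ]
    ok, bad = triage(sample)
    print("trusted:", *ok, sep="\n  ")
    print("untrusted:", *bad, sep="\n  ")
```

Publishing the allowlist is the other half of the policy: the check only helps a recipient who knows which domains to expect, which is exactly what the posts above complain that hospitals and credit unions fail to tell their customers.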

Wow!!! I am not sure if this would be downright illegal in Europe, but it would certainly be GDPR hell for any company attempting to build a business around this.

Maybe your group could do some training at the office of the Secretary of Defense.

2 Likes

An interesting thread.

I think I would never click on an unknown link. I just delete and mark as spam.

In the UK the NHS system seems to text me from the same number. So I get flu jab reminders, arranging an appointment link, appointment reminders etc. from hospital care and primary care; I can even text my doctor, all from the same number. Therefore I am fairly confident about that link. There is an NHS app, so if you are uncertain you can check on the app; all the messages are visible there.