News
Article
Author(s):
Some patients are forced to deal with “infuriating” attempts at exploitation while navigating their disease.
Since receiving a diagnosis of breast cancer in 2021, Lashelle Scott, who lives in the Houston area, has faced hurdles such as the need to find and enroll in an insurance plan before beginning treatment and the process of navigating cancer care during the COVID-19 pandemic.
Scott’s treatment journey to date for stage 3 HER2-positive, BRCA2-positive breast cancer has included a partial mastectomy and targeted therapy, and the morning she spoke with CURE® she was trying to figure out how to cover her out-of-pocket costs for chemotherapy due to an insurance snafu that month.
But Scott has had to deal with another level of aggravation, as the political consultant and patient advocate says she has been bombarded with text messages, sometimes five or six a day, and emails offering her participation in clinical trials that don’t exist, inviting her to enroll in fraudulent insurance plans and promising a cure for her cancer.
“It’s infuriating because I’m a realist, so I know there’s not a cure,” Scott says. “Cancer just really goes in remission. So targeting me with a text message saying, ‘There’s a clinical trial for you for a cure’ — last year, I had all these text messages from this company that was sending me this information that I knew was false, and I’m like, ‘First of all, how did you get my information?’ I just thought it was weird.”
Patients with cancer, such as Scott, are particularly vulnerable to potential fraud and exploitation, experts tell CURE®.
“[A patient who receives] a cancer diagnosis clearly is in a state of vulnerability medically, [and] could be financially as well,” says S. Duke Han, professor of psychology and family medicine at Keck School of Medicine of the University of Southern California in Los Angeles. “And that creates, as we know, lots of ripple effects. Whenever a person is in a state of dependency, it makes the situation more prone to financial abuse.”
Examples of exploited patients can be found in local news across the country, from a Texas woman who was accused in 2009 of stealing tens of thousands of dollars from a neighbor who was receiving chemotherapy and radiation treatment to a New Jersey man with cancer who, according to a 2019 report, lost $18,000 in a phone scam to a man masquerading as his local sheriff.
Along with personal acts of attempted exploitation and fraud, attacks are increasingly occurring at an institutional level.
Patients of the Fred Hutchinson Cancer Center in Seattle reported receiving threatening emails from hackers following a 2023 cyberattack that resulted in leaked personal information of approximately 1 million patients, according to The Seattle Times. That same year, the personal information of millions of patients of Nashville-based HCA Healthcare was stolen and put up for sale, according to CNBC. The University of California San Diego’s health system was the target of multiple class-action lawsuits in 2021 following a data breach, according to a report from Law360. The University of Texas MD Anderson Cancer Center in Houston was the subject of a trio of data breaches across 2012 and 2013, in which unencrypted hardware containing the data of nearly 35,000 patients was stolen or lost.
Annual ransomware attacks more than doubled between 2016 and 2021, according to a study of 374 such attacks published in JAMA Health Forum that found that those attacks exposed the personal health information of nearly 42 million patients. Ransomware, as defined by the Cybersecurity and Infrastructure Security Agency, is “an ever-evolving form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption.”
“Cybercriminals are attacking hospitals with no concern for the condition of the individuals whose information they’re extracting,” says David Jaffray, who joined The University of Texas MD Anderson Cancer Center in 2019 as the institution’s first chief technology and digital officer. “They have their own agenda and one objective, which is to gain some wealth through the theft of information or through putting organizations through the stress of a ransomware situation where they lose functionality. There’s no mercy out there in this regard.”
Phishing, per the Federal Trade Commission, is an online scam using communication appearing to be from a well-known source in order to trick the attempted victim into providing personal information.
“Occasionally, we get feedback from our patients: ‘Somebody phoned me asking suspicious questions and it appeared to be an MD Anderson [phone] number. How did that happen?’” Jaffray says. “Unfortunately, it’s relatively straightforward to spoof the caller ID, and somehow these criminals have learned this individual is a patient at MD Anderson.
“It could be from a conversation they had or through a post they made on social media. This is a kind of example that we’re seeing in the ecosystem where bad actors are assembling bits and pieces to convince these individuals to share even more.”
It’s hard to know exactly how scammers intend to use the information they extract from patients, Jaffray says.
“We can’t get fully into the mind of the cybercriminal, but once they start to build more and more detail about you through the collection of additional information, they can go anywhere with it,” he says. “And there’s actually an entire market out there of this kind of information being used for a variety of different scams.
“And so, the building up of that picture, with as many credentials as possible, becomes a marketable asset for these cybercriminals to use for a variety of different purposes. They could use it to open up a bank account and submit a false tax return so that your refund goes to the wrong person, for example. They don’t necessarily use the information that is collected in the nature of the scam, so someone proposing a clinical trial opportunity may just use that information to get your insurance information that they can use for a totally different exploit.”
It’s been more than 20 years since Eric Drew, then 36 and hospitalized for acute lymphoblastic leukemia, learned he was the victim of identity theft.
“When this was all happening to me, it was hard to isolate the identity theft from the medical battle as it was all one struggle,” said Drew, of Los Gatos, California. “So not only was I a victim of identity theft but my identity as a person was shattered as well — people don’t realize that with a cancer diagnosis, your entire identity as a person goes out the window. I mean, my identity before diagnosis was Eric Drew, 6 [foot] 3 [inches] and 220 pounds, high school football quarterback, part-time model, successful business development executive, etc., etc., and now my identity is a patient number, actually they refer to me as a hospital room number. … Everything that was part of who I was is gone already, and to attack someone in such a vulnerable point in their lives is just absolutely horrific.”
“It’s no secret that going through cancer is costly — it’s costly emotionally, but it’s costly financially as well,” says Han. “And so, particularly as people are navigating treatments, those often come with costs, and if someone becomes a victim of scam or fraud in the midst of going through treatment, your financial well-being can be threatened, and it can be really devastating.”
Drew began receiving credit card application notifications during his second bone marrow transplant, followed by thousands of dollars in bills. He eventually learned that his information had been stolen by a technician working at the Seattle Cancer Care Alliance, where Drew had previously received a bone marrow transplant.
The technician, Richard W. Gibson, claimed to have gotten his information from a paper in a restroom wastebasket, according to Drew. In 2004, Gibson was sentenced to 16 months in prison and ordered to pay at least $15,000 in restitution as the first person in America to be sentenced under the Health Insurance Portability and Accountability Act, which had taken effect the previous year, as reported by The Associated Press.
“This court considers your behavior in this case to be some of the most deplorable I’ve seen in 15 years on the bench,” The Associated Press reported U.S. District Judge Ricardo Martinez as telling Gibson.
Han, whose collaborators include the National Center on Elder Abuse at the USC Center for Elder Justice, says the center and the team from his Han Research Lab in USC’s department of psychology have observed the increasingly sophisticated techniques deployed by scammers.
“When email first came out, scammers latched on email scams. And when cellphones became more prevalent, cellphone scams became more prevalent. I think the more AI [artificial intelligence] and other sorts of machine learning and technological advances happen, there’s going to be a corresponding increase in their use for scam and fraud,” Han says.
Drew, in remission since 2004 and the founder of the WeHeal Foundation patient advocacy and education organization as well as the identity theft prevention and restoration company Knightsbridge Castle, knows how much more sophisticated tactics have become since his ordeal.
“Access to consumer marketing data is just at unreal levels. … [Scammers] might not be able to get access to the medical record, but they can figure out who [patients] are seeing, where they’re going,” Drew says. “There’s so much information out there that wouldn’t be hard to put together. And then to offer them a phishing scam saying, ‘You know, we got this clinical trial that can save your life,’ I mean, that’s just horrible.”
“If you’ve been given a terminal cancer diagnosis, and you’ve been told by a physician and an oncologist that although it’s potentially treatable, it’s not curable, those are devastating words to hear,” says Dr. Skyler B. Johnson, physician-scientist at Huntsman Cancer Institute at the University of Utah and assistant professor in the department of radiation oncology at the university.
“If you are sent a clinical trial that is offering a promise of a potential cure or you hear about an alternative medicine clinic overseas that has cured patients like you and in your situation, that allows you to take some of that fear, some of that anxiety, that uncertainty that you have about the future and develop some hope and find some certainty,” Johnson said. “And so I think there are some psychosocial and emotional characteristics that make cancer patients particularly vulnerable to these issues.”
Cancer’s complexity is also a contributing factor, as Johnson explains. “People think of cancer as one disease, but we know that it’s thousands of different diseases with thousands of different treatments,” he says. “And so because it’s so complex, it’s hard for people to understand. … When they don’t understand their diagnosis, they don’t understand the treatments, and that can lead to a lack of confidence, and that’s another major issue.
“So I think cancer is a particular area where misinformation, disinformation, unscrupulous actors can really thrive because they can prey on people’s fears and anxieties and uncertainties and lack of confidence in the treatment options that they have. And they can take advantage of that.”
Scott, who serves as a patient advocate via organizations including Living Beyond Breast Cancer, the Tigerlily Foundation and Susan G. Komen, says such scams can give patients “a false hope.”
“For anyone ... just [thinking], ‘OK, I’m tired of going to a regular doctor, let me try this,’ it’s very bad. The way the emails are written, like it’s personally to you, is very suspect. … Somebody else [may be] like, ‘Hey, this person really knows me, they know about my case, they could probably really help me.’”
“It’s scary,” Scott says, “that there’s somebody out there actually doing stuff like this.”
For more news on cancer updates, research and education, don’t forget to subscribe to CURE®’s newsletters here.