Hackers Stole Doctors’ Tax Refunds By Breaking In To Payroll Software

Last week, we shared the scary news that a ring of tax refund fraudsters appeared to have filed tax returns on behalf of hundreds of doctors and other health care professionals, harvesting their refunds. Early theories were that hackers had used the recent release of federal data about Medicare providers, or obtained a list of doctors. The truth was even scarier.

Many human resources and all payroll functions are now computerized in any workplace that doesn’t pay in wads of cash, and someone has to provide that software. Security reporter Brian Krebs viewed the program that the fraudsters used to slurp up data and file tax returns, and noticed that the people whose data had been stolen worked for a variety of health care facilities, ranging from nursing homes to hospital networks. What did all of these employers have in common? They used UltiPro, a payroll and human resources service sold by Ultimate Software, for their payroll, their HR functions, or both.

Krebs talked to an Ultimate Software spokesperson, who turned around and blamed customers. Sort of. One way to prevent unauthorized access to sensitive data is multi-factor authentication: requiring a second piece of information to log in to a service, like a one-time code from a text message, an e-mail, or an outside app like Google Authenticator. When asked, Ultimate said that it offers multi-factor authentication but doesn’t force customers to use it. An optional second factor protects only the accounts that turned it on; for everyone else, a single phished, guessed, or reused password is enough to reach the same payroll records. The company wouldn’t say much about the alleged breaches for obvious reasons, but one client company did tell Krebs that two-factor authentication wasn’t even an option until after a data breach earlier this year.

Tax Fraud Gang Targeted Healthcare Firms [Krebs on Security]