In the heart of Boston, Tufts Medical Center treats scores of health conditions, administering measles vaccines for children and pioneering next-generation tools that can eradicate the rarest of cancers.
But doctors, administrators and other hospital staff struggled to contain a much different kind of epidemic one April morning last year: a wave of thousands of robocalls that spread like a virus from one phone line to the next, disrupting communications for hours.
For most Americans, such robocalls represent an unavoidable digital-age nuisance, resulting in seemingly constant interruptions targeting their phones. For hospitals, though, the spam calls amount to a literal life-or-death challenge, one that increasingly is threatening doctors and patients in a setting where every second can count.
At Tufts Medical Center, administrators registered more than 4,500 calls between about 9:30 and 11:30 a.m. on April 30, 2018, said Taylor Lehmann, the center’s chief information security officer. Many of the messages seemed to be the same: Speaking in Mandarin, an unknown voice threatened deportation unless the person who picked up the phone provided their personal information.
Such calls are common, widely documented scams that seek to swindle vulnerable foreigners, who may surrender their private data out of fear their families and homes are at risk. But it proved especially troubling at Tufts, which is situated amid Boston’s Chinatown neighborhood, Lehmann said. Officials there couldn’t block the calls through their telecom carrier, Windstream, which provides phone and Web services to consumers and businesses. “There’s nothing we could do,” Lehmann said Windstream told them.
Administrators at other hospitals, cancer centers and medical research organizations around the country share Tufts’s robocall concerns. They fret that such a seemingly obvious tech malady has worsened in recent months and that government regulators and phone companies have been too slow to help. And they fear that robocallers could eventually outmatch their best efforts to keep hospital phone lines free during emergencies, creating the conditions for a potential health crisis.
"Imagine a scenario when our phone system doesn't keep up," Lehmann said.
This May alone, robocallers rang Americans’ smartphones an estimated 4.7 billion times, according to YouMail, a company that makes an app that helps users block suspected spam calls. That’s nearly double the amount from two years ago, reflecting the extent to which fraudsters have outwitted carriers such as AT&T and Verizon, lawmakers on Capitol Hill and the government’s chief robocall cops, including the Federal Communications Commission.
Top telecom providers say they are working to implement new technologies that would label a call that’s likely to be spam, but widespread implementation is many months away. At the same time, the FCC recently has stepped up efforts to find and fine scammers, while helping consumers access tools that can block suspected spam numbers. But the agency has stopped short of fully rewriting the nation’s anti-robocall rules, something experts say would be necessary to truly stop the scourge.
“These calls to health-care institutions and patients are extremely dangerous to the public health and patient privacy,” said Rep. Frank Pallone Jr. (N.J.), the Democratic chairman of the House Energy and Commerce Committee, who has put forward legislation to try to clamp down on robocalls. “The FCC and Justice Department need to go after these criminals with the seriousness and urgency this issue deserves.”
The absence of immediate relief spells particular trouble for medical professionals. Scammers often adopt a technique known as spoofing to cover their tracks, a practice that results in people receiving calls from numbers that look similar to their own. For a hospital, that often can mean calls appear to come from local area codes, tricking health care workers into thinking it’s a nearby patient in need of care.
"They can't not pick them up," said Steven Cardinal, a top security official at the Medical University of South Carolina. "They don't have any indicator it's a spoof until they answer it."
Patients, meanwhile, must grapple with another headache: With the aid of spoofing, robocallers can seem to take on numbers that are the same as, or similar to, their local health organizations. People are likely to answer those calls out of fear that a loved one is in danger.
For Jennifer Waisath Harris, a political strategist in Austin, there was no hesitation this May when a call from nearby Ascension Seton Medical Center came across her mobile device. Her mom had been hospitalized weeks earlier on Mother’s Day, and Harris knew she had undergone a bevy of follow-up tests.
“And when I got that call,” she said in a recent interview, it wasn’t a doctor or nurse on the other line. It was some recorded voice, saying, “You qualify for insurance,” she said. “Seeing the hospital’s name come across caller ID, it caused my heart to palpitate a bit.” Adding to her alarm, Harris said she used a call-blocking tool offered by AT&T, her carrier. It didn’t flag anything as awry.
The same issue has plagued patients at Noyes Health, part of a network of hospitals affiliated with the University of Rochester. John Dorak, the director of IT infrastructure, said he has heard regularly from residents in this rural community who swear they’ve been contacted by a number that appears to be the hospital — but in reality, it’s a scammer that “takes advantage of our good name."
"We've had people calling around the community, using our name and number to tell people they owe money,” he said. “That's not what we do."
Robocalls targeting hospitals and other health-care organizations hardly represent a novel threat. When Congress adopted the government’s anti-robocall rules in 1991, lawmakers specifically cited consumers’ complaints that automated spam calls were tying up critical emergency lines. More than two decades later, the FCC cited that very authority in issuing a $120 million fine against Adrian Abramovich, a Florida man who placed nearly 100 million robocalls in a telemarketing scheme that also interfered with hospital pagers.
In the telecom industry, phone carriers now say they’re investing more heavily in efforts to trace the origins of deceptive robocalling campaigns, including those that target health-care organizations. From there, they can increasingly help federal law enforcement officials in their investigations, said Patrick Halley, the senior vice president of advocacy and regulatory affairs at USTelecom, an industry lobbying group.
But many health and security experts say they are still fearful of mass disruption at a time when robocalls remain on the rise.
The continued threat to doctors and patients prompted Dave Summitt, chief information security officer for the H. Lee Moffitt Cancer Center and Research Institute, to take his concerns directly to Congress in March. Democrats and Republicans alike on Capitol Hill long have been united in seeking legislation to crack down on robocalls, but they’ve yet to pass a single law in response.
Testifying in front of the House Energy Committee, Summitt stressed that robocalls represent a "serious threat” to his Tampa-based facility, which serves more than 60,000 patients each year. Over a 90-day period, he said, robocallers rang more than 6,600 times using numbers that mimicked Moffitt’s, which he estimated had consumed 65 hours of hospital response time. That came in addition to about 300 robocalls that appeared to be coming from numbers affiliated with the U.S. Department of Justice, he told Congress. Summitt said those callers sought to swindle physicians into surrendering critical information that might make it easier for scammers to obtain prescription drugs fraudulently.
In an interview, Summitt said the cancer center tried to obtain help from its telecom carrier, CenturyLink. But CenturyLink officials said the problem wasn’t severe enough over a 72-hour period to warrant their help, according to Summitt. In other cases, Summitt said he sought to enlist CenturyLink’s aid in finding out who was masquerading as Moffitt, which CenturyLink said it couldn’t do without a warrant.
In response, Linda Johnson, a spokeswoman for CenturyLink, said it is “not our policy and must have been a miscommunication” that someone there informed Moffitt that it couldn’t block certain numbers unless it had received more calls.
“Our fraud management team worked closely with Moffitt to identify illegal robocalls, trace them back to their source and ultimately block them. We will continue to do our part to fight unlawful calls,” she added.
As thousands of robocalls bombarded Tufts Medical Center last year, it had its own share of problems with Windstream, its telecom carrier. But Thomas Whitehead, the vice president of federal government affairs at the company, attributed Tufts’s robocall troubles to its reliance on older phone technology. “We do have a call-blocking solution we offer. We just couldn’t offer it on their system," he said in a recent interview.
A year later, Whitehead said they are still “following up” with Tufts Medical Center.
In the meantime, hospital leaders have labored to train staff and warn them of potential fraud. Recently, their workers — much like those at Moffitt in Florida — have been targeted by scammers seeking to steal information, perhaps in an attempt to obtain drugs illegally, said Lehmann, the Tufts security officer.
“These disruptions,” he said, “add up to being a big deal.”