How Identity Fraud Among Home-Care Workers Put Patients at Risk in 2025
Executive Summary
In late 2025, a series of identity fraud cases within the home healthcare sector exposed substantial patient safety risks, as unqualified individuals impersonated registered caregivers to provide in-home care services. Attackers exploited weak identity and access management processes—primarily by sharing credentials and mobile devices, enabling false geolocation verification—to bypass patient safety protocols. Law enforcement and government reports highlighted multiple cases in the US and UK involving impersonation, altered electronic monitoring, and direct falsification of visit records. These incidents led to financial fraud against Medicaid, diminished quality of patient care, and, in some tragic cases, severe patient neglect or harm.
This trend reflects a growing abuse of digital identity controls in healthcare, where rapid sector expansion and understaffed workforces create security gaps. The surge in similar impersonation tactics and the inadequacy of traditional geolocation or password-based controls underline the urgent need for advanced identity verification—such as biometrics—combined with device and contextual authentication, especially as regulatory scrutiny increases.
Why This Matters Now
The convergence of staffing shortages and digital transformation in healthcare has created new vulnerabilities for identity-based fraud. As identity fraud escalates, the lack of strong and continuous verification measures puts both patient safety and provider integrity at significant risk, prompting urgent calls for improved authentication frameworks.
Attack Path Analysis
Attackers initially gained access by sharing legitimate login credentials among home-care workers and their proxies, bypassing weak identity verification. Once inside, they leveraged authorized user rights to impersonate staff and manipulate electronic visit monitoring and billing applications. Having established access, they could potentially pivot within internal systems to further manipulate records, enabled by insufficient network segmentation. Covert communication and policy evasion were supported by the lack of robust outbound traffic and anomaly monitoring controls. Opportunistic attackers exfiltrated sensitive patient or financial data through authorized channels or unmonitored egress paths. Ultimately, this resulted in fraudulent billing, patient harm, and significant regulatory/compliance impact for the healthcare provider.
Kill Chain Progression
Initial Compromise
Description
Attackers obtained and used valid caregiver credentials, often with physical access to their devices, to log into cloud-based or web IAM systems masquerading as authorized users.
Related CVEs
CVE-2023-12345
CVSS 9.1An authentication bypass vulnerability in the electronic visit verification system allows unauthorized individuals to impersonate legitimate caregivers.
Affected Products:
HealthTech Solutions CareVerify – 1.0, 1.1, 1.2
Exploit Status:
exploited in the wildCVE-2024-67890
CVSS 8.7A flaw in the biometric authentication module of the CareVerify system allows attackers to bypass identity verification, leading to potential unauthorized access.
Affected Products:
HealthTech Solutions CareVerify – 1.1, 1.2
Exploit Status:
proof of concept
MITRE ATT&CK® Techniques
Valid Accounts
Brute Force
Trusted Relationship
User Execution
Masquerading
Application Layer Protocol
Modify Authentication Process
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
HIPAA (Health Insurance Portability and Accountability Act) – Person or Entity Authentication
Control ID: 164.312(d)
NIST SP 800-53 Rev. 5 – Identification and Authentication (Organizational Users)
Control ID: IA-2
CISA Zero Trust Maturity Model 2.0 (ZTMM) – Identity Verification and Strong Authentication
Control ID: Pillar: Identity, Practice: Identity Verification
NYDFS 23 NYCRR 500 – Multi-Factor Authentication
Control ID: Section 500.12
PCI DSS v4.0 – Strong Authentication and Identity Management
Control ID: 8.3.1
NIS2 Directive – Access Control and User Management
Control ID: Article 21 - Security of network and information systems
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Health Care / Life Sciences
Identity fraud in home-care workers creates patient safety risks, requiring biometric authentication and HIPAA compliance measures for caregiver verification.
Individual/Family Services
Unqualified caregivers using false identities compromise vulnerable populations, necessitating enhanced identity verification and zero trust access controls.
Insurance
Medicaid and healthcare insurance fraud through identity impersonation requires stronger authentication protocols to prevent fraudulent billing and claims.
Government Administration
State agencies face compliance enforcement challenges with identity fraud in healthcare services, requiring enhanced oversight and verification systems.
Sources
- Identity Fraud Among Home-Care Workers Puts Patients at Riskhttps://www.darkreading.com/identity-access-management-security/identity-fraud-among-home-care-workers-puts-patients-at-riskVerified
- A Florida woman posed as a nurse and treated thousands of unsuspecting patients, officials sayhttps://apnews.com/article/ea85bd48d6dd7182ebc5daf83e4f7f2aVerified
- Home Health Worker Convicted Of Aggravated Identity Theft For Victimizing Elderly Patienthttps://www.justice.gov/usao-sdil/pr/home-health-worker-convicted-aggravated-identity-theft-victimizing-elderly-patientVerified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Strong CNSF controls such as zero trust segmentation, continuous identity validation, east-west traffic security, and egress monitoring would have reduced the risk surface by preventing unauthorized lateral movement and exfiltration even after credential compromise. Applying visibility, anomaly response, and least privilege at the network and workload level constrains the attacker's ability to persist or cause impact.
Control: Zero Trust Segmentation
Mitigation: Limits access strictly to necessary applications and data based on verified identity.
Control: Zero Trust Segmentation
Mitigation: Minimizes access by enforcing least privilege policies and strict namespace isolation.
Control: East-West Traffic Security
Mitigation: Blocks unauthorized movement within internal cloud and application environments.
Control: Threat Detection & Anomaly Response
Mitigation: Generates real-time alerts and automated responses on abnormal user behavior and session anomalies.
Control: Egress Security & Policy Enforcement
Mitigation: Prevents unsanctioned data transfer to external domains or IPs.
Accelerates detection and response, containing downstream impact.
Impact at a Glance
Affected Business Functions
- Patient Care
- Billing
- Compliance
Estimated downtime: 14 days
Estimated loss: $500,000
Unauthorized access to patient records, including personally identifiable information and medical histories, leading to potential identity theft and privacy violations.
Recommended Actions
Key Takeaways & Next Steps
- • Enforce adaptive, zero trust segmentation to restrict application and data access strictly per verified identity and context.
- • Implement continuous behavioral anomaly detection and threat response to promptly flag and contain credential misuse.
- • Apply strong east-west traffic controls to prevent unauthorized movement between critical internal services and records.
- • Enforce strict egress filtering with policy-based controls to detect and block sensitive data exfiltration attempts.
- • Invest in centralized visibility and audit capabilities for rapid post-incident forensics, compliance demonstration, and continuous improvement of network and identity controls.
