Phantom Audits: How Fraudsters Are Targeting Local Healthcare Clinics

Small healthcare providers are facing a new kind of fraud that preys on their dedication to regulatory compliance: fake audits. Criminals posing as HIPAA regulators or billing compliance officers are showing up at local clinics—or reaching out via email or phone—with demands for immediate access to records or urgent payments for so-called violations. These scams are sophisticated, convincing, and financially devastating.

How the Scam Works

These fraudsters typically claim to be from a government agency, such as the U.S. Department of Health and Human Services or a state-level health authority. They may provide fake credentials, forged letters, or spoofed phone numbers. Once “onsite” or in contact, they create a sense of urgency by alleging a violation of HIPAA, insurance billing standards, or OSHA protocols.

In many cases, they pressure the staff into sharing patient data for a “records audit,” handing over billing logs or system credentials, and paying bogus “compliance violation fees” or “emergency certifications.”

These scams often succeed because small practices don’t always have in-house legal or compliance officers to verify such claims, and the fear of a regulatory breach is enough to push employees into compliance.

Real-World Examples

In May 2025, the Georgia Board of Dentistry issued an urgent alert warning providers about a surge of scam calls targeting dental clinics across the state. The scammers impersonated board officials and claimed that the clinic or dentist was under investigation for a Medicaid or prescribing violation.

Victims were pressured to provide sensitive information like DEA numbers, Social Security details, and even bank account data. In some cases, the bad actors threatened license suspension or legal consequences if the staff didn’t comply immediately—classic scare tactics. The Board confirmed that legitimate investigations are never handled over the phone and never require payment or personal details to be provided on the spot.

Other dental practices across the Midwest have reported being approached by individuals claiming to conduct in-person OSHA compliance checks. Wearing safety vests and presenting fake credentials, these impostors demanded access to records and successfully collected private data before disappearing.

Why Small Clinics Are at Risk

Larger hospital systems typically have robust protocols, legal departments, and employee training to prevent such breaches. However, smaller practices—such as family doctors, physical therapy clinics, or behavioral health clinics—may not have the same level of preparation. Criminals know this, and they exploit it by tailoring attacks that look just legitimate enough to bypass skepticism.

Defense Strategies That Work

To safeguard your practice from these scams:

  • Verify all contacts claiming to be regulators. Use official websites or directories to call back known numbers—don’t trust what’s on the caller ID.
  • Train staff to recognize red flags, such as urgent requests, threats of fines, or demands for immediate payment.
  • Establish a single point of contact (like an office manager or compliance lead) for all regulatory matters.
  • Post real compliance procedures in staff areas so team members know how real audits work.


LibertyID Business Solutions provides customer WISP protocols, advanced information security employee training, third-party vendor management tools, and post-breach regulatory response and notification services. This allows businesses to improve the safeguards surrounding their consumers’ private data and head toward a compliant posture in relation to the federal FTC and often overlooked state regulations. Along with the components mentioned, LibertyID Business Solutions includes our gold-standard identity fraud restoration management services for employees and their families.