Valencia County (N.M.) leaders are dealing with the fallout from a $2.02 million email phishing scam that impersonated a construction firm contracted to build the new Los Lunas-based Valencia County Hospital.
Plans for the hospital were shared in April 2024. The 15-bed acute care facility will be owned by the county and operated by Community Hospital Corp. and Albuquerque, N.M.-based Lovelace Health System. It is also backed by $50 million in state investment.
A county employee received an email from someone posing as the construction firm that requested a payment, which was an amount known only to the actual parties involved in the project. The employee paid the sum Jan. 2, with the funds withdrawn Jan. 8, according to a March 12 news release from the county.
The fraud was revealed when the county’s grants director said the construction firm was awaiting payment on an outstanding invoice and the county’s finance director revealed the payment had already been transferred to what was revealed as a fraudulent account.
The incident was immediately reported to the county’s bank, the state auditor and other legal entities. The county’s finance director also resigned March 13. Authorities are working to determine whether the transaction was domestic or international fraud, which will help determine whether the funds can be recovered.
“Fortunately, we have a healthy general fund in Valencia County – grown over the course of many decades – that could ultimately be used to cover these funds for the hospital,” the release said.
Despite the breach, the hospital project remains on track, with construction expected to wrap in August and the facility’s doors anticipated to open in October or November 2026.
The release said phishing simulation tests and cyber-awareness training have been regularly deployed to staff for several years.
“We are continuing to review findings from our independent investigation to help us move forward with greater knowledge about risks and mitigation for the future,” the release said. “We are also ramping up internal phishing tests to ensure employees are aware of what potential fraudulent emails look like and can flag appropriately.”
At the Becker's 11th Annual IT + Revenue Cycle Conference: The Future of AI & Digital Health, taking place September 14–17 in Chicago, healthcare executives and digital leaders from across the country will come together to explore how AI, interoperability, cybersecurity, and revenue cycle innovation are transforming care delivery, strengthening financial performance, and driving the next era of digital health. Apply for complimentary registration now.
