Category Archives: Identity Theft

Program Integrity Federalism

From time to time someone among our newer Chapter members working in the insurance industry reports confronting instances of Medicaid and Medicare fraud for the first time. I thought it might be helpful to present some of the more common health care fraud scenarios that beginning fraud examiners are likely to confront in actual practice in the governmental health care space.

Abuses of the Medicaid and Medicare programs exist in myriad shapes and sizes and continue to evolve constantly. While Medicaid and Medicare fraud, waste and abuse appear to be the most egregious program issues, incidental and accidental waste also threaten program integrity, including outright criminal exploitation of governmental health care payments. Altogether, the overpayment of Medicaid and Medicare dollars represents the largest portion of misused government money, accounting for 59 percent of the $102.2 billion the government improperly distributed among all its agencies in 2017 (ACFE). Issues involving these exorbitantly expensive improper payments can be attributed, in part, to the complexities of the programs themselves and to ever-changing policies among the various states.

It’s important for new anti-fraud practitioners to be aware that while Medicaid and Medicare are considered universal programs, each state is able to operate its own version of the programs autonomously and independent of any collective standard. This autonomy creates wide-ranging policy inconsistencies due to the differences among states, and, in many ways, embodies the ideals of American federalism. How states administer programs like Medicaid and Medicare is largely influenced by the bureaucratic style employed by the state legislature. These variations and inconsistencies can facilitate inaccuracies and misunderstandings in every aspect of both programs, from recipient eligibility, billing protocols, coding standards and licensure requirements. Doctors offering Medicaid or Medicare services are not easily able to transfer their practices from one state to another without first exploring expectations and requirements of the new state. These hard state boundaries create the potential for provider, beneficiary and administrative confusion, which ultimately equates to billions of program dollars misappropriated each year.

Beyond the innocent misappropriation of program dollars are the much more serious problems with the Medicaid and Medicare programs manifesting in the form of illicit and purposeful instances of fraud, waste and abuse perpetrated by recipients and providers. Medicaid and Medicare identity theft (instances of which have been recently investigated by one of our Chapter members) much like general identify theft, has continually resurfaced as a bane since the programs’ inception. It is estimated that three percent of $50 billion of the nation’s annual identity theft losses is associated with some type of medical identity theft. Because of their likelihood of being enrolled in government-facilitated insurance programs like Medicare or Medicaid, individuals aged 50 or older are most likely to fall victim to this type of identity theft. Fraudsters steal these identities to access services, such as prescriptions for drugs with high black-market value i.e. OxyContin, Fentanyl and Morphine, intended for legally enrolled, authorized recipients. Once the prescription is obtained, the thieves sell the drugs for cash or abuse them themselves.

A similar identity theft scheme involves the sale of durable medical equipment prescribed to recipients. By stealing a beneficiary’s Medicaid or Medicare number, the perpetrator can place orders for equipment i.e. slings or braces, all paid for through program dollars, and re-sell the goods online or via newspaper classifieds for cash.

Physicians participating in the Medicaid and Medicare programs also have access to a wide range of possible fraud, waste and abuse schemes. Double billing is a common provider fraud scheme that involves the submission of duplicate claims to Medicaid or Medicare in an attempt to receive double the amount of payment for services that were only provided once. Those physicians wise to the high detectability of billing duplicate claims to either program via simple data analysis will also often send one bill to a private insurance company and a duplicate bill to Medicaid or Medicare so that the duplication does not appear within one data set. Other fraud schemes include up-coding bills to Medicare or Medicaid to represent more complex, lengthy or in-depth procedures when a simpler or lower-level service was actually provided or performed.

Usually, complex procedures are paid at a higher dollar amount than their simpler counterparts, which leads providers to be paid more money than what they actually earned during the office visit or procedure. This fraud scheme takes advantage of small but specific variations in the current procedural terminology (CPT) coding system standardized for both Medicaid and Medicare coverage. Similar to up-coding is the fraudulent unbundling of CPT codes billed as individual entities that per regulation should be grouped together and billed under one umbrella code. Usually, the umbrella code pays a discounted rate for all the services combined. Each individual code gets paid an amount that, when totaled together, equals more than what the umbrella code pays.

Dishonest Medicaid and Medicare providers also bill for services that are not medically necessary. In this scheme, providers perform and bill for services and/or testing beyond what patient need requires. Under this scheme, hospital stays are lengthened, additional diagnostic testing is ordered, entitled hospice enrollment is invoked too early, and equipment and tools are wasted for beneficiaries who really require less care and fewer services. This fraud scheme not only wastes program dollars but also strains other areas of the general healthcare system by inducing and allowing individuals to linger, thus monopolizing unnecessary services and care that could be better applied to other more worthy beneficiaries. But please be aware, while Federal regulation does not contain a definition of medical necessity, states are granted authority to develop and apply medical necessity criteria as they see fit. Providing and billing for services beyond the required needs of the beneficiary may be intentional and/or fraudulent, but because of differing state criteria, instances where unnecessary services are provided and billed may also be simply accidental or well-intentioned.

Anti-fraud professionals of all kinds should also bear in mind that, while Medical identity theft, double billing, up-coding, unbundling and billing for services not medically necessary represent only a portion of the known problems and schemes that weaken the Medicaid and Medicare programs, there are many other types of program fraud, waste and abuse occurring on a daily basis that have yet to be discovered; in this area of practice, expect the unexpected. According to the ACFE, in the past 27 years the Federal government has recovered approximately $24 billion in settlements or judgments against individuals and organizations who committed both accidental and purposeful healthcare fraud, waste and abuse.

On a state level, another $15 billion has been recouped from criminal fines and civil settlements resulting from the prosecution of healthcare fraudsters. While the $39 billion in recovered overpayments from the last 27 years is only enough to cover a small percentage of one year’s total program costs, the amount of overpayment dollars recovered each year by the Federal and state governments is growing exponentially. On average only about $1.4 billion in overpayments was recovered during that time period. However, in 2016 alone, $3.1 billion in healthcare fraud judgments and settlements was recovered by the Federal government. As Medicaid and Medicare fraud, waste and abuse schemes and problems become more prevalent their financial toll increases. Federal and state governments are also detecting and reclaiming money back on a larger scale. This increase can be attributed to developments in policy created to prevent and identify fraud, increased investigative and program integrity funding, and technological improvements in fraud detection programs, databases and software; Certified Fraud Examiners (CFE’s) will increasingly find themselves at the forefront of the effort to strengthen health care program integrity at the Federal level and within each state.

Volunteering for Fraud

identity-theftOur Chapter has a member who has just completed work on an interesting identity theft case.  It seems the victim provided various items of highly specific, identifiable personal information to a local, specialty retailer in exchange for a verbal agreement to provide a discount card and store credit.  Whether the information was subsequently hacked or just carelessly shared, sold or handled by the retailer is still unclear but what is certain is that this identical information was used by fraudsters, with other meta data, to build two different, highly credible, loan applications, one of which was approved by a financial institution.

Our member’s case is an example of the all too real risk posed by voluntarily shared information. In our desire to use services of various kinds – for efficiency, productivity, profit or just for fun – we all seem to find ourselves agreeing to terms and conditions that we may not even see or read or, if we read them, not fully comprehend. A moments reflection would lead any knowledgeable auditor to the conclusion that this amounts to contractual sharing of data even though the “contract” might not even refer to any direct exchange for consideration between the company and the patron, but rather is just for the use of the offeror’s infrastructure; this practice results in trillions of elements of data that the owner of the infrastructure controls, aggregates and uses for its own economic gain.  While simple transactional data associated with the payment process have a definite cycle, voluntarily supplied personal data becomes perpetual. The intentions behind the former are usually tacitly articulated and apply within the realm of the specific payment arrangements between the agreeing parties. In contrast, voluntarily supplied personal data are generally timeless, can be “sliced and diced” using data mining, and can be further masked and shared for the economic gain of the infrastructure owner and of its business partners and, possibly, its customers.

We can think of data volunteerism as the act of volunteering personal information on the part of a user when, in fact, that user might not necessarily want or mean to do so. It’s not so much consent to share personal data, but rather lack of dissent in sharing data. Passivity or inertia on the part of the personal data sharer plays an important role in one’s attraction to data volunteerism. Immediate perceived benefits of seeking the offered services and, thus, benefiting from them, outweigh anything that the user vaguely understands as the costs of doing so under the service provider’s terms and conditions agreed to by the user.

Before clicking the “I agree” button on an agreement of use, how often have we all paused and analyzed the contents of the agreement? Such agreements are generally long, filled with legalese and we feel like we’re wasting time in getting to the services provided by that company or app that just popped the agreement on our screen. According to ACFE, under the prospect theory of decision-making behavior, losses are weighted more heavily than gains. And now here we are, delaying the immediate gratification of using some cool phone service. And so we all fall into the vulnerability of allowing an apparently harmless verbal or written agreement stand in the way of doing something we want to do right now. As with the case of our member’s client, people willingly share personal information when they are nudged by a sales clerk or by a new app on their phone to do so. The perceived immediate benefits seem to outweigh any remotely noticed costs of volunteering the information.

All of this has broad implications for fraud examination and for law enforcement.  Every non-cash payment transaction involves the exchange of personal identifying information on some level.   Bank checks, written contracts, account passwords, phone numbers and a host of other identifying information are both the life blood of the financial system and the continuous targets of every type of thief.  Nothing financial happens until personal data are exchanged and the more aggregated elements of data fraudsters have about anyone at their command the easier their job becomes.

As fraud examiners we should strive to make our clients aware of the general ground rules for the sharing of personal data propagated by the ACFE and others:

  1. The giver must have knowingly consented to the collection, use or disclosure of personal information.
  2. Consent must be obtained in a meaningful way, generally requiring that organizations communicate the purposes for collection, so that the giver will reasonably know and understand how the information will be collected, used or disclosed.
  3. Organizations must create a higher threshold for consent by contemplating different forms of consent depending on the nature of information and its sensitivity.
  4. In a giver-receiver relationship, consent is dynamic and ongoing. It is implied all the time that the giver grants the privilege of use to the information receiver and that the privilege is only good as long as the giver’s consent is not withdrawn.
  5. The receiver has a duty to adequately safeguard the personal data entrusted to it.

A legal definition of consent is hard to find. The common law context suggests that consent is a “freely given agreement.” An agreement, contractual or by choice, implies a particular aim or object. While it is clear that the force of laws and regulations is necessary, in the end, what equally matters is the behavior of the user. Concepts and paradigms such as bounded rationality and prospect theory point to the vulnerability of human users in exercising consent. If that is where the failure occurs, privacy issues will only propagate, not get better. Finally, remember that privacy solutions embedded in the technology to empower users to protect their privacy are only as good as the motivation, knowledge and determination of the user.

As fraud examiners and assurance professionals we have to face the fact that not all our user/clients are equally technology savvy; not all users consider it worth their time to navigate through privacy monitors in a retail store or in an on-line app to feel safe. And generally, all users, indeed all of us, are creatures of bounded rationality.

Costs of cyber crime in 2015 were an estimated US $1.52 billion in the US alone and US $221 billion globally. These criminals find a bonanza if they can successfully perpetrate a data breach in which they break into a system and/or database to steal personally identifiable information (e.g., addresses, social security numbers, financial account numbers), or better yet, data on credit/debit cards.

Data volunteerism nudges people to share more and more personal information. This results in a huge pool of data across companies and institutions. If hard surveillance, such as the use of a camera watching over a parking lot, is concretely vivid, soft surveillance remains buried in the technology, allowing it to work freely on available data and metadata. As this use of data by app providers and others becomes wider and stronger and related frauds proliferate, the public could lose trust in these providers and the loss of trust would translate into loss of sales for the provider. The best way for CFE’s to address these issues for all stakeholders is through client education on the ACFE’s ground rules for self-protection in the sharing of personal information.

Basic Fraud Schemes Targeting Government Health Care Programs

MedicalSome of our newer Chapter members working in the insurance industry report confronting instances of Medicaid and Medicare fraud for the first time.  I thought it might be helpful to present some of the more common health care fraud scenarios that beginning fraud examiners are likely to confront in actual practice in the governmental health care space.  Abuses of the Medicaid and Medicare programs exist in myriad shapes and sizes and continue to evolve constantly. While Medicaid and Medicare fraud, waste and abuse appear to be the most egregious program issues, incidental and accidental waste also threaten program integrity, including outright criminal exploitation of governmental health care payments. Altogether, the overpayment of Medicaid and Medicare dollars represents the largest portion of misused government money, accounting for 59 percent of the $102.2 billion the government improperly distributed among all its agencies in 2014 (ACFE). Issues involving these exorbitantly expensive improper payments can be attributed, in part, to the complexities of the programs themselves and to ever-changing policies among the various states.

It’s important for new anti-fraud practitioners to remember that while Medicaid and Medicare are considered universal programs, each state is able to operate its own version of the programs autonomously and independent of any collective standard. This autonomy creates wide-ranging policy inconsistencies due to the differences among states, and, in many ways, embodies the ideals of American federalism. How states administer programs like Medicaid and Medicare is largely influenced by the bureaucratic style employed by the state legislature. These variations and inconsistencies can facilitate inaccuracies and misunderstandings in every aspect of both programs, from recipient eligibility, billing protocols, coding standards and licensure requirements. Doctors offering Medicaid or Medicare services are not easily able to transfer their practices from one state to another without first exploring expectations and requirements of the new state. These hard state boundaries create the potential for provider, beneficiary and administrative confusion, which ultimately equates to billions of program dollars misappropriated each year.

Beyond the innocent misappropriation of program dollars are the much more serious problems with the Medicaid and Medicare programs manifesting in the form of illicit and purposeful instances of fraud, waste and abuse perpetrated by recipients and providers. Medicaid and Medicare identity theft (instances of which have been recently investigated by one of our Chapter members) much like general identify theft, has continually resurfaced as a bane since both programs’ inception. It is estimated that three percent of $50 billion of the nation’s annual identity theft losses is associated with some type of medical identity theft. Because of their likelihood of being enrolled in government-facilitated insurance programs like Medicare or Medicaid, individuals aged 50 or older are most likely to fall victim to this type of identity theft. Fraudsters steal these identities to access services, such as prescriptions for drugs with high black-market value i.e. OxyContin, Fentanyl and morphine, intended for legally enrolled, authorized recipients. Once the prescription is obtained, the thieves sell the drugs for cash or abuse them themselves.

A similar identity theft scheme involves the sale of durable medical equipment prescribed to recipients. By stealing a beneficiary’s Medicaid or Medicare number, the perpetrator can place orders for equipment i.e. slings or braces, all paid for through program dollars, and re-sell the goods online or via newspaper classifieds for cash.

Physicians participating in the Medicaid and Medicare programs also have access to a wide range of possible fraud, waste and abuse schemes. Double billing is a common provider fraud scheme that involves the submission of duplicate claims to Medicaid or Medicare in an attempt to receive double the amount of payment for services that were only provided once. Those physicians wise to the high detectability of billing duplicate claims to either program via simple data analysis will also often send one bill to a private insurance company and a duplicate bill to Medicaid or Medicare so that the duplication does not appear within one data set.  Other fraud schemes include up-coding bills to Medicare or Medicaid to represent more complex, lengthy or in-depth procedures when a simpler or lower-level service was actually provided or performed.

Usually, complex procedures are paid at a higher dollar amount than their simpler counterparts, which leads providers to be paid more money than what they actually earned during the office visit or procedure. This fraud scheme takes advantage of small but specific variations in the current procedural terminology (CPT) coding system standardized for both Medicaid and Medicare coverage.  Similar to up-coding is the fraudulent unbundling of CPT codes billed as individual entities that per regulation should be grouped together and billed under one umbrella code. Usually, the umbrella code pays a discounted rate for all the services combined. Each individual code gets paid an amount that, when totaled together, equals more than what the umbrella code pays.

Dishonest Medicaid and Medicare providers also bill for services that are not medically necessary. In this scheme, providers perform and bill for services and/or testing beyond what the patient need requires. Under this scheme, hospital stays are lengthened, additional diagnostic testing is ordered, entitled hospice enrollment is invoked too early, and equipment and tools are wasted for beneficiaries who really require less care and fewer services. This fraud scheme not only wastes program dollars but also strains other areas of the general healthcare system by inducing and allowing individuals to linger, thus monopolizing unnecessary services and care that could be better applied to other, more worthy, beneficiaries.  But please be aware … while Federal regulation does not contain a definition of medical necessity, states are granted authority to develop and apply medical necessity criteria as they see fit. Providing and billing for services beyond the required needs of the beneficiary may be intentional and/or fraudulent, but because of differing state criteria, instances where unnecessary services are provided and billed may also be simply accidental or well-intentioned.

Anti-fraud professionals of all kinds should also bear in mind that, while Medical identity theft, double billing, up-coding, unbundling and billing for services not medically necessary represent only a portion of the known problems and schemes that weaken the Medicaid and Medicare programs, there are many other types of program fraud, waste and abuse occurring on a daily basis that have yet to be discovered; in this area of practice, expect the unexpected.

According to the ACFE, in the past 27 years the Federal government has recovered approximately $24 billion in settlements or judgments against individuals and organizations who committed both accidental and purposeful healthcare fraud, waste and abuse. On a state level, another $15 billion has been recouped from criminal fines and civil settlements resulting from the prosecution of healthcare fraudsters.  While the $39 billion in recovered overpayments from the last 27 years is only enough to cover a small percentage of one year’s total program costs, the amount of overpayment dollars recovered each year by the Federal and state governments is growing exponentially.  On average only about $1.4 billion in overpayments was recovered during that time period. However, in 2013 alone, $3.1 billion in healthcare fraud judgments and settlements was recovered by the Federal government. As Medicaid and Medicare fraud, waste and abuse schemes and problems become more prevalent and their financial toll increases. Federal and state governments are also detecting and reclaiming money back on a larger scale. This increase can be attributed to developments in policy created to prevent and identify fraud, increased investigative and program integrity funding, and technological improvements in fraud detection programs, databases and software;  Certified Fraud Examiners (CFE’s) are at the forefront of all these efforts to strengthen health care program integrity at the Federal level and nationwide.

Privacy Impact Analysis

WrenchesI was a participant in a security forum last week in Northern Virginia on the topic of data privacy in general and its implications for fraud examination specifically.   One of my fellow speakers made a very forceful case for the performance of privacy impact analysis by any corporation holding large amounts of customer data.  Her argument was that a privacy impact analysis should be a key component of every corporate security management program.  The objective of this type of assessment is to ensure that the risk of exposing personally identifiable information is contained at every level of  the organization… every business process composing the enterprise needs to be separately assessed for its vulnerability to privacy threats, not just the business functions directly related to information management.

By identifying vulnerabilities throughout the entire book of business processes constituting its enterprise, an organization can significantly reduce the possibility of identity theft occurring at different stages of its business cycle and safeguard the client information entrusted to its care.  My colleague argued that a privacy impact assessment creates a structured process for analyzing non-technical and technical privacy requirements and compliance with relevant regulation, all of which can be dovetailed neatly into the organization’s enterprise risk management (ERM) effort.

For the risks identified by the privacy impact analysis found to be above an acceptable level, our speaker recommended three additional steps. First, conduct the necessary research and fully, not partially, implement appropriate prevention techniques, tools and corporate policy changes.  Second, make sure that there’s a sound, tested recovery plan in place in case of a successful attack involving loss of personal information. Third, develop an effective incident response plan well in advance of an actual attack.  Those of you involved in ERM will be familiar with each of these steps; taken together they demonstrate due diligence and should lessen legal liability somewhat should an unpreventable  breech occur.  This is important because customers and investors alike quickly lose confidence in proportion to any negative corporate news but especially when it’s perceived that the due diligence required to safeguard customer information was absent.  A major event can cause a corporation to lose credibility and business to a competitor  This obviously effects share price which in turn can lead to a sell-off by investors.  Such an occurrence can be devastating to a corporation , possibly to the extent that it cannot recover.

Public policy, embodied in current law, requires that organizations must notify their customers and clients when privacy breeches occur.  These notifications are usually accompanied by a year of free credit bureau oversight or credit watch services so customers can monitor their credit reports for evidence of identity theft; all this remediation is costly and embarrassing and just the sort of situation the privacy impact analysis is designed to prevent.

A final point has to do with employees.  Knowledge is power.  If employees are aware of how identify theft of customer data occurs and succeeds, they can take many steps, as part of their routine daily duties, to prevent it.  So don’t exclude the privacy awareness level of the work force as a critical score element from the privacy impact analysis; if there are identified privacy related weaknesses involving corporate staff, don’t hesitate to address them and quickly.  The ACFE has emphasized in study after study that work force fraud awareness training is one of the most effective fraud deterrence tools there is.

Professional Social Networks and the Scammers

SouthPacificWe all use social networks for a wide variety of personal and professional reasons.  Linking together like minded practitioners can be the life blood of any  professional organization (like our Richmond, Virginia NACFE Chapter)  and has been proven to contribute to elevated levels of public service and customer satisfaction.

Social networks like Facebook and LinkedIn are based on the concept of online identities  that interact together to form a virtual social network.  The identities are created as user profiles that reveal the kind of information the individual user wants to display on the network.  I use my LinkedIn page to share posts on this blog with my professional contacts.

It’s hard to set an appropriate control on user profiles that can guarantee the veracity of  the associated identities completely…scammers are aware of this and take advantage accordingly.  One of the most common techniques used by attackers is the generation of fake profiles.  These profiles can be of celebrities, of spoofed known professionals, or wholly fake identities set up to model a profile designed to be attractive to a certain kind of victim.  Fake profiles can be used for many purposes including the monitoring of users of a certain type, for revenge and for engaging in nefarious businesses of all kinds.

Fake profiles temp users to read malicious content posted on the message walls and in the e-mails used for communication.  Once users visit such profiles, embedded malicious codes start infecting the users with malicious executables.  One infected node (user) can unwittingly infect all her contacts on the network.  From a security perspective, this is a clear case of fraud based on identify assumption, identity fabrication, or identify theft and the type of information present in fake profiles runs the gamut for use in a wide range of scams.  It’s a sad fact that such scams are virtually uncontrollable by the social networks themselves.  The users of every social networking site have fallen victim to such profiles so no network is immune; this is because it’s so hard to restrict the actions of users based simply on information contained in their network profiles.

A spammer might set up a fake e-mail directing a user to a fake profile that uses hyperlinks to redirect the user to a malicious domain.  The rogue profile temps users to visit the domain by presenting them with an attractive link reading, “Click here to view a statement by [the name of a known person].”  Clicking on the link will open the fake statement and download malware used to control the user’s machine.

–Professionals using on-line social networking should educate themselves as to the nature of the malware they can encounter specifically in the form of fake profiles and phishing e-mails.  Collaborate with your fellow professionals and share information about the exploits you’ve experienced or read about.

–Users should secure their browsers by installing appropriate client-side filters, such as NoScript in Mozilla, to nullify the type of malicious scripts that render in browsers.  In short, choose the client side filters that are appropriate for your browser type.

–Don’t click on suspicious hyperlinks. Carefully scrutinize the origin of hyperlinks on professional social network profiles to avoid traps; if you aren’t fully comfortable with a hyperlink, don’t click on it.

–Configure your professional profile by applying the appropriate restrictions provided by standard social networking websites to protect privacy; all the sites have such restrictions…review them and use them.

–Report all suspicious profiles,  messages and e-mails directly to the security team of the professional network you’re using.  This can help administrators apply filters to prevent the affiliated scams.

–Install anti-virus software and keep your operating system patches up-to-date.

The professional networking sites we use represent a virtualized world that can be of great value to us in our careers; the aim of malware is to infect users and steal information.  User ignorance is a big factor in the spread of malware and we all have a responsibility as we enjoy the benefits of professional social networks to keep ourselves and our colleagues as safe as we can

The Elements of Identity Theft – Pod Cast

Anyone, and increasingly any business, can be a victim of identity theft; and it can happen easily. The high rate of occurrence necessitates that Fraud Examiners and the organizations they serve, whether private or public, review security management practices to address this seemingly ever increasing threat.

The use of the victim’s information for financial gain is a material threat, both the individual whose information is stolen and to the custodian institution which is the source of the information. The information used to perpetrate identity theft is a tool that can positively identify the victim. To recommend effective internal and external controls to curb this threat, Fraud Examiners and auditors need to better understand how the criminal uses stolen information to succeed.

Today, it is virtually impossible to conduct any type of financial transaction without collecting and storing personal information (PI). If PI falls into the hands of criminals, it confers on them the ability to impersonate the victim and to represent themselves to banks and other entities as the victim.

Identity theft can be divided into two general categories based on the types of perpetrators involved; internal employees who have access to PI as part of their job duties and professional criminals outside the target organization.

The following pod cast is made available to assist Fraud Examiners in building an understanding of this type of crime and to provide tools to assist their client organizations to identify and implement the categories  of internal controls which can go a long way toward preventing it.

The Elements of Identity Theft – Pod Cast