Tag Archives: identity theft

Program Integrity Federalism

From time to time someone among our newer Chapter members working in the insurance industry reports confronting instances of Medicaid and Medicare fraud for the first time. I thought it might be helpful to present some of the more common health care fraud scenarios that beginning fraud examiners are likely to confront in actual practice in the governmental health care space.

Abuses of the Medicaid and Medicare programs exist in myriad shapes and sizes and continue to evolve constantly. While Medicaid and Medicare fraud, waste and abuse appear to be the most egregious program issues, incidental and accidental waste also threaten program integrity, including outright criminal exploitation of governmental health care payments. Altogether, the overpayment of Medicaid and Medicare dollars represents the largest portion of misused government money, accounting for 59 percent of the $102.2 billion the government improperly distributed among all its agencies in 2017 (ACFE). Issues involving these exorbitantly expensive improper payments can be attributed, in part, to the complexities of the programs themselves and to ever-changing policies among the various states.

It’s important for new anti-fraud practitioners to be aware that while Medicaid and Medicare are considered universal programs, each state is able to operate its own version of the programs autonomously and independent of any collective standard. This autonomy creates wide-ranging policy inconsistencies due to the differences among states, and, in many ways, embodies the ideals of American federalism. How states administer programs like Medicaid and Medicare is largely influenced by the bureaucratic style employed by the state legislature. These variations and inconsistencies can facilitate inaccuracies and misunderstandings in every aspect of both programs, from recipient eligibility, billing protocols, coding standards and licensure requirements. Doctors offering Medicaid or Medicare services are not easily able to transfer their practices from one state to another without first exploring expectations and requirements of the new state. These hard state boundaries create the potential for provider, beneficiary and administrative confusion, which ultimately equates to billions of program dollars misappropriated each year.

Beyond the innocent misappropriation of program dollars are the much more serious problems with the Medicaid and Medicare programs manifesting in the form of illicit and purposeful instances of fraud, waste and abuse perpetrated by recipients and providers. Medicaid and Medicare identity theft (instances of which have been recently investigated by one of our Chapter members), much like general identity theft, has continually resurfaced as a bane since the programs’ inception. It is estimated that three percent of $50 billion of the nation’s annual identity theft losses is associated with some type of medical identity theft. Because of their likelihood of being enrolled in government-facilitated insurance programs like Medicare or Medicaid, individuals aged 50 or older are most likely to fall victim to this type of identity theft. Fraudsters steal these identities to access services, such as prescriptions for drugs with high black-market value (e.g., OxyContin, Fentanyl and Morphine) intended for legally enrolled, authorized recipients. Once the prescription is obtained, the thieves sell the drugs for cash or abuse them themselves.

A similar identity theft scheme involves the sale of durable medical equipment prescribed to recipients. By stealing a beneficiary’s Medicaid or Medicare number, the perpetrator can place orders for equipment, e.g., slings or braces, all paid for through program dollars, and re-sell the goods online or via newspaper classifieds for cash.

Physicians participating in the Medicaid and Medicare programs also have access to a wide range of possible fraud, waste and abuse schemes. Double billing is a common provider fraud scheme that involves the submission of duplicate claims to Medicaid or Medicare in an attempt to receive double the amount of payment for services that were only provided once. Those physicians wise to the high detectability of billing duplicate claims to either program via simple data analysis will also often send one bill to a private insurance company and a duplicate bill to Medicaid or Medicare so that the duplication does not appear within one data set. Other fraud schemes include up-coding bills to Medicare or Medicaid to represent more complex, lengthy or in-depth procedures when a simpler or lower-level service was actually provided or performed.

Usually, complex procedures are paid at a higher dollar amount than their simpler counterparts, which leads providers to be paid more money than what they actually earned during the office visit or procedure. This fraud scheme takes advantage of small but specific variations in the current procedural terminology (CPT) coding system standardized for both Medicaid and Medicare coverage. Similar to up-coding is the fraudulent unbundling of CPT codes billed as individual entities that per regulation should be grouped together and billed under one umbrella code. Usually, the umbrella code pays a discounted rate for all the services combined. Each individual code gets paid an amount that, when totaled together, equals more than what the umbrella code pays.
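As an added illustration (not part of the original post), the Python sketch below shows the kind of simple data analysis that surfaces double billing and unbundling, and why splitting duplicate bills between a private insurer and Medicare hides them until the two data sets are combined. Every claim record, provider and beneficiary ID, service code, rate and the bundling rule is a constructed placeholder, not a real CPT code or payment amount.

```python
from collections import defaultdict

# Constructed sample claims: IDs, codes, dates and amounts are all made up.
CLAIMS = [
    {"claim_id": "C1", "payer": "medicare", "provider": "P100",
     "beneficiary": "B1", "date": "2017-03-01", "code": "SVC-A", "paid": 80.0},
    {"claim_id": "C2", "payer": "medicare", "provider": "P100",
     "beneficiary": "B1", "date": "2017-03-01", "code": "SVC-A", "paid": 80.0},
    {"claim_id": "C3", "payer": "medicare", "provider": "P200",
     "beneficiary": "B2", "date": "2017-03-05", "code": "SVC-B", "paid": 120.0},
    {"claim_id": "C4", "payer": "private", "provider": "P200",
     "beneficiary": "B2", "date": "2017-03-05", "code": "SVC-B", "paid": 120.0},
    {"claim_id": "C5", "payer": "medicaid", "provider": "P300",
     "beneficiary": "B3", "date": "2017-04-10", "code": "TEST-X", "paid": 25.0},
    {"claim_id": "C6", "payer": "medicaid", "provider": "P300",
     "beneficiary": "B3", "date": "2017-04-10", "code": "TEST-Y", "paid": 25.0},
    {"claim_id": "C7", "payer": "medicaid", "provider": "P300",
     "beneficiary": "B3", "date": "2017-04-10", "code": "TEST-Z", "paid": 30.0},
    {"claim_id": "C8", "payer": "medicaid", "provider": "P400",
     "beneficiary": "B4", "date": "2017-04-11", "code": "PANEL-1", "paid": 60.0},
]

# Hypothetical bundling rule: umbrella code -> (component codes, umbrella rate).
BUNDLES = {"PANEL-1": ({"TEST-X", "TEST-Y", "TEST-Z"}, 60.0)}


def find_duplicates(claims):
    """Group claims by (provider, beneficiary, date, code).

    Returns (same_payer, cross_payer): duplicates billed to one payer, and
    the same service billed to more than one payer.
    """
    groups = defaultdict(list)
    for c in claims:
        key = (c["provider"], c["beneficiary"], c["date"], c["code"])
        groups[key].append(c)

    same_payer, cross_payer = [], []
    for group in groups.values():
        if len(group) < 2:
            continue
        by_payer = defaultdict(list)
        for c in group:
            by_payer[c["payer"]].append(c["claim_id"])
        for payer, ids in by_payer.items():
            if len(ids) > 1:
                same_payer.append((payer, sorted(ids)))
        if len(by_payer) > 1:
            cross_payer.append(sorted(c["claim_id"] for c in group))
    return same_payer, cross_payer


def find_unbundling(claims, bundles):
    """Flag visits where every component of a bundle was billed separately,
    the umbrella code was not billed, and the total exceeds the umbrella rate."""
    per_visit = defaultdict(dict)  # visit -> {code: total paid}
    for c in claims:
        visit = (c["payer"], c["provider"], c["beneficiary"], c["date"])
        per_visit[visit][c["code"]] = per_visit[visit].get(c["code"], 0.0) + c["paid"]

    findings = []
    for visit, codes in per_visit.items():
        for umbrella, (components, rate) in bundles.items():
            if components.issubset(codes) and umbrella not in codes:
                total = sum(codes[k] for k in components)
                if total > rate:
                    findings.append({"visit": visit, "umbrella": umbrella,
                                     "overpaid": round(total - rate, 2)})
    return findings


if __name__ == "__main__":
    same, cross = find_duplicates(CLAIMS)
    print("same-payer duplicates:", same)
    print("cross-payer duplicates:", cross)
    # A program-only view (no private-insurer data) misses the split billing.
    program_only = [c for c in CLAIMS if c["payer"] != "private"]
    print("cross-payer, program data only:", find_duplicates(program_only)[1])
    print("unbundling:", find_unbundling(CLAIMS, BUNDLES))
```

A flagged pair is a lead for review rather than proof of fraud, since legitimate coordination of benefits between payers can also produce matching records.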

Dishonest Medicaid and Medicare providers also bill for services that are not medically necessary. In this scheme, providers perform and bill for services and/or testing beyond what patient need requires. Under this scheme, hospital stays are lengthened, additional diagnostic testing is ordered, entitled hospice enrollment is invoked too early, and equipment and tools are wasted for beneficiaries who really require less care and fewer services. This fraud scheme not only wastes program dollars but also strains other areas of the general healthcare system by inducing and allowing individuals to linger, thus monopolizing unnecessary services and care that could be better applied to other more worthy beneficiaries. But please be aware, while Federal regulation does not contain a definition of medical necessity, states are granted authority to develop and apply medical necessity criteria as they see fit. Providing and billing for services beyond the required needs of the beneficiary may be intentional and/or fraudulent, but because of differing state criteria, instances where unnecessary services are provided and billed may also be simply accidental or well-intentioned.

Anti-fraud professionals of all kinds should also bear in mind that, while medical identity theft, double billing, up-coding, unbundling and billing for services not medically necessary represent only a portion of the known problems and schemes that weaken the Medicaid and Medicare programs, there are many other types of program fraud, waste and abuse occurring on a daily basis that have yet to be discovered; in this area of practice, expect the unexpected. According to the ACFE, in the past 27 years the Federal government has recovered approximately $24 billion in settlements or judgments against individuals and organizations who committed both accidental and purposeful healthcare fraud, waste and abuse.

On a state level, another $15 billion has been recouped from criminal fines and civil settlements resulting from the prosecution of healthcare fraudsters. While the $39 billion in recovered overpayments from the last 27 years is only enough to cover a small percentage of one year’s total program costs, the amount of overpayment dollars recovered each year by the Federal and state governments is growing exponentially. On average only about $1.4 billion in overpayments was recovered during that time period. However, in 2016 alone, $3.1 billion in healthcare fraud judgments and settlements was recovered by the Federal government. As Medicaid and Medicare fraud, waste and abuse schemes and problems become more prevalent, their financial toll increases. Federal and state governments are also detecting and reclaiming money back on a larger scale. This increase can be attributed to developments in policy created to prevent and identify fraud, increased investigative and program integrity funding, and technological improvements in fraud detection programs, databases and software; Certified Fraud Examiners (CFE’s) will increasingly find themselves at the forefront of the effort to strengthen health care program integrity at the Federal level and within each state.

Volunteering for Fraud

Our Chapter has a member who has just completed work on an interesting identity theft case. It seems the victim provided various items of highly specific, identifiable personal information to a local, specialty retailer in exchange for a verbal agreement to provide a discount card and store credit. Whether the information was subsequently hacked or just carelessly shared, sold or handled by the retailer is still unclear, but what is certain is that this identical information was used by fraudsters, with other metadata, to build two different, highly credible loan applications, one of which was approved by a financial institution.

Our member’s case is an example of the all too real risk posed by voluntarily shared information. In our desire to use services of various kinds – for efficiency, productivity, profit or just for fun – we all seem to find ourselves agreeing to terms and conditions that we may not even see or read or, if we read them, not fully comprehend. A moment’s reflection would lead any knowledgeable auditor to the conclusion that this amounts to contractual sharing of data even though the “contract” might not even refer to any direct exchange for consideration between the company and the patron, but rather is just for the use of the offeror’s infrastructure; this practice results in trillions of elements of data that the owner of the infrastructure controls, aggregates and uses for its own economic gain. While simple transactional data associated with the payment process have a definite cycle, voluntarily supplied personal data becomes perpetual. The intentions behind the former are usually tacitly articulated and apply within the realm of the specific payment arrangements between the agreeing parties. In contrast, voluntarily supplied personal data are generally timeless, can be “sliced and diced” using data mining, and can be further masked and shared for the economic gain of the infrastructure owner and of its business partners and, possibly, its customers.

We can think of data volunteerism as the act of volunteering personal information on the part of a user when, in fact, that user might not necessarily want or mean to do so. It’s not so much consent to share personal data, but rather lack of dissent in sharing data. Passivity or inertia on the part of the personal data sharer plays an important role in one’s attraction to data volunteerism. Immediate perceived benefits of seeking the offered services and, thus, benefiting from them, outweigh anything that the user vaguely understands as the costs of doing so under the service provider’s terms and conditions agreed to by the user.

Before clicking the “I agree” button on an agreement of use, how often have we all paused and analyzed the contents of the agreement? Such agreements are generally long, filled with legalese and we feel like we’re wasting time in getting to the services provided by that company or app that just popped the agreement on our screen. According to ACFE, under the prospect theory of decision-making behavior, losses are weighted more heavily than gains. And now here we are, delaying the immediate gratification of using some cool phone service. And so we all fall into the vulnerability of allowing an apparently harmless verbal or written agreement stand in the way of doing something we want to do right now. As with the case of our member’s client, people willingly share personal information when they are nudged by a sales clerk or by a new app on their phone to do so. The perceived immediate benefits seem to outweigh any remotely noticed costs of volunteering the information.

All of this has broad implications for fraud examination and for law enforcement.  Every non-cash payment transaction involves the exchange of personal identifying information on some level.   Bank checks, written contracts, account passwords, phone numbers and a host of other identifying information are both the life blood of the financial system and the continuous targets of every type of thief.  Nothing financial happens until personal data are exchanged and the more aggregated elements of data fraudsters have about anyone at their command the easier their job becomes.

As fraud examiners we should strive to make our clients aware of the general ground rules for the sharing of personal data propagated by the ACFE and others:

  1. The giver must have knowingly consented to the collection, use or disclosure of personal information.
  2. Consent must be obtained in a meaningful way, generally requiring that organizations communicate the purposes for collection, so that the giver will reasonably know and understand how the information will be collected, used or disclosed.
  3. Organizations must create a higher threshold for consent by contemplating different forms of consent depending on the nature of information and its sensitivity.
  4. In a giver-receiver relationship, consent is dynamic and ongoing. It is implied all the time that the giver grants the privilege of use to the information receiver and that the privilege is only good as long as the giver’s consent is not withdrawn.
  5. The receiver has a duty to adequately safeguard the personal data entrusted to it.

A legal definition of consent is hard to find. The common law context suggests that consent is a “freely given agreement.” An agreement, contractual or by choice, implies a particular aim or object. While it is clear that the force of laws and regulations is necessary, in the end, what equally matters is the behavior of the user. Concepts and paradigms such as bounded rationality and prospect theory point to the vulnerability of human users in exercising consent. If that is where the failure occurs, privacy issues will only propagate, not get better. Finally, remember that privacy solutions embedded in the technology to empower users to protect their privacy are only as good as the motivation, knowledge and determination of the user.

As fraud examiners and assurance professionals we have to face the fact that not all our user/clients are equally technology savvy; not all users consider it worth their time to navigate through privacy monitors in a retail store or in an on-line app to feel safe. And generally, all users, indeed all of us, are creatures of bounded rationality.

Costs of cyber crime in 2015 were an estimated US $1.52 billion in the US alone and US $221 billion globally. These criminals find a bonanza if they can successfully perpetrate a data breach in which they break into a system and/or database to steal personally identifiable information (e.g., addresses, social security numbers, financial account numbers), or better yet, data on credit/debit cards.

Data volunteerism nudges people to share more and more personal information. This results in a huge pool of data across companies and institutions. If hard surveillance, such as the use of a camera watching over a parking lot, is concretely vivid, soft surveillance remains buried in the technology, allowing it to work freely on available data and metadata. As this use of data by app providers and others becomes wider and stronger and related frauds proliferate, the public could lose trust in these providers and the loss of trust would translate into loss of sales for the provider. The best way for CFE’s to address these issues for all stakeholders is through client education on the ACFE’s ground rules for self-protection in the sharing of personal information.

Basic Fraud Schemes Targeting Government Health Care Programs

Some of our newer Chapter members working in the insurance industry report confronting instances of Medicaid and Medicare fraud for the first time. I thought it might be helpful to present some of the more common health care fraud scenarios that beginning fraud examiners are likely to confront in actual practice in the governmental health care space. Abuses of the Medicaid and Medicare programs exist in myriad shapes and sizes and continue to evolve constantly. While Medicaid and Medicare fraud, waste and abuse appear to be the most egregious program issues, incidental and accidental waste also threaten program integrity, including outright criminal exploitation of governmental health care payments. Altogether, the overpayment of Medicaid and Medicare dollars represents the largest portion of misused government money, accounting for 59 percent of the $102.2 billion the government improperly distributed among all its agencies in 2014 (ACFE). Issues involving these exorbitantly expensive improper payments can be attributed, in part, to the complexities of the programs themselves and to ever-changing policies among the various states.

It’s important for new anti-fraud practitioners to remember that while Medicaid and Medicare are considered universal programs, each state is able to operate its own version of the programs autonomously and independent of any collective standard. This autonomy creates wide-ranging policy inconsistencies due to the differences among states, and, in many ways, embodies the ideals of American federalism. How states administer programs like Medicaid and Medicare is largely influenced by the bureaucratic style employed by the state legislature. These variations and inconsistencies can facilitate inaccuracies and misunderstandings in every aspect of both programs, from recipient eligibility, billing protocols, coding standards and licensure requirements. Doctors offering Medicaid or Medicare services are not easily able to transfer their practices from one state to another without first exploring expectations and requirements of the new state. These hard state boundaries create the potential for provider, beneficiary and administrative confusion, which ultimately equates to billions of program dollars misappropriated each year.

Beyond the innocent misappropriation of program dollars are the much more serious problems with the Medicaid and Medicare programs manifesting in the form of illicit and purposeful instances of fraud, waste and abuse perpetrated by recipients and providers. Medicaid and Medicare identity theft (instances of which have been recently investigated by one of our Chapter members), much like general identity theft, has continually resurfaced as a bane since both programs’ inception. It is estimated that three percent of $50 billion of the nation’s annual identity theft losses is associated with some type of medical identity theft. Because of their likelihood of being enrolled in government-facilitated insurance programs like Medicare or Medicaid, individuals aged 50 or older are most likely to fall victim to this type of identity theft. Fraudsters steal these identities to access services, such as prescriptions for drugs with high black-market value (e.g., OxyContin, Fentanyl and morphine) intended for legally enrolled, authorized recipients. Once the prescription is obtained, the thieves sell the drugs for cash or abuse them themselves.

A similar identity theft scheme involves the sale of durable medical equipment prescribed to recipients. By stealing a beneficiary’s Medicaid or Medicare number, the perpetrator can place orders for equipment, e.g., slings or braces, all paid for through program dollars, and re-sell the goods online or via newspaper classifieds for cash.

Physicians participating in the Medicaid and Medicare programs also have access to a wide range of possible fraud, waste and abuse schemes. Double billing is a common provider fraud scheme that involves the submission of duplicate claims to Medicaid or Medicare in an attempt to receive double the amount of payment for services that were only provided once. Those physicians wise to the high detectability of billing duplicate claims to either program via simple data analysis will also often send one bill to a private insurance company and a duplicate bill to Medicaid or Medicare so that the duplication does not appear within one data set.  Other fraud schemes include up-coding bills to Medicare or Medicaid to represent more complex, lengthy or in-depth procedures when a simpler or lower-level service was actually provided or performed.

Usually, complex procedures are paid at a higher dollar amount than their simpler counterparts, which leads providers to be paid more money than what they actually earned during the office visit or procedure. This fraud scheme takes advantage of small but specific variations in the current procedural terminology (CPT) coding system standardized for both Medicaid and Medicare coverage.  Similar to up-coding is the fraudulent unbundling of CPT codes billed as individual entities that per regulation should be grouped together and billed under one umbrella code. Usually, the umbrella code pays a discounted rate for all the services combined. Each individual code gets paid an amount that, when totaled together, equals more than what the umbrella code pays.

Dishonest Medicaid and Medicare providers also bill for services that are not medically necessary. In this scheme, providers perform and bill for services and/or testing beyond what the patient need requires. Under this scheme, hospital stays are lengthened, additional diagnostic testing is ordered, entitled hospice enrollment is invoked too early, and equipment and tools are wasted for beneficiaries who really require less care and fewer services. This fraud scheme not only wastes program dollars but also strains other areas of the general healthcare system by inducing and allowing individuals to linger, thus monopolizing unnecessary services and care that could be better applied to other, more worthy, beneficiaries.  But please be aware … while Federal regulation does not contain a definition of medical necessity, states are granted authority to develop and apply medical necessity criteria as they see fit. Providing and billing for services beyond the required needs of the beneficiary may be intentional and/or fraudulent, but because of differing state criteria, instances where unnecessary services are provided and billed may also be simply accidental or well-intentioned.

Anti-fraud professionals of all kinds should also bear in mind that, while medical identity theft, double billing, up-coding, unbundling and billing for services not medically necessary represent only a portion of the known problems and schemes that weaken the Medicaid and Medicare programs, there are many other types of program fraud, waste and abuse occurring on a daily basis that have yet to be discovered; in this area of practice, expect the unexpected.

According to the ACFE, in the past 27 years the Federal government has recovered approximately $24 billion in settlements or judgments against individuals and organizations who committed both accidental and purposeful healthcare fraud, waste and abuse. On a state level, another $15 billion has been recouped from criminal fines and civil settlements resulting from the prosecution of healthcare fraudsters. While the $39 billion in recovered overpayments from the last 27 years is only enough to cover a small percentage of one year’s total program costs, the amount of overpayment dollars recovered each year by the Federal and state governments is growing exponentially. On average only about $1.4 billion in overpayments was recovered during that time period. However, in 2013 alone, $3.1 billion in healthcare fraud judgments and settlements was recovered by the Federal government. As Medicaid and Medicare fraud, waste and abuse schemes and problems become more prevalent and their financial toll increases, Federal and state governments are also detecting and reclaiming money back on a larger scale. This increase can be attributed to developments in policy created to prevent and identify fraud, increased investigative and program integrity funding, and technological improvements in fraud detection programs, databases and software; Certified Fraud Examiners (CFE’s) are at the forefront of all these efforts to strengthen health care program integrity at the Federal level and nationwide.

The Classification of Cyber-Crime

The Central Virginia Chapter of Certified Fraud Examiners (RVACFES), in cooperation with our venue partner the Virginia State Police, is initiating a series of quarterly luncheon meetings for our Chapter members and guests on various cutting edge fraud investigation topics. We’re hoping to have the first such meeting in May or June, 2014 on the topic of cyber crime and its investigation. To set the stage for the meeting, I thought I’d do a short post on the classification of the various types of cyber crime that a fraud examiner new to the profession might expect to encounter in actual practice. As computer assisted crimes have escalated exponentially over the last year, every fraud examiner needs to be aware of the risks associated with cyber crime perpetrated against a client entity of interest, and especially of those perpetrated using the entity’s own systems (as in the recent Target case).

Computer intrusion schemes. These types of schemes include cyber-crimes or preparatory exploits perpetrated against an entity resulting, directly or indirectly, in a quantifiable loss from an illegal or unethical act. The area of concern most in the news of late is industrial espionage featuring the theft of customer, financial or intellectual property related data. Some countries seem to support their citizens engaging in this type of hacking related activity against entities in other countries and some governments engage in espionage directly for what appears to be a whole host of different reasons. Entities subject to this risk (and areas of related concern) include, among others, national retail chains, aeronautics firms, space systems, armaments, energetic materials, chemical systems, biologic systems, kinetic energy systems and enterprises engaged in weapons countermeasures. Other areas of computer intrusion include unauthorized access to information or data from an entity’s own computer systems, infecting computers with viruses and other forms of malware and infrastructure attacks such as denials of service.

Intellectual property rights. Intellectual property is increasingly available by electronic means, e.g., copyrighted books or materials that have been digitized. An example of a cyber-crime involving intellectual property is the illegal use or duplication of software. Differing international laws and customs complicate this issue; many copyright laws protect software products in one country, but not in another. Cyber attacks originating from outside the target country are difficult to prosecute if the countries involved don’t have similar laws.

Credit card fraud. The Association of Certified Fraud Examiners reports that some criminals, who formerly would not have been criminals or would have been traditional street criminals (engaged in localized drug sales, extortion or loan sharking), are taking advantage of readily available hacking software tools for sale on the internet, to engage in credit card theft targeting big name retailers as a means of simply earning a living. Organized crime world-wide is increasingly turning to cyber-crime, including credit card and identity theft, online gambling, online extortion, online narcotic sales and cyber terrorism as opposed to the street-based activities associated with the organized crime of the past.

Identity theft. This is the cyber crime most familiar to the general public because it’s the most reported on in every category of media. It includes the ubiquitous phishing schemes targeting every e-mail user, in endless variation, whose goal is to steal someone’s identity for the purpose of gaining unauthorized access to credit or financial assets. I dare say every one of the readers of this blog has received a phishing e-mail in the last week. In addition, every one of your corporate client entities can have its identity stolen by web-site hijacking. Cyber criminals spoof the company website of a real enterprise and, using e-mail or other means, drive customers and others to the phony website where the cyber criminals capture personal and private information.

Money laundering.  Banks and certain other financial institutions have to file suspicious activity reports (SAR’s) for identified suspicious activities, originally as a result of terrorist attacks and related, subsequently imposed regulations.  Many of the identified activities that turn into Federal investigations deal with money laundering.  Money laundering  doesn’t necessarily involve computers but wire transfers are used constantly to facilitate these types of schemes.  Areas of concern include offshore money-laundering web sites, illegal or unauthorized wire transfers and similar activities.

Every fraud examiner needs to be aware of the possible cyber-crime scenarios relevant to the fraud scheme(s) involved in whatever examination she’s currently conducting or is being asked to conduct—increasingly, investigative skills related to cyber schemes will constitute a substantial percentage of the foundation for modern fraud examination. The specific risks and applicable cyber-crimes can be expected to vary from examination to examination but the necessity for a general knowledge of cyber-crime and how to investigate it can be expected to pose an increasing challenge for the conduct of any thorough fraud examination.

Please make plans to join us on April 16-17th, 2014 for the Central Virginia Chapter’s seminar on the Topic of Introduction to Fraud Examination for 16 CPE ($200.00 for early Registration)! For details see our Prior Post entitled, “Save the Date”!

The Elements of Identity Theft – Pod Cast

Anyone, and increasingly any business, can be a victim of identity theft; and it can happen easily. The high rate of occurrence necessitates that Fraud Examiners and the organizations they serve, whether private or public, review security management practices to address this seemingly ever increasing threat.

The use of the victim’s information for financial gain is a material threat, both to the individual whose information is stolen and to the custodian institution which is the source of the information. The information used to perpetrate identity theft is a tool that can positively identify the victim. To recommend effective internal and external controls to curb this threat, Fraud Examiners and auditors need to better understand how the criminal uses stolen information to succeed.

Today, it is virtually impossible to conduct any type of financial transaction without collecting and storing personal information (PI). If PI falls into the hands of criminals, it confers on them the ability to impersonate the victim and to represent themselves to banks and other entities as the victim.

Identity theft can be divided into two general categories based on the types of perpetrators involved; internal employees who have access to PI as part of their job duties and professional criminals outside the target organization.

The following pod cast is made available to assist Fraud Examiners in building an understanding of this type of crime and to provide tools to assist their client organizations to identify and implement the categories  of internal controls which can go a long way toward preventing it.

The Elements of Identity Theft – Pod Cast