Another healthcare provider has pleaded guilty to Medicaid fraud.
The North Carolina Department of Justice reports that Dr. Francis Bald, a North Carolina dentist, has pleaded guilty to charges related to falsely billing Medicaid for dental and oral surgery services. The fraud was uncovered by an observant patient who read his Explanation of Benefits (EOB) statement and called the state to report that the dentist had billed for services the patient had never received.
Dr. Bald was one of nine North Carolina health care providers arrested last December as part of a sweep by the Attorney General’s Medicaid Investigations Division. Six of the other providers arrested pleaded guilty earlier this year.
Are patient records altered to support fraudulent billing?
When healthcare providers are attempting to defraud Medicaid, they could (theoretically) just submit bills to Medicaid without altering the patient’s chart or medical records. Then again, they might decide to create a paper trail by altering the patient’s medical records to support the fraudulent claims. And if they do that, there is a health and safety risk to the patients whose records have been altered.
So I looked for additional information on NCDOJ’s site for the cases charged, and there was no reference as to whether patients’ records were altered. Nor was there information on 20 other cases involving healthcare providers who had been charged in 2011.
I contacted Noelle Talley, the Public Information Officer for the NCDOJ and put the question to her. Ms. Talley replied that the North Carolina Medicaid Investigations Division has seen both types of cases: cases where patient records were not tampered with to support claims for fraudulent reimbursement and cases where they were. She was unable to provide any estimate of the proportion of cases that involved alteration of patients’ medical records.
Insider cases for tax refund fraud and Medicaid fraud are under-represented in research on breaches and ID theft
I recently noted my concern that the newest Ponemon survey might not be a representative sample of medical ID theft victims as their sample did not appear to include those whose patient information was stolen for tax refund fraud or misused for Medicaid fraud.
When patients’ information is stolen for tax refund fraud, it can still be considered medical ID theft, but the patients’ medical care is usually not compromised or put at risk. When it’s a healthcare provider defrauding Medicaid, patients’ health and safety are at risk. Fraudulent claims to Medicaid might result in the patient being denied certain treatments or services should they really need them. As seriously, or worse, misinformation inserted in the patient’s medical record to support fraudulent billing might lead to misdiagnosis or mistreatment by another provider or hospital. Although some respondents in the Ponemon survey reported such problems, the survey had no way to verify whether the problems the respondents reported really were causally related to medical ID theft.
To date, I am not aware of any major organization or research institute that has obtained statistics on how often patient data are stolen for tax refund fraud and how often patient records are altered to support Medicaid fraud. If you know of any resources or stats on this, please let me know, although based on the Ponemon findings, any estimate we get is likely to be a significant underestimate, as only half of their respondents even reported becoming victims of medical ID theft.
The biggest risks to healthcare providers are POS hacks? Really?
It’s not just the Ponemon survey I have concerns about in terms of sample representativeness. Verizon’s DBIR “snapshot of the healthcare sector” also left me muttering to myself. Their snapshot was based on 60 cases where data compromise had been confirmed. They report:
For those Healthcare organizations included within the DBIR data set, attacks were almost entirely the work of financially-motivated organized criminal groups acting deliberately and maliciously to steal information. These groups are notorious for knocking over smaller, low-risk targets in droves to nab personal and payment data for various and sundry fraud schemes. Insider jobs proved much less frequent, but they can’t be ignored. When employees do go rogue, their ready access to and knowledge of information assets means they can do quite a bit of damage without expending a lot of effort.
Among public disclosures in the Healthcare sector, the external/internal split is much more balanced. This, however, is largely due to lost laptops and other devices, which expose data and therefore must be reported (these are classified as internal error in VERIS). Examining public breaches with characteristics more in line with what typically winds up in the DBIR (i.e., incidents that require external forensics or law enforcement investigation) yields threat agent ratios that more closely resemble those found in Figure 1.
Their Figure 1 shows 95% of the breaches were external and (only) 5% were internal. Analyzing the subset of breaches that meet their inclusion criteria, they report that 93% of breaches in the healthcare sector involved hacking and 93% involved malware. Strikingly, almost two-thirds of the incidents in their analysis involved compromising or hacking the healthcare facility’s or provider’s POS terminal.
While I do not doubt their analyses and their recommendations make good sense, relying primarily on HHS’s public breach tool and drilling down into that may significantly underestimate the prevalence of insider incidents with confirmed data compromise. I base that on two observations. First: I have covered numerous cases on this blog involving the theft of patient information for tax refund fraud. Less than a handful of those cases have ever shown up in HHS’s breach list. Second: none of the cases involving healthcare provider Medicaid fraud seem to be included in HHS’s public breach list (probably because the provider doesn’t report the breach and law enforcement doesn’t report the breach to HHS, either). So although DBIR appropriately recognizes tax refund fraud incidents as insider cases that should be included (although such cases generally involve external criminal gangs as well), DBIR’s picture of external vs. internal threats still seems off based on what I read every day in my news searching and the breaches I cover on PHIprivacy.net.
We.Need.More.Data.
Not only do we need to start including more incidents where patient data has been stolen by insiders for tax refund fraud schemes, but we also need to start locating and including cases where patients have their data misused by healthcare providers for Medicaid fraud and/or altered to support Medicaid fraud. Without such data, I think we will continue to underestimate the insider threat in the healthcare sector.
According to HHS, Medicaid Fraud Control Units (MFCUs) operate in 49 states and in the District of Columbia. Forty-four of the MFCUs are located within Offices of State Attorneys General; the remaining six are in other state agencies.
So… can we get more data on these insider threats? Do the MFCUs inquire about whether medical records are actually altered and keep track of such instances so that we can obtain information under Freedom of Information requests? It’s time for me/us to find out, I think.