Prosecution of Medicare Cyber Fraud: Part VII of Series

Original story posted on: July 19, 2017

EDITOR'S NOTE: Edward Roche, in association with RACmonitor, is writing a series on the need for U.S. healthcare facilities to protect themselves from cybercriminals demanding ransoms for patient records. This is the seventh installment in the series.

Cybercrime is on everyone’s minds these days, even when there is a Medicare fraud takedown like the one we just saw in response to the opioid epidemic. We would be hard-pressed to identify a contemporary case without cyber evidence. There always are things left behind – electronic footprints – that become an integral part of a case.

In order for our government to search a computer system as part of a criminal investigation, a court order or warrant must be obtained. It is a question of privacy. The protections afforded by the Fourth Amendment apply to computer disk drives in the same way they applied to the homes of the Hessians during the Revolutionary War.

But is that the case for Medicare fraud? Are healthcare claims records private? Generally, the answer is “no.” Why?

The standard that protects the citizenry from improper government surveillance and data searches is “the expectation of privacy.”

This is a loosely defined term, applicable in a number of situations. But when a provider submits its claims to get paid and these claims find their way into the information systems of Medicare, the data becomes government property. So, there is no expectation of privacy for Medicare claims data. That means that anything a provider does automatically is open for inspection.

Not only does all Medicare claims data become available for snooping once it leaves your information system, but when you recheck your contract with the government, you will see that you have already signed away your rights. Absolutely nothing you do can be confidential, as far as the government is concerned.

Sophisticated algorithms and big-data techniques are used to find outliers to be targeted. For example, the recent U.S. Department of Justice (DOJ) takedown started when the government analyzed all prescriptions written for opioids. It then is a minor matter to identify those providers associated with the highest number of opioid claims.

Hacking Changes the Balance of Power

Today’s hacking epidemic is changing the healthcare environment and twisting inside-out the world of cyber prosecution. We know, for example, that malware viruses can be altered so that they look like they are coming from somewhere else. U.S. malware can be dressed up as Russian malware, or Chinese malware can be made to look like it originated in the United States.

What are the practical implications of this? For one thing, it makes it more difficult to definitively pin the blame on any particular party. This is called the attribution problem. Much of the fraud also takes place behind the computer security systems designed to protect. Instead, they shelter.

In Medicare, we have a similar situation. Hackers can steal information, but they also can alter it.

We likely will see the day when the U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) goes after a provider, claiming massive amounts of computer fraud, and the defense will be not that the accused didn’t do it, but that someone else did by hijacking their information system.

If this begins to happen, then there is a risk that prosecutions will be thrown into chaos.

Here is the guiding question: Even if the filed claims in question originated from your system, can you be 100 percent sure they all are yours? The answer is “no.”

The reality is this: There is no healthcare provider that can be completely sure every claim they submit truly originated in their system. And no prosecutor can be sure either.

Edward Roche, PhD, JD

Edward Roche is the director of scientific intelligence for Barraclough NY, LLC. Mr. Roche is also a member of the California Bar. Prior to his career in health law, he served as the chief research officer of the Gartner Group, a leading ICT advisory firm. He was chief scientist of the Concours Group, both leading IT consulting and research organizations. Mr. Roche is a member of the RACmonitor editorial board as an investigative reporter and is a popular panelist on Monitor Mondays.
