Prosecution of Medicare Cyber Fraud: Part VII of Series

Original story posted on: July 19, 2017

EDITOR'S NOTE: Edward Roche, in association with RACmonitor, is writing a series on the need for U.S. healthcare facilities to protect themselves from cybercriminals demanding ransoms for patient records. This is the seventh installment in the series.

Cybercrime is on everyone’s minds these days, even when there is a Medicare fraud takedown like the one we just saw in response to the opioid epidemic. We would be hard-pressed to identify a contemporary case without cyber evidence. There always are things left behind – electronic footprints – that become an integral part of a case.

In order for our government to search a computer system as part of a criminal investigation, a court order or warrant must be obtained. It is a question of privacy. The protections afforded by the Fourth Amendment apply to computer disk drives in the same way they applied to the homes of the Hessians during the Revolutionary War.

But is that the case for Medicare fraud? Are healthcare claims records private? Generally, the answer is “no.” Why?

The standard that protects the citizenry from improper government surveillance and data searches is “the expectation of privacy.”

This is a loosely defined term, applicable in a number of situations. But when a provider submits its claims to get paid and these claims find their way into the information systems of Medicare, the data becomes government property. So, there is no expectation of privacy for Medicare claims data. That means that anything a provider does automatically is open for inspection.

Not only does all Medicare claims data become available for snooping once it leaves your information system, but when you recheck your contract with the government, you will see that you have already signed away your rights. Absolutely nothing you do can be confidential, as far as the government is concerned.

Sophisticated algorithms and big-data techniques are used to find outliers to be targeted. For example, the recent U.S. Department of Justice (DOJ) takedown started when the government analyzed all prescriptions written for opioids. It then is a minor matter to identify those providers associated with the highest number of opioid claims.

Hacking Changes the Balance of Power

Today’s hacking epidemic is changing the healthcare environment and twisting inside-out the world of cyber prosecution. We know, for example, that malware viruses can be altered so that they look like they are coming from somewhere else. U.S. malware can be dressed up as Russian malware, or Chinese malware can be made to look like it originated in the United States.

What are the practical implications of this? For one thing, it makes it more difficult to definitively pin the blame on any particular party. This is called the attribution problem. Much of the fraud also takes place behind the computer security systems designed to protect. Instead, they shelter.

In Medicare, we have a similar situation. Hackers can steal information, but they also can alter it.

We likely will see the day when the U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) goes after a provider, claiming massive amounts of computer fraud, and the defense will be not that the accused didn’t do it, but that someone else did by hijacking their information system.

If this begins to happen, then there is risk that prosecutions will be thrown into chaos.

Here is the guiding question: Even if the filed claims in question originated from your system, can you be 100 percent sure they all are yours? The answer is “no.”

The reality is this: There is no healthcare provider that can be completely sure every claim they submit truly originated in their system. And no prosecutor can be sure either.

Edward Roche, PhD, JD

Edward Roche is the director of scientific intelligence for Barraclough NY, LLC. Mr. Roche is also a member of the California Bar. Prior to his career in health law, he served as the chief research officer of the Gartner Group, a leading ICT advisory firm. He was chief scientist of the Concours Group, both leading IT consulting and research organizations. Mr. Roche is a member of the RACmonitor editorial board as an investigative reporter and is a popular panelist on Monitor Mondays.
