Prosecution of Medicare Cyber Fraud: Part VII of Series

Original story posted on: July 19, 2017

EDITOR'S NOTE: Edward Roche, in association with RACmonitor, is writing a series on the need for U.S. healthcare facilities to protect themselves from cybercriminals demanding ransoms for patient records. This is the seventh installment in the series.

Cybercrime is on everyone’s minds these days, even when there is a Medicare fraud takedown like the one we just saw in response to the opioid epidemic. We would be hard-pressed to identify a contemporary case without cyber evidence. There always are things left behind – electronic footprints – that become an integral part of a case.

In order for our government to search a computer system as part of a criminal investigation, a court order or warrant must be obtained. It is a question of privacy. The protections afforded by the Fourth Amendment apply to computer disk drives in the same way they applied to the homes of the Hessians during the Revolutionary War.

But is that the case for Medicare fraud? Are healthcare claims records private? Generally, the answer is “no.” Why?

The standard that protects the citizenry from improper government surveillance and data searches is “the expectation of privacy.”

This is a loosely defined term, applicable in a number of situations. But when a provider submits its claims to get paid and these claims find their way into the information systems of Medicare, the data becomes government property. So, there is no expectation of privacy for Medicare claims data. That means that anything a provider does automatically is open for inspection.

Not only does all Medicare claims data become available for snooping once it leaves your information system, but when you recheck your contract with the government, you will see that  you have already signed away your rights. Absolutely nothing you do can be confidential, as far as the government is concerned.

Sophisticated algorithms and big-data techniques are used to find outliers to be targeted. For example, the recent U.S. Department of Justice (DOJ) takedown started when the government analyzed all prescriptions written for opioids. It then is a minor matter to identify those providers associated with the highest number of opioid claims.

Hacking Changes the Balance of Power

Today’s hacking epidemic is changing the healthcare environment and twisting inside-out the world of cyber prosecution. We know, for example, that malware viruses can be altered so that they look like they are coming from somewhere else. U.S. malware can be dressed up as Russian malware, or Chinese malware can be made to look like it originated in the United States.

What are the practical implications of this? For one thing, it makes it more difficult to definitively pin the blame on any particular party. This called the attribution problem. Much of the fraud also takes place behind the computer security systems designed to protect. Instead, they shelter.

In Medicare, we have a similar situation. Hackers can steal information, but they also can alter it.

We likely will see the day when the U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) goes after a provider, claiming massive amounts of computer fraud, and the defense will be not that the accused didn’t do it, but that someone else did by hijacking their information system.

If this begins to happen, then there is risk that prosecutions will be thrown into chaos.

Here is the guiding question: Even if the filed claims in question originated from your system, can you be 100 percent sure they all are yours?  The answer is “no.”

The reality is this: There is no healthcare provider than can be completely sure every claim they submit truly originated in their system. And no prosecutor can be sure either. 

Edward Roche, PhD, JD

Edward Roche is the director of scientific intelligence for Barraclough NY, LLC. Mr. Roche is also a member of the California Bar. Prior to his career in health law, he served as the chief research officer of the Gartner Group, a leading ICT advisory firm. He was chief scientist of the Concours Group, both leading IT consulting and research organizations. Mr. Roche is a member of the RACmonitor editorial board as an investigative reporter and is a popular panelist on Monitor Mondays.

This email address is being protected from spambots. You need JavaScript enabled to view it.

Related Articles

  • Provider Audits Hit the Ground Running Following Pause
    Medicare audits expected soon.Federal healthcare audits have resumed, and they are not limited to durable medical equipment (DME) or any one specific group of providers, any one type of contractor, or any one specific locality in the country. Since the…
  • The Audit Algorithm Arms Race in Medicare
    Providers forced to camouflage in mediocrity.  EDITOR’S NOTE: This the first in a series of articles that explores the use of algorithms in the auditing of medical claims. The Centers for Medicare & Medicaid Services (CMS) has pioneered the use of…
  • EXCLUSIVE: Audits Attack Osteopathic Medicine
    The Unified Program Integrity Contractors (UPICs) may need lessons in reading patient notes. Should they be "defunded?" These days, everyone has a horror story about an audit. There are arrogant know-it-alls that show up unexpected, embarrassing the provider in front…