
The Biggest Medicare Fraud Cases of 2015

Medicare does not keep records of how much it loses annually because of fraud, but the FBI, which oversees the investigation and prosecution of those alleged to have participated in fraud, estimates that 3% to 10% of all Medicare billings are fraudulent. The FBI task force believes that healthcare fraud costs taxpayers “tens of billions of dollars a year.”

Here is an overview of some of the biggest Medicare fraud cases of 2015:

  1. In June 2015, 243 healthcare providers across the country were charged individually with Medicare fraud. This was the largest coordinated takedown in the history of the National Medicare Fraud Strike Force. Doctors, nurses, pharmacists, home health workers and other healthcare professionals were all indicted for falsely billing Medicare for approximately $712 million in various fraudulent schemes. The healthcare providers allegedly:
  • Billed for services that were not rendered
  • Charged for equipment that was never delivered
  • Billed for care that was not needed

Specific criminal charges include:

  • Conspiracy to commit healthcare fraud
  • Violating anti-kickback statutes
  • Money laundering
  • Identity theft

Healthcare providers nationally were included in the sweep of the task force. Charges were brought in Texas, Louisiana, Florida, California, New York and elsewhere. The defendants face years in prison in addition to having their assets forfeited to the government and having to repay the amount of money they fraudulently obtained.

In a press release announcing the takedown, the attorney general for the U.S. expressed the commitment of the Department of Justice to continue its “focus on preventing wrongdoing and prosecuting those whose criminal activity drives up medical costs and jeopardizes a system that our citizens trust with their lives.”

  2. Also in June 2015, the former president of a Houston hospital was sentenced to more than 40 years in federal prison and ordered to pay $46.8 million in restitution to Medicare. His son and two other co-conspirators were also found guilty of receiving kickbacks, conspiracy to commit Medicare fraud and money laundering. The scheme involved billing Medicare for psychiatric services that were never provided to patients. The total amount of money fraudulently received by all participants was estimated to equal $158 million.
  3. In October 2015, Millennium Health in Boston, formerly Millennium Laboratories, admitted to billing Medicare and other governmental healthcare programs more than $256 million for laboratory tests that were either unnecessary or never actually performed. The lab also provided kickbacks to physicians for referring patients for testing. Millennium, with headquarters in San Diego, is one of the largest urine-testing laboratories in the U.S. According to the Massachusetts U.S. attorney, “Millennium promoted indiscriminate and unnecessary testing that increased medical costs without serving patients’ real medical needs. A laboratory which knowingly conducts medically unnecessary testing operates unlawfully and squanders our precious federal health care resources.”
  4. In August 2015, a New York man who operated several healthcare clinics for treating HIV/AIDS patients was sentenced to more than seven years in federal prison for defrauding Medicare out of more than $31 million. He billed for treatment that patients did not need and often were not given. Medicare was billed for infusion or IV treatment for many patients who never received treatment. Some patients who were provided infusion therapy were administered doses that were highly diluted.
  5. Two psychologists were recently added to an indictment to join two of their cohorts who had previously been charged with defrauding Medicare of more than $25 million. The psychologists are owners of two companies that provide psychological testing to nursing home patients in four Gulf Coast states: Alabama, Florida, Louisiana and Mississippi. The problem is that the psychologists allegedly billed Medicare for tests that were not medically necessary and, in many cases, were never performed. The case is pending, and the press release notes that the defendants are presumed innocent until proven guilty.

The Medicare Fraud Strike Force, since its formation in March 2007, has charged 2,300 defendants with fraudulently billing more than a total of $7 billion. The task force is committed to continuing its work to hold providers accountable so that the number of fraudulent providers will decrease.

Unclaimed Funds Can Lead to Data Breaches

When it comes to privacy, not all states are alike. This was confirmed yet again in the 50 State Compendium of Unclaimed Property Practices we compiled. The compendium ranks the amount of personal data that state treasuries expose during the process by which individuals can collect unclaimed funds. The data exposed can provide fraudsters with a crime exacta: claiming money that no one will ever miss and gathering various nuggets of personal data that can help facilitate other types of identity theft. The takeaway: Some states provide way too much data to anyone who is in the business of exploiting consumer information.

For those who take their privacy seriously, the baseline of our compendium—inclusion in a list of people with unclaimed funds or property—may in itself be unacceptable. For others, finding their name on an unclaimed property list isn’t a huge deal. In fact, two people on our team found unclaimed property in the New York database (I was one of them) while putting together the 50-state compendium, and there were no panic attacks.

That said, there is a reason to feel uncomfortable—or even outright concerned—to find your name on a list of people with unclaimed property. After all, you didn’t give anyone permission to put it there. The way a person manages her affairs (or doesn’t) should not be searchable on a public database like a scarlet letter just waiting to be publicized.

Then there’s the more practical reason that it matters. Identity thieves rely on sloppiness. Scams thrive where there is a lack of vigilance (lamentably, a lifestyle choice for many Americans despite the rise of identity-related crimes). The crux of the problem when it comes to reporting unclaimed property: It’s impossible to be guarded and careful about something you don’t even know exists, and, of course, it’s much easier to steal something if you know that it does.

The worst of the state unclaimed property databases provide a target-rich environment for thieves interested in grabbing the more than $58 billion in unclaimed funds held by agencies at the state level across the country.

States’ response to questions about public database

When we asked for comment from the eight states that received the worst rating in our compendium—California, Hawaii, Indiana, Iowa, Nevada, South Dakota, Texas and Wisconsin—five replied. In an effort to continue the dialogue around this all-too-important topic, here are a few of the responses from the states:

— California said: “The California state controller has a fraud detection unit that takes proactive measures to ensure property is returned to the rightful owners. We have no evidence that the limited online information leads to fraud.”

The “limited online information” available to the public on the California database provides name, street addresses, the company that held the unclaimed funds and the exact amount owed unless the property is something with a movable valuation like equity or commodities. To give just one example, we found a $50 credit at Tiffany associated with a very public figure. We were able to verify it because the address listed in the California database had been referenced in a New York Times article about the person of interest. Just those data points could be used by a scammer to trick Tiffany or the owner of the unclaimed property (or the owner’s representatives) into handing over more information (to be used elsewhere in the commission of fraud) or money (a finder’s fee is a common ruse) or both.

This policy seems somewhat at odds with California’s well-earned reputation as one of the most consumer-friendly states in the nation when it comes to data privacy and security.

— Hawaii’s response: “We carefully evaluated the amount and type of information to be provided and consulted with our legal counsel to ensure that no sensitive personal information was being provided.”

My response: Define “sensitive.” These days, name, address and email address (reflect upon the millions of these that are “out there” in the wake of the Target and Home Depot breaches) are all scammers need to start exploiting your identity. The more information they have, the more opportunities they can create, leveraging that information, to get more until they have enough to access your available credit or financial accounts.

— Indiana’s response was thoughtful. “By providing the public record, initially we are hoping to eliminate the use of a finder, which can charge up to 10% of the property amount. Providing the claimant the information up front, they are more likely to use our service for free. That being said, we are highly aware of the fraud issue and, as you may know, Indiana is the only state in which the Unclaimed Property Division falls under the Attorney General’s office. This works to our advantage in that we have an entire investigative division in-house and specific to unclaimed property. In addition, we also have a proactive team that works to reach out to rightful owners directly on higher-dollar claims to reduce fraud and to ensure those large dollar amounts are reaching the rightful owners.”

Protect and serve should be the goal

While Indiana has the right idea, the state still provides too much information. The concept here is to protect and serve, something the current system of unclaimed property databases does not do.

The methodology used in the compendium was quite simple: The less information a state provided, the better its ranking. Four stars was the best rating—it went to states that provided only a name and city or ZIP code—and one star was the worst, awarded to states that disclosed name, street address, property type, property holder and exact amount owed.

In the majority of states in the U.S., the current approach to unclaimed funds doesn’t appear to be calibrated to protect consumers during this ever-growing epidemic of identity theft and cyber fraud. The hit parade of data breaches over the past few years—Target, Home Depot, Sony Pictures, Anthem and, most recently, the Office of Personnel Management—provides a case-by-case view of the evolution of cybercrime. Whether access was achieved by malware embedded in a spear-phishing email or came by way of an intentionally infected vendor, the ingenuity of fraudsters continues apace, and it doesn’t apply solely to mega databases. Identity thieves make a living looking for exploitable mistakes. The 50 State Compendium provides a state-by-state look at mistakes just waiting to be converted by fraudsters into crimes.

The best way to keep your name off those lists: Stay on top of your finances, cash your checks and keep tabs on your assets. (And check your credit reports regularly to spot signs of identity fraud. You can get your free credit reports every year from the major credit reporting agencies, and you can get a free credit report summary from Credit.com every month for a more frequent overview.) In the meantime, states need to re-evaluate the best practices for getting unclaimed funds to consumers. One possibility may be to create a search process that can only be initiated by the consumer submitting his name and city (or cities) on a secure government website.

‘Phone Spoofing’ – Yes, It Can Happen to You

Not so long ago, a senior executive at Insurance Thought Leadership received a phone call on his smartphone in which the caller claimed to be returning a call. The ITL executive politely let the caller know that he hadn’t called. Then came another “returned” call… and another. Each caller said he had received a call from the ITL executive’s mobile number and that the caller hadn’t left a message. All told, the ITL executive received about a call a day for about a week.

Naturally, he called his mobile provider to find out what was going on. The provider said it sounded like “phone spoofing.”

How It Works

Spoofing is effectively falsifying a piece of identifying information, like a return email address. “Phone spoofing” relates to the number that shows up on caller ID — someone appears to be calling from that number but doesn’t own that number and is really calling from somewhere else. Spoofing is used to trick people into picking up calls they otherwise wouldn’t (and get around the National Do Not Call Registry). For a shady caller from outside the area – and often the country – a local number is less likely to raise suspicion.

The real target of the scam is the person on the receiving end of the spoofed call. In the past year, attorneys general in Arkansas, Ohio, Pennsylvania and Rhode Island (among others) have all issued warnings related to phone spoofing scams.

If the recipients do answer the calls, they’re treated to a lovely conversation with ethically challenged telemarketers, debt collectors or scammers. And, as with most sketchy callers, they don’t leave a message if the target doesn’t answer. If the recipients are curious about who called, all they have to go on is the spoofed (false) number that appeared in their caller ID. The result: numerous angry “return” calls to the wrong person. In effect, the real owner of the spoofed number is collateral damage.

Spoofing technology is unfortunately cheap and widely available. As a result, anyone with a smartphone can be a victim — though the scam works just as well on landlines.

What to Do to Protect Yourself

The Truth in Caller ID Act of 2009 prohibits anyone in the U.S. from “knowingly transmit[ting] misleading or inaccurate caller identification information with the intent to defraud, cause harm or wrongfully obtain anything of value….” The act also includes penalties of as much as $10,000 per violation, and related FCC rules note that telemarketers are supposed to display an accurate phone number that can be called during regular business hours.

That all sounds good, but… there are a couple of problems with this scenario as it plays out in the real world. The nature of phone spoofing can make it tricky to figure out who actually made the call in the first place. Moreover, many of the perpetrators are based outside the U.S., effectively placing them beyond the reach of the law. While there has been an attempt to enact an updated version that expands the law’s reach to include calls made to recipients in the U.S. from outside the U.S., it’s naturally moving at the speed of Congress. And, of course, enforcement of that law against telemarketers, etc. based overseas will present an additional hurdle.

Another issue to consider: The FCC tends to view the recipient of the call as the primary victim of a phone spoofing scam. Consequently, “the intent to defraud, cause harm, or wrongfully obtain anything of value” noted in the Truth in Caller ID Act focuses on actions taken against the recipient of the call (as opposed to the real owner of the number in question).

In a somewhat related matter, in late 2013 the Federal Trade Commission (FTC) decided not to amend its Telemarketing Sales Rule to address caller ID spoofing because it didn’t believe that the proposed changes would have any effect on the problem.

As you may have guessed by now, stopping this isn’t easy. It’s fairly difficult – if not impossible – to completely eliminate the risk of having your number used in a caller ID spoofing scam. One step you can take to decrease the likelihood is to reduce the number of places in which your phone number can be found online. In effect, don’t give out your number unless you have to. This includes web contests and other online forms. And if it is required for an online purchase, don’t save that information for next time. That way it – and your credit card details – won’t be there to steal if an intruder subsequently breaks into the retailer’s network.

What to Do if It Does Happen to You?

For starters, you can file a complaint with the FCC.

But, although it’s unlikely that the information on your smartphone itself has been compromised (unless there is an additional, unrelated intrusion), your realistic options are unfortunately somewhat limited once your number is used as part of a spoofing scam.

1) You can block incoming calls, leave a message explaining what happened and, in effect, hope it stops before too long; or

2) You can change your number. Of course, that also means notifying friends, family and professional contacts (and perhaps changing your business cards, too).

If you don’t feel safe, you can also take the extra step of changing your passwords (which is never a bad idea).

And if you would like more information, you can check out the FCC’s Caller ID and Spoofing page.

The silver lining here is that phone spoofing doesn’t equate to your phone – or the data on it – being accessed by someone else. Of course, that doesn’t make it any less annoying or disconcerting if it happens to you.

Happy Ending

In the case of the spoofing against the ITL executive, the system worked as well as possible. The authorities, working with the carrier, tracked the spoofing back to a scam artist in Germany, and an arrest was made.

How Data Breaches Affect More Than Cyberliability

You’ve probably seen the recent headlines about the Target retail chain being hacked, resulting in approximately 40 million customer credit and debit card numbers being stolen by hackers. It would be easy to write another article about the importance of cyberliability insurance, but we’d like to go a step further. While it is true that a breach of this magnitude will be incredibly expensive and could strain the total limit capacity available in the cyber insurance marketplace, other insurance products that could possibly be triggered shouldn’t be ignored.

On October 13, 2011, the Securities and Exchange Commission’s (SEC) Division of Corporate Finance published the Cybersecurity Disclosure Guidance. Among other recommendations, the guide contained the SEC’s views on the type and extent of cyberliability risks and exposures that public companies should consider disclosing to investors. The guidance was issued to help investors understand the nature of a company’s cybersecurity risks. In quarterly and annual filings with the SEC, companies disclose risk factors that can have a material impact on their operations. When investors sue a corporation for actions that have harmed the company, and in turn their investments, that is a claim typically addressed by a Directors and Officers (D&O) Liability policy. In certain instances, they also might be covered by a dedicated cyber insurance policy or a Side-A excess policy (or both), to the extent the company has purchased such products, which are separate and distinct from a D&O form.

Like other public companies, Target has sought to abide by the SEC’s cybersecurity disclosure recommendations, most recently including cyber risk as one of 17 risk factors in the MD&A section of its February 2013 10-K:

If our efforts to protect the security of personal information about our guests and team members are unsuccessful, we could be subject to costly government enforcement actions and private litigation and our reputation could suffer.

The nature of our business involves the receipt and storage of personal information about our guests and team members. We have a program in place to detect and respond to data security incidents. To date, all incidents we have experienced have been insignificant. If we experience a significant data security breach or fail to detect and appropriately respond to a significant data security breach, we could be exposed to government enforcement actions and private litigation. In addition, our guests could lose confidence in our ability to protect their personal information, which could cause them to discontinue usage of REDcards, decline to use our pharmacy services, or stop shopping with us altogether. The loss of confidence from a significant data security breach involving team members could hurt our reputation, cause team member recruiting and retention challenges, increase our labor costs and affect how we operate our business.

State attorneys general have already initiated demands for information and protection for state residents. The Connecticut attorney general is asking for two years of credit monitoring and identity theft protection for state residents, along with more details on the breach and security protocols. Not surprisingly, there have been threats of consumer class actions against Target. It will also be interesting to see if shareholders, or more importantly the plaintiffs bar, think that the disclosure of the risk was adequate. Given the size of the breach, it would not be surprising to see any number of such suits filed against Target.

In the meantime, certain banks are advising consumers that they will not be held responsible for fraudulent charges on their credit cards.

If we look back at the 2007 breach at TJ Maxx (TJX), which affected more than 90 million credit cards, we could gain insight into how MasterCard and Visa might respond to the Target breach. They sued TJX and collectively recovered over $60 million. Other banks, such as Fifth Third Bancorp, Amerifirst Bank, Eagle Bank and SaugusBank, also made claims against TJX. Media reports indicate that TJX paid in excess of $250 million to resolve the myriad claims against it as a result of the 2007 breach. We would expect that number includes crisis management expenses, such as the costs of forensic analyses, public relations expenses, notification expenses and other remedial costs. It also likely accounts for regulatory fines and penalties from the government, PCI fines paid to credit card companies, damages paid to both credit card companies and banks, cash and merchandise vouchers for harmed customers, and probably even credit monitoring. It would be challenging to quantify the lost revenue from jilted customers who chose to shop elsewhere following the breach, but we suspect it was meaningful.

Impact on Investors

A key question is, can investors still sue if the stock doesn’t have a precipitous drop? The answer is probably yes. A typical securities claim alleges that: 1) the management misled investors; 2) the truth came out; 3) the stock dropped as a result; and 4) the investors suffered financial loss. The damage valuation might be determined by comparing the price of the stock prior to the date the “truth” came out and the price after it had been disclosed. That’s an oversimplification of a securities claim, but still reflects the typical pattern. For something like the Target breach, shareholders could argue that Target failed to fully disclose the potential cyber-related problems, lost business opportunities which kept the stock from rising and therefore caused the loss of future gains, mismanaged and failed to properly oversee its cybersecurity protection program, and other assorted alleged improprieties.

Other Claims

Apart from securities-related disclosure lawsuits, a company like Target also will likely be subject to consumer class actions and regulatory actions. Such lawsuits could lead to sizeable settlements, which could have an impact on the stock price and raise investor concerns. Target’s earnings similarly could be impacted by the costs of breach remediation and associated expenses. It also stands to lose significant opportunity costs, to the extent its management and staff become distracted by the post-breach activities. Whatever surfaces will require a lot of money spent in legal and forensic bills.

It is well-known that litigation naming a company’s directors and officers can arise from a variety of alleged misdeeds. Like other entrepreneurs, the plaintiffs are always exploring new legal theories to establish liability and recover damages in order to collect higher fees. When that happens, you can bet those defendants will quickly be looking to their D&O policy for assistance. For every cyberliability underwriter expressing relief that they aren’t insuring Target for this breach, there are likely two D&O underwriters concerned about their policy limit – assuming, of course, that Target has a sizeable D&O insurance tower in place.

Companies like Target likely employ a robust cybersecurity program to protect consumers’ personal and financial information. But breaches aren’t limited to large multinational operations. According to cyberlaw expert Richard J. Bortnick of Christie Pabarue and Young, and publisher of the blog Cyberinquirer.com, small- and medium-sized public companies are just as much at risk as, perhaps even more at risk than, companies like Target. “Every company of every size is at risk,” Bortnick said. “And if you think of it logically, small- and medium-sized companies are likely more at risk, and subject to greater residual financial harm, than the bigger firms. And in the cyber realm, that means small- and medium-sized companies that almost certainly have not invested the resources necessary for proper cybersecurity.” According to Bortnick, “regrettably, oftentimes clients call me in after a breach, not before. And on each occasion, I tell them that the cost to remediate a breach can be multiples of what it would have cost if I had been brought in before the breach and been able to work with the company to plan and implement a cost-effective, best practices cybersecurity regime. Not only does this approach discourage or even prevent hackers, it provides a company with a ‘best practices’ defense to a privacy suit and, potentially, to a shareholder lawsuit.”

As mentioned in the introduction of this advisory, the risks facing your clients following a data breach go beyond the obvious cyberliability insurance policy. How a company has prepared for a breach, what steps have been taken to prevent a breach and what plans are in place to deal with a breach are all executive-level decisions. Regardless of the size of the company, a data breach can be a significant threat to the survival of a company. Companies should buy a cyberliability policy to help respond to a data breach and a D&O policy to protect the management and board for their plans and decisions.