Genetic testing "hottest" new form of health insurance fraud, FBI warns
The FBI runs an intensive program of counterintelligence efforts to disrupt criminal activities. This is done with intelligence gathered by the FBI's Counterintelligence Division, with a history going back to the beginning of the 20th century. The FBI is part of a wider group consisting of 17 federal agencies that collect intelligence, known collectively as the U.S. Intelligence Community. These efforts by the Intelligence Community and the FBI not only focus on threats to national security from external forces, but they also deal with the broader world of cybercrime.
When the FBI discovers potential criminal activity, they issue an "Emerging Intelligence Report." One recent report looks at a new form of health insurance fraud that uses cardiovascular genetic tests as a basis for the scam.
Implementing HIPAA Controls
What are healthcare fraud and abuse?
Before jumping into the latest discovery of healthcare fraud by the FBI the question must be asked, what is healthcare fraud?
Healthcare fraud is committed by many people, including healthcare providers, patients and professional scammers. Similarly, the act of committing healthcare fraud covers a broad remit of crime types. The impact of healthcare fraud is not a victimless crime; it affects the entire healthcare ecosystem. Healthcare fraud results in increased insurance premiums that can adversely impact health services and even subject patients to unnecessary medical intervention.
Fraud types in healthcare
Healthcare fraud comes in many forms. Some typical examples that the FBI lists as healthcare fraud are:
- Phantom billing: billing for services that were not strictly needed
- Double-billing: billing for multiple claims for the same service
- Bogus marketing: tricking patients into giving out their health insurance details and using that to steal their identity, bill for non-rendered services or set up fake health plans
- Impersonating a healthcare professional: billing for health services or equipment without a license
- Forgery: forging prescriptions
- Unbundling: submitting multiple bills for the same service
- Upcoding: billing for a more expensive service than that delivered
Two healthcare fraud examples
Two examples that give a flavor of what healthcare fraud entails and its impact are:
Phantom billing
A mother and son were convicted of a healthcare fraud conspiracy defrauding Medicare and Medicaid for over $7 million. The pair set up several companies to provide home healthcare to elderly and disabled patients. They then used forged documents and fraudulent forms to bill for invented services.
Bogus marketing
A group of conspirators defrauded 17,000 individuals by selling them bogus health insurance products. The fraud cost the victims over $22 million. The main perpetrator was imprisoned for 14-years and ordered to pay $6.5 million.
The FBI report into cardiovascular genetic test fraud
This latest FBI intelligence on possible new healthcare fraud builds on a previous report in 2017, titled, "Perpetrators Are Very Likely Exploiting Vulnerabilities in Genetic Tests to Commit Health Care Fraud." This uncovering of a significant scam potential led to one of the largest healthcare fraud scams, resulting in losses of over $2 billion and the exploitation of expensive genetic testing. The U.S. Department of Justice prosecuted 35 individuals, many associated at C-level, with telemedicine companies and cancer genetic testing laboratories. The fraud involved expensive genetic testing that was medically unnecessary — many of the defendants receiving large 'kickbacks' for referrals. The fraud scheme targeted the elderly, disabled and other vulnerable consumers playing on their fears over cancer.
In this latest report, healthcare fraudsters are reintroducing the notion of genetic testing fraud but this time moving from cancer to cardiovascular genetic testing. This is a form of fraud associated with a lack of need for a service and can come under the general umbrella of "phantom billing."
Why is cardiovascular genetic testing open to fraud?
Cybercriminals often adjust their tactics to respond to changing conditions. The previous massive healthcare fraud event involved cancer genetic testing. The FBI has determined that this latest fraud was likely because fraudsters would find reduced scope for healthcare fraud due to the limited health insurance coverage of cancer-related genetic testing. It is also likely that the previous massive fraud that used cancer genetic testing is now closed off to criminal activity because of increased awareness. In addition, the shift to using cardiovascular genetic testing procedures that do not require patients to have a cardiovascular diagnosis made the process for billing for the kits more exploitable.
Using data intelligence to alert possible fraud
Between 2018-2020, the FBI noted a massive increase in claims submitted to Medicare for cardiovascular genetic testing. In the case of one test used to locate genes associated with heart disease, an increase in claims of over 4,000% was spotted. To assess the likelihood of these claims being fraudulent, the FBI carried out several interviews with healthcare practitioners and laboratory owners. These interviews allowed the FBI to understand several factors that pointed to exploitable weaknesses in the processes around these tests. These weaknesses included:
- Panels for cardiovascular testing being easier to approve than cancer testing panels.
- Cardiac panels became the "hottest test," replacing cancer panels.
- Labs were carrying out the minimum number of tests to evade law enforcement detection.
- More expensive comprehensive testing was done when cheaper, more specific genetic testing was available.
- Medical professionals recognized genetic testing as being only needed in rare cases.
All these factors pointed to the massive increase in claims for cardiovascular genetic tests being suspicious.
The intelligence report concludes that:
"The FBI makes this assessment based on the key assumption that health care fraud actors knowingly submit fraudulent claims for cardiovascular genetic tests, disregarding medical necessity and the existence of prior patient-physician relationships."
Vulnerabilities do not just occur in software and hardware; they are also found in processes. The exploitation of health insurance plans is based on these weaknesses; any chink in the armor of a process, in software, or hardware will be exploited. It looks like the FBI investigation into fraudulent cardiovascular genetic testing is positive for fraud.
Criminals change their tactics when they must. Before this latest intelligence, healthcare fraud exploited cancer genetic testing. The report from the FBI points out that they expect saliva-based laboratory testing to be the next exploitable healthcare fraud as new viruses and bacteria enter the health ecosystem.
Implementing HIPAA Controls
Healthcare fraud
Finding the balance to ensure that patients receive the best care while controlling the exploitation of that care is likely to be an ongoing battle. Fortunately, the intelligence from the FBI and intelligence community can help in that battle.
Sources
- FBI, Emerging Intelligence Report: (U//FOUO) Health Care Fraud Threat Actors Very Likely Will Exploit Health Insurance Plan Vulnerabilities to Increase Reimbursement for Cardiovascular Genetic Tests, Expanding Illicit Sources of Revenue
- FBI, Health Care Fraud
- U.S. Intelligence Community
- Department of Justice, Mother and son convicted of $7 million healthcare fraud scheme
- Department of Justice, Bart Posy, Sr. Sentenced to Federal Prison for $22 Million Healthcare Fraud Scheme
- Department of Justice, Federal Law Enforcement Action Involving Fraudulent Genetic Testing Results in Charges Against 35 Individuals Responsible for Over $2.1 Billion in Losses in One of the Largest Health Care Fraud Schemes Ever Charged
Implementing Controls for HIPAA
Learn how to maintain the confidentiality, integrity and availability of PHI and ePHI. What you'll learn:- HIPAA models and protocols
- Best practices for controls
- Privacy rule standards
- HIPAA compliance plans
- And more
In this Series
- Genetic testing "hottest" new form of health insurance fraud, FBI warns
- Healthcare data security issues: Best security practices for virtual healthcare sessions
- Analysis of ransomware used in recent cyberattacks on health care institutions
- Top cyber security risks in healthcare [updated 2020]
- How to satisfy HIPAA awareness and training requirements
- What Is Protected Health Information (PHI)?
- The Most Vulnerable and Hackable Medical Devices
- How to Comply with HIPAA Regulations – 10 Steps
- 5 Security Awareness Tips for HIPAA Compliance
- How WannaCry Ransomware Crippled Healthcare
- Breach Notification Requirements for Healthcare Providers
- Top 10 Threats to Healthcare Security
- Top 10 Ways Your Healthcare Organization May be Violating HIPAA and Not Know It
- NDG Pt. 3: The Impact of new data security standards and opt-out model on the IG Toolkit
- NDG Pt. 2: Government Views On Opting Out - Health Data and Security in The UK
- NDG Pt. 1: Data security standards and opt-out models in health and social care
- Patient Privacy in Healthcare: A Security Practitioner's Approach
- How Healthy is Security Across Healthcare?
- HIPAA Security Rule
- Regulatory Compliance for HIPAA Security Officers
- HIPAA and IT Security
- A Detailed Look Into the World of Clinical Decision Support Systems
- Top Clinical Application Systems
- Who is Hacking Healthcare?
- Types of hospital information systems
- HIS/HMIS
- The Healthcare IT Stack
- Medical Device Regulation
- Security Risk Assessment in Health Care
- Risk Management in Healthcare
- Security Technologies in Healthcare
- Medical Data Protection
- Healthcare Attack Statistics and Case Studies
- Security Leaders in Healthcare
- The Internet of Things in Healthcare
- Top 5 Emerging Security Technologies in Healthcare
- Emerging Technologies in Healthcare
- 10 Best Practices for Healthcare Security
- IS Best Practices for Healthcare
- Hospital Security
- Security Awareness for Healthcare Facilities
- Hospital security policies & procedures
- What Does Security Awareness Mean for Doctors, Nurses and Hospital Staff?
- Security Awareness for Healthcare Professionals
- Hackable Medical Devices
- Other Healthcare IT Regulations
- HITECH Act and IT Security
- HIPAA Security Checklist
- Healthcare HITECH Act
- HIPAA Overview and Resources
- Overview of Regulations and Compliance
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Healthcare information security
Healthcare data security issues: Best security practices for virtual healthcare sessions
Healthcare information security
Analysis of ransomware used in recent cyberattacks on health care institutions
Healthcare information security
Healthcare information security