Prosecution of Medicare Cyber Fraud: Part VII of Series

EDITOR’S NOTE: Edward Roche, in association with RACmonitor, is writing a series on the need for U.S. healthcare facilities to protect themselves from cybercriminals demanding ransoms for patient records. This is the seventh installment in the series.

Cybercrime is on everyone’s minds these days, even when there is a Medicare fraud takedown like the one we just saw in response to the opioid epidemic. We would be hard-pressed to identify a contemporary case without cyber evidence. There always are things left behind – electronic footprints – that become an integral part of a case.

In order for our government to search a computer system as part of a criminal investigation, a court order or warrant must be obtained. It is a question of privacy. The protections afforded by the Fourth Amendment apply to computer disk drives in the same way they applied to the homes of the Hessians during the Revolutionary War.

But is that the case for Medicare fraud? Are healthcare claims records private? Generally, the answer is “no.” Why?

The standard that protects the citizenry from improper government surveillance and data searches is “the expectation of privacy.”

This is a loosely defined term, applicable in a number of situations. But when a provider submits its claims to get paid and these claims find their way into the information systems of Medicare, the data becomes government property. So, there is no expectation of privacy for Medicare claims data. That means that anything a provider does automatically is open for inspection.

Not only does all Medicare claims data become available for snooping once it leaves your information system, but when you recheck your contract with the government, you will see that  you have already signed away your rights. Absolutely nothing you do can be confidential, as far as the government is concerned.

Sophisticated algorithms and big-data techniques are used to find outliers to be targeted. For example, the recent U.S. Department of Justice (DOJ) takedown started when the government analyzed all prescriptions written for opioids. It then is a minor matter to identify those providers associated with the highest number of opioid claims.

Hacking Changes the Balance of Power

Today’s hacking epidemic is changing the healthcare environment and twisting inside-out the world of cyber prosecution. We know, for example, that malware viruses can be altered so that they look like they are coming from somewhere else. U.S. malware can be dressed up as Russian malware, or Chinese malware can be made to look like it originated in the United States.

What are the practical implications of this? For one thing, it makes it more difficult to definitively pin the blame on any particular party. This called the attribution problem. Much of the fraud also takes place behind the computer security systems designed to protect. Instead, they shelter.

In Medicare, we have a similar situation. Hackers can steal information, but they also can alter it.

We likely will see the day when the U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) goes after a provider, claiming massive amounts of computer fraud, and the defense will be not that the accused didn’t do it, but that someone else did by hijacking their information system.

If this begins to happen, then there is risk that prosecutions will be thrown into chaos.

Here is the guiding question: Even if the filed claims in question originated from your system, can you be 100 percent sure they all are yours?  The answer is “no.”

The reality is this: There is no healthcare provider than can be completely sure every claim they submit truly originated in their system. And no prosecutor can be sure either.