It is a documented fact that unscrupulous healthcare professionals – and dishonest patients – file more than $77 billion worth of fraudulent Medicare and Medicaid claims on an annual basis.
Meanwhile, cyber criminals have been busy the past two years pilfering medical ID data for tens of millions of citizens, as well as business records from hundreds, if not thousands, of healthcare service providers and insurers.
These two malevolent forces are on a collision course. A massive trove of stolen healthcare industry data has been lying mostly dormant in the cyber underground. And there are clear signs that cyber criminals are moving to use this stolen data to ramp up new variants of faked claims and medical ID fraud, as I discuss at greater length in my book, Swiped: How to Protect Yourself in a World Full of Scammers, Phishers and Identity Thieves.
This crystalized for me after I had the opportunity to speak with Jeff Leston, president and CEO of Castlestone Advisors. Based in St. Louis, MO, Leston has been scrutinizing these developments since 2003. That’s when he began working on what he believes to be an elegant solution to rising healthcare records fraud. But before we get to that, here’s the wider context:
The healthcare sector is reeling following a two-year reign of terror perpetrated by hackers taking full advantage of poorly secured networks and databases. First came waves of massive data breaches. Anthem lost records for some 80 million patients; Premera Blue Cross, 11 million. Community Health Systems, parent of 206 hospitals in 29 states, lost records for 4.5 million consumers.
Then came swarms of ransomware attacks against dozens of hospitals and clinics. The poster institution: Hollywood Presbyterian Hospital. In a case of choosing the lesser evil, the hospital paid $17,000 to regain access to critical databases locked down by the extortionist. These waves of data breaches and extortion represented hackers going after the lowest-hanging fruit in the healthcare sector.
On a parallel track, fraudulent Medicare claims soared to $59.9 billion, and faked Medicaid claims to $17.5 billion, in the federal government’s fiscal year ending in October 2015. The filing of fraudulent claims doesn’t appear to be slowing down one iota. Using Google Alerts, Leston over the past eight months has tallied references to some 168 separate government indictments or convictions for Medicare/Medicaid fraud. The cumulative total paid out under false pretenses: $1.94 billion.
This snapshot only hints at the true extent of healthcare payments fraud going undetected in other public programs and in the private sector. For the moment, Leston says, the vast majority of such fraud is being perpetrated by unscrupulous professionals in trusted positions. “Most of the people misusing data already have access to the data,” he says. “It’s physicians, care services providers and labs; they’re the ones that get the money.”
Think about how you pay your doctor or dentist bill. It is through an archaic, poorly secured payment system that lacks robust oversight. To the criminally minded, that reeks of easy money. A nascent form of medical ID theft has been quantified in a widely cited study by The Ponemon Institute; it shows the propensity for people to steal a relative’s medical information to fraudulently purchase drugs or to pay for healthcare services online.
Ponemon found that 2.3 million adult Americans or close family members became victims of this form of medical identity theft in 2014, with 65 percent of the victims saying they had paid an average of $13,453 to make things right.
Fraudulent medical claims filed by shady doctors and medical ID theft committed by friends and family members have one thing in common: they both are easily expanded online. It’s all too easy to visualize ransomware and phishing gangs adapting their hacking and online money laundering systems to this endeavor. And the trove of stolen medical records and company data is just sitting there waiting to be monetized.
Observes Leston: “You get a crooked doctor or you conjure up a spoofed facility, you create all sorts of false patient identities along with it, and you just run claims through it and collect the money.”
Leston’s company, Castlestone, has been refining and testing a solution to this for years. What I like about it is that it piggybacks onto the payment card industry’s proven security infrastructure and doesn’t try to reinvent the wheel.
Castlestone’s technology revolves around getting a program provider, such as Medicare or, say, your healthcare insurance provider, to issue a special payment card to users. This card would be configured to work in the point of sale (POS) terminals found anywhere plastic is accepted to pay your deductible.
Castlestone is permitted to tap into basic time, location and transaction pattern data that the banks use to calculate the odds an imposter might be trying to use your payment card. Castlestone factors into that calculation other details it collects about the facility and the patient. The result is an instantly calculated risk score that can be used to approve, or reject, payment.
The company has had a successful 65-day trial in which Medicare patients used a Castlestone card to purchase durable medical equipment. It hopes to land a formal launch customer soon. I wish them luck because we are way beyond midnight here. It is imperative that we stem false claims and rising medical ID theft.