Healthcare information security

Genetic testing "hottest" new form of health insurance fraud, FBI warns

Susan Morrow
August 18, 2021 by
Susan Morrow

The FBI runs an intensive program of counterintelligence efforts to disrupt criminal activities. This is done with intelligence gathered by the FBI's Counterintelligence Division, with a history going back to the beginning of the 20th century. The FBI is part of a wider group consisting of 17 federal agencies that collect intelligence, known collectively as the U.S. Intelligence Community. These efforts by the Intelligence Community and the FBI not only focus on threats to national security from external forces, but they also deal with the broader world of cybercrime.

When the FBI discovers potential criminal activity, they issue an "Emerging Intelligence Report." One recent report looks at a new form of health insurance fraud that uses cardiovascular genetic tests as a basis for the scam.

Implementing HIPAA Controls

Implementing HIPAA Controls

Learn how to protect ePHI from unauthorized use and disclosure, and how to help employees stay compliant with HIPAA rules.

What are healthcare fraud and abuse?

Before jumping into the latest discovery of healthcare fraud by the FBI the question must be asked, what is healthcare fraud?

 Healthcare fraud is committed by many people, including healthcare providers, patients and professional scammers. Similarly, the act of committing healthcare fraud covers a broad remit of crime types. The impact of healthcare fraud is not a victimless crime; it affects the entire healthcare ecosystem. Healthcare fraud results in increased insurance premiums that can adversely impact health services and even subject patients to unnecessary medical intervention.

Fraud types in healthcare

Healthcare fraud comes in many forms. Some typical examples that the FBI lists as healthcare fraud are: 

  • Phantom billing: billing for services that were not strictly needed
  • Double-billing: billing for multiple claims for the same service
  • Bogus marketing: tricking patients into giving out their health insurance details and using that to steal their identity, bill for non-rendered services or set up fake health plans
  • Impersonating a healthcare professional: billing for health services or equipment without a license
  • Forgery: forging prescriptions
  • Unbundling: submitting multiple bills for the same service
  • Upcoding: billing for a more expensive service than that delivered

Two healthcare fraud examples

Two examples that give a flavor of what healthcare fraud entails and its impact are:

Phantom billing

A mother and son were convicted of a healthcare fraud conspiracy defrauding Medicare and Medicaid for over $7 million. The pair set up several companies to provide home healthcare to elderly and disabled patients. They then used forged documents and fraudulent forms to bill for invented services.

Bogus marketing

A group of conspirators defrauded 17,000 individuals by selling them bogus health insurance products. The fraud cost the victims over $22 million. The main perpetrator was imprisoned for 14-years and ordered to pay $6.5 million.

The FBI report into cardiovascular genetic test fraud

This latest FBI intelligence on possible new healthcare fraud builds on a previous report in 2017, titled, "Perpetrators Are Very Likely Exploiting Vulnerabilities in Genetic Tests to Commit Health Care Fraud." This uncovering of a significant scam potential led to one of the largest healthcare fraud scams, resulting in losses of over $2 billion and the exploitation of expensive genetic testing. The U.S. Department of Justice prosecuted 35 individuals, many associated at C-level, with telemedicine companies and cancer genetic testing laboratories. The fraud involved expensive genetic testing that was medically unnecessary — many of the defendants receiving large 'kickbacks' for referrals. The fraud scheme targeted the elderly, disabled and other vulnerable consumers playing on their fears over cancer.

In this latest report, healthcare fraudsters are reintroducing the notion of genetic testing fraud but this time moving from cancer to cardiovascular genetic testing. This is a form of fraud associated with a lack of need for a service and can come under the general umbrella of "phantom billing."

Why is cardiovascular genetic testing open to fraud?

Cybercriminals often adjust their tactics to respond to changing conditions. The previous massive healthcare fraud event involved cancer genetic testing. The FBI has determined that this latest fraud was likely because fraudsters would find reduced scope for healthcare fraud due to the limited health insurance coverage of cancer-related genetic testing. It is also likely that the previous massive fraud that used cancer genetic testing is now closed off to criminal activity because of increased awareness. In addition, the shift to using cardiovascular genetic testing procedures that do not require patients to have a cardiovascular diagnosis made the process for billing for the kits more exploitable.

Using data intelligence to alert possible fraud

Between 2018-2020, the FBI noted a massive increase in claims submitted to Medicare for cardiovascular genetic testing. In the case of one test used to locate genes associated with heart disease, an increase in claims of over 4,000% was spotted. To assess the likelihood of these claims being fraudulent, the FBI carried out several interviews with healthcare practitioners and laboratory owners. These interviews allowed the FBI to understand several factors that pointed to exploitable weaknesses in the processes around these tests. These weaknesses included:

  • Panels for cardiovascular testing being easier to approve than cancer testing panels.
  • Cardiac panels became the "hottest test," replacing cancer panels.
  • Labs were carrying out the minimum number of tests to evade law enforcement detection.
  • More expensive comprehensive testing was done when cheaper, more specific genetic testing was available.
  • Medical professionals recognized genetic testing as being only needed in rare cases.

All these factors pointed to the massive increase in claims for cardiovascular genetic tests being suspicious.

The intelligence report concludes that: 

"The FBI makes this assessment based on the key assumption that health care fraud actors knowingly submit fraudulent claims for cardiovascular genetic tests, disregarding medical necessity and the existence of prior patient-physician relationships."

Vulnerabilities do not just occur in software and hardware; they are also found in processes. The exploitation of health insurance plans is based on these weaknesses; any chink in the armor of a process, in software, or hardware will be exploited. It looks like the FBI investigation into fraudulent cardiovascular genetic testing is positive for fraud.

Criminals change their tactics when they must. Before this latest intelligence, healthcare fraud exploited cancer genetic testing. The report from the FBI points out that they expect saliva-based laboratory testing to be the next exploitable healthcare fraud as new viruses and bacteria enter the health ecosystem.

Implementing HIPAA Controls

Implementing HIPAA Controls

Learn how to protect ePHI from unauthorized use and disclosure, and how to help employees stay compliant with HIPAA rules.

Healthcare fraud

Finding the balance to ensure that patients receive the best care while controlling the exploitation of that care is likely to be an ongoing battle. Fortunately, the intelligence from the FBI and intelligence community can help in that battle.

 

Sources 

Susan Morrow
Susan Morrow

Susan Morrow is a cybersecurity and digital identity expert with over 20 years of experience. Before moving into the tech sector, she was an analytical chemist working in environmental and pharmaceutical analysis. Currently, Susan is Head of R&D at UK-based Avoco Secure.

Susan’s expertise includes usability, accessibility and data privacy within a consumer digital transaction context. She was named a 2020 Most Influential Women in UK Tech by Computer Weekly and shortlisted by WeAreTechWomen as a Top 100 Women in Tech. Susan is on the advisory board of Surfshark and Think Digital Partners, and regularly writes on identity and security for CSO Online and Infosec Resources. Her mantra is to ensure human beings control technology, not the other way around.