Healthcare hacking on the rise

https://mailchi.mp/ef14a7cfd8ed/the-weekly-gist-august-6-2021?e=d1e747d2d8

From the largest global meat producer to a major gas pipeline company, cyberattacks have been on the rise everywhere—and with copious amounts of valuable patient data, healthcare organizations have become a prime target.

The graphic above outlines the recent wave of data attacks plaguing the sector. Healthcare data breaches reached an all-time high in 2020, and hacking is now the most common type of breach, tripling from 2018 to 2020. This year is already on pace to break last year’s record, with nearly a third more data breaches during the first half of the year, compared to the same period last year.

Recovering from ransomware attacks is expensive for any business, but healthcare organizations have the highest average recovery costs, driven by the “life and death” nature of healthcare data, and need to quickly restore patient records. A single healthcare record can command up to $250 on the black market, 50 times as much as a credit card, the next highest-value record. Healthcare organizations are also slower to identify and contain data breaches, further driving up recovery costs.

A new report from Fitch Ratings finds cyberattacks may soon threaten hospitals’ bottom lines, especially if they affect a hospital’s ability to bill patients when systems become locked or financial records are compromised. The rise in healthcare hacking is shining a light on many health systems’ lax cybersecurity systems, and use of outdated technology.

And as virtual delivery solutions expand, health systems must double down on performing continuous risk assessments to keep valuable data assets safe and avoid disruptions to care delivery.

3 Ascension Texas hospitals to pay $20.9M for alleged kickbacks

Kickback Definition

Three Ascension hospitals in Texas agreed to pay $20.9 million for allegedly paying multiple physician groups above fair market value for services, according to a recent news release from the HHS’ Office of Inspector General.

The three Texas hospitals are Ascension’s Dell Seton Medical Center in Austin, Ascension Seton Medical Center Austin and Ascension Seton Williamson in Roundrock. Ascension self-disclosed the conduct to the inspector general.

The hospitals allegedly violated the Civil Monetary Penalties Law, including provisions related to physician self-referrals and kickbacks in seven instances, according to the April 30 news release.

Some of the allegations the report outlined include Dell Seton paying an Austin physician practice above fair market value for on-call coverage; Ascension Seton Austin paying an Austin practice above fair market value for transplant on-call coverage and administrative services; and Ascension Seton Williamson paying a practice above fair market value to lease the practice’s employed registered nurses and surgical technologists who assisted in surgeries at the hospital. 

The release did not disclose the physician groups allegedly involved.

Access the full release here

Kansas Heart Hospital accuses former CFO, COO of stealing funds

Binghamton Embezzlement Lawyer | Embezzlement Charges in NY

The Kansas Heart Hospital in Wichita filed a lawsuit against two former executives, claiming they stole money from the facility and improperly used CARES Act funds, according to ABC affiliate KAKE and court documents.  

The lawsuit, filed April 29 in the U.S. District Court in Kansas, accuses the hospital’s former COO Joyce Heismeyer and former CFO Steve Smith of stealing funds between 2015 and 2020. During that time, Kansas Heart Hospital lost more than $31 million, according to the lawsuit.

Ms. Heismeyer and Mr. Smith abruptly stepped down from their roles in fall 2020. The hospital claims the former executives set up large severance payments for themselves before their departures, which prompted an internal investigation.

In its complaint, Kansas Heart Hospital alleges that Ms. Heismeyer and Mr. Smith conspired with the hospital’s former president, Gregory Duick, MD, to divert more than $6 million in hospital funds for undisclosed bonuses and benefits during the five-year period. Additionally, the hospital claims all three sent millions in hospital dollars to an investment account that Dr. Duick owned. 

Kansas Heart Hospital also claims the three caused it to lose out on $4.4 million in CARES Act payments. The funds were returned to avoid a federal audit, the lawsuit alleges, but the former executives said the funds were returned because the hospital hadn’t treated any COVID-19 patients.

Dr. Duick also retired from his role in fall 2020. He is named in the lawsuit but is not a defendant, and did not immediately return KAKE‘s request for comment.

In a statement to KAKE, an attorney for Ms. Heismeyer and Mr. Smith said, “Joyce and Steve vehemently deny the allegations and will aggressively defend themselves and expect to clear their names in court.” Additionally, the statement said, “We are disappointed by the Kansas Heart Hospital’s plan to sue and tarnish the reputations of two long time employees.”

As fraud rises, CFOs must approach numbers skeptically, report finds

https://www.cfodive.com/news/Center-Audit-Quality-financial-reporting-fraud/593123/

Executives might be committed to accuracy, but middle managers and others throughout the organization must be on board, too.

The pandemic is increasing financial reporting fraud, putting the onus on CFOs to create an organization-wide system that prevents wrongdoing, a coalition of auditing and other oversight groups said in a report released today.

Financial statement fraud in public companies is real and that risk has only increased during the Covid-19 pandemic,” said Julie Bell Lindsay, executive director of the Center for Audit Quality, one of four groups to release the report.

To help ensure the integrity of their company’s financial reporting, CFOs can’t rely on external auditors as their bulwark against fraud; they must weave protection into the fabric of the organization and exercise the same skepticism toward numbers auditors are trained to do.

“The strongest fraud deterrent and detection program requires extreme diligence from all participants in the financial reporting system,” Lindsay said. “Certainly, you have internal and external auditors, but you also have regulators, audit committees and, especially, public company management.”

Heightened stress

The report looks at SEC enforcement data from 2014 to 2019, a period of relative calm Linsday said can help set a baseline for assessing how much in pandemic-caused fraud regulators will find when they do their post-crisis analysis.

“The timing of this report is really a great way to … remind all the folks in the financial reporting ecosystem that … the pressures for fraud to happen are strong right now,” she said. 

Improper revenue recognition comprises about 40% of wrongdoing in financial reporting, more than any other type, a finding that tracks an SEC analysis released last August. 

Companies tend to manipulate revenue in four ways:

  1. The timing of recognition
  2. The value applied
  3. The source
  4. The percentage of contract completion claimed

The report singles out revenue-recognition manipulation by OCZ Technology Group, a solid-state drive manufacturer that went bankrupt in 2013, as a typical case.

The company had to restate its revenues by more than $100 million after it was caught mis-characterizing sales discounts as marketing expenses, shipping more goods to a large customer than it could be expected to sell, and withholding information on product returns.

The CEO was charged with fraud and the CFO with accounting, disclosure, and internal accounting controls failures.

The report lists three other common types of fraudmanipulation of financial reserves, manipulation of inventories, and improper calculation of impairment.

Reserve issues involve how, and when, balances are changed, and how expenses are classified; inventory issues involve the amounts that are listed and how much sales cost; and impairment issues involve the timing and accuracy of the calculation. 

Increase expected

More of these kinds of problems will likely be found to be happening because of the pandemic, the report said. 

“This is where all of this comes to a head,” Lindsay said. “You certainly can see pressure, because some companies are struggling right now and there can be pressure to meet numbers, analysts expectations.”

The pressure finance professionals face is part of what the report calls a “fraud triangle,” a convergence of three factors that can lead to fraud: pressure, opportunity and rationalization.

In the context of the pandemic, pressure comes as companies struggle with big drops in revenue; opportunity arises as employees work remotely; and the rationalization for fraud is reinforced by the unprecedented challenges people are facing. 

“It could be anything,” said Lindsay. “‘My wife just lost her job, so I need to make up for it.'”

The report lists fraud types that analysts expect are rising because of the pandemic:

  • Fabrication of revenue to offset losses.
  • Understatement of accounts receivable reserves as customers delay payments. 
  • Manipulation of compliance with debt covenants. 
  • Unrecognized inventory impairments.
  • Over- or understated accounting estimates to meet projection.

About a dozen types in all are listed. 

“Past crises have proven that at any time of large-scale disruption or stress on an economy or industry, companies should be prepared for the possibility of increased fraud.” the report said. 

Lindsay stressed three lessons she’d like to see CFOs take away from the report.

First, the potential for fraud in their companies shouldn’t be an afterthought. Second, protection against it is management’s responsibility but there’s also a role for company’s audit committee, its internal auditors and it’s external auditors. Third, CFOs and the finance executives they work with, including at the middle management level, must bring that same skepticism toward the numbers that auditors are trained to bring.

“Professional skepticism is a core competency of the external auditor and, quite frankly, the internal auditor,” she said. “Management and committee members are not necessarily trained on what it is, but it doesn’t mean you shouldn’t be exercising skepticism, [which is] asking questions about the numbers that are being reported. Is this exactly what happened? Do we have weaknesses? Do we have areas of positivity? It’s really about drilling down and having a dialogue and not just taking the numbers at face value.”

In addition to the Center for Audit Quality, Mitigating the Risks of Common Fraud Schemes: Insights From SEC Enforcement Actions was prepared by Financial Executives International, The Institute of Internal Auditors and the National Association of Corporate Directors.

Beaumont victimized by medical equipment thieves, feds say

https://www.detroitnews.com/story/news/local/michigan/2021/01/14/beaumont-victimized-medical-equipment-thieves-feds-say/6655265002/

The indictment describes an inside job involving Beaumont employees who sold stolen sponges, adhesives and instruments used to inspect eyes and ears. The equipment included cystoscopes, a thin tube with a camera that is inserted through the urethra and into the bladder.

“Some of the medical devices stolen and re-sold over the Internet were possibly contaminated devices that were previously used in various surgical and other medical procedures on patients,” according to the indictment.

The three individuals charged in the indictment are:

  • Paul Purdy, 49, of Bellbrook, Ohio
  • Valdet Seferovic, 32, of Auburn Hills
  • Zafar Khan, 40, of Fenton

Purdy and Seferovic not respond to messages seeking comment Thursday while Harold Gurewitz, a lawyer for Khan, declined comment. The three defendants are scheduled to make initial appearances Jan. 21 in federal court.

“These defendants used their employment status to circumvent the safety protocols established by Beaumont Hospital to profit from the theft of medical devices and put the health and safety of the general public at risk in doing so,” U.S. Attorney Matthew Schneider said in a statement.

The wire fraud and conspiracy charges listed in the 18-count indictment are punishable by up to 20 years in federal prison.

Beaumont officials have cooperated fully with the investigation, health system spokesman Mark Geary wrote in an email to The Detroit News.

This kind of theft does a disservice to more than just Beaumont — it does a disservice to the community,” Geary wrote. “We have confidence in the legal process and trust a just result will be achieved.”

Purdy and Seferovic were friends who worked at Beaumont and had access to storage areas inside one of the system’s hospitals, prosecutors alleged. The duo gained access to medical supplies and devices, according to the government, and devised a plan to steal the equipment and sell the items throughout the U.S.

Purdy, who worked for Beaumont until resigning in 2017, never told buyers the items were stolen, prosecutors said. After he quit, Purdy recruited Seferovic to continue stealing items from the medical supply, cleaning and disinfecting rooms, according to prosecutors.

“Medical devices that are removed from their rightful place in a hospital or other medical setting put patients’ health at risk by denying them access to needed diagnostic imaging and treatment,” Lynda Burdelik, special agent in charge of the U.S. Food and Drug Administration’s Criminal Investigations field office in Chicago, said in a statement.

Purdy paid Seferovic for stolen items via PayPal and resold the devices on eBay and Amazon, according to the government. On March 28, 2018, the indictment alleges Purdy received a $4,800 wire payment from the sale of two cystoscopes.

That same day, Seferovic received a $2,550 payment via PayPal, according to the government.

In fall 2017, Seferovic also agreed to steal and sell medical devices and supplies to Khan, who owns Wholesale Medical & Surgical Suppliers of America, LLC in Flint, according to the indictment.

Seferovic would transfer stolen supplies to Khan during meetings in metro Detroit, including at a Walmart parking lot, according to the indictment. Khan, in turn, would sell the supplies and devices online at below retail price.

Seferovic’s job duties and status was unclear Thursday.

The investigation and alleged crimes have prompted internal changes at Beaumont.

“…Beaumont has enhanced security protocols and implemented additional checks and balances across the organization to reduce the chances of something like this happening again,” Geary said.

Wisconsin health-care worker ‘intentionally’ spoiled more than 500 coronavirus vaccine doses, hospital says

A hospital employee outside Milwaukee deliberately spoiled more than 500 doses of coronavirus vaccine by removing 57 vials from a pharmacy refrigerator, hospital officials announced Wednesday, as local police said they were investigating the incident with the help of federal authorities.

Initiating an internal review on Monday, hospital officials said they were initially “led to believe” the incident was caused by “inadvertent human error.” The vials were removed Friday and most were discarded Saturday, with only a few still safe to administer, according to an earlier statement from the health system. Each vial has enough for 10 vaccinations but can sit at room temperature for only 12 hours.

Two days later, the employee acknowledged having “intentionally removed the vaccine from refrigeration,” the hospital, Aurora Medical Center in Grafton, Wis., said in a statement late Wednesday.

The employee, who has not been identified, was fired, the hospital said. Its statement did not address the worker’s motives but said “appropriate authorities” were promptly notified.

Wednesday night, police in Grafton, a village of about 12,000 that lies 20 miles north of Milwaukee, said they were investigating along with the FBI and the Food and Drug Administration. In a statement, the local police department said it had learned of the incident from security services at Aurora Health Care’s corporate office in Milwaukee. The system serves eastern Wisconsin and northern Illinois, and includes 15 hospitals and more than 150 clinics.

Leonard Peace, an FBI spokesman in Milwaukee, would not comment on the Bureau’s involvement but said of the episode, “We’re aware of it.” The FDA did not immediately respond to a request for comment.

The tampering will delay inoculation for hundreds of people, Aurora Health officials said, in a state where 3,170 new cases were reported and 40 people died Wednesday of covid-19, the disease caused by the coronavirus, according to The Washington Post’s coronavirus tracker.

“We are more than disappointed that this individual’s actions will result in a delay of more than 500 people receiving the vaccine,” the health system said in a statement.

The Wisconsin incident comes as states continue to grapple with a bumpy rollout of the first doses of the Moderna and Pfizer-BioNTech vaccines, which were approved less than a month ago and prioritized for health-care workers and residents and staff of long-term care facilities. So far, distribution has lagged well behind federal projections, raising doubts about whether the outgoing administration will meet its already revised goal of 20 million vaccines distributed by the end of the year.

As of Wednesday, the Centers for Disease Control and Prevention said 12.4 million doses of the vaccine had been distributed across the United States, but only 2.6 million of those had been administered. (This means that just 1 in 125 Americans has received the first dose of the vaccine.) Trump administration officials have said these numbers lag behind the actual pace of vaccination, which they also vowed would accelerate starting next week.

The Moderna and Pfier-BioNTech vaccines, the first two regimens to gain regulatory approval for emergency use, are two-shot protocols with intricate logistical requirements. Moderna’s vaccine doesn’t require subarctic temperatures, as does the Pfizer product, but it does need to be kept cold. It can be stored at freezer temperatures for six months, the company says, and kept at regular refrigerated conditions for 30 days. It can be maintained at room temperature for only 12 hours, though, and can’t be refrozen once thawed.

Complex storage requirements are among the reasons state officials are imploring providers to administer vaccine quickly once it is received.

In its original statement, Aurora Health said it had successfully vaccinated about 17,000 people over the previous 12 days. Its initial review, it said, had found that the 57 vials were simply not returned to the refrigerator after “temporarily being removed to access other items.”

The hospital apologized, saying, “We are clearly disappointed and regret this happened.”

It is not clear what motive the employee may have had to spoil the vaccine doses. The hospital said it would release more details about its investigation Thursday.

Former Tennessee hospital manager charged with stealing nearly $800K in supplies

https://www.beckershospitalreview.com/supply-chain/former-tennessee-hospital-manager-charged-with-stealing-nearly-800k-in-supplies.html?utm_medium=email

Employee Theft Quotes. QuotesGram

A former worker at Maury Regional Medical Center in Columbia, Tenn., was charged with stealing nearly $800,000 worth of medical supplies from the hospital and selling them online for his personal benefit, Williamson Source reported. 

Former system coordinator Tommy John Riker allegedly stole $798,265 worth of supplies from the hospital between 2017 and 2019. He worked in the hospital’s supply chain department and was responsible for purchasing and managing items in the hospital’s inventory control system.

His job allowed him to steal items from the hospital’s inventory and manipulate the inventory to make it seem the supplies were given to staff, according to investigators from Tennessee’s Comptroller’s Office, the Williamson Source reported. 

The stolen supplies include needles, wound dressings and surgical dressings, according to the comptroller’s report. 

Mr. Riker was indicted on one count of theft over $250,000 and 54 counts of money-laundering.

Read the full article here

Chicago hospital defeats allegations of ‘ghost payroll’ scheme

https://www.beckershospitalreview.com/finance/chicago-hospital-defeats-allegations-of-ghost-payroll-scheme.html?utm_medium=email

False Claims Act & Physicians - Basic Primer

An Illinois federal court has dismissed a whistleblower lawsuit alleging University of Chicago Medical Center, Medical Business Office and Trustmark Recovery Services violated the False Claims Act, according to Bloomberg Law

MBO and Trustmark provided medical billing and debt collection services for UCMC. The whistleblowers, Kenya Sibley, Jasmeka Collins and Jessica Lopez, alleged MBO and Trustmark engaged in a “ghost payroll” scheme that involved regularly falsifying UCMC invoices, listing employes who didn’t work on the hospital’s collections and time charges from people who were not employees.

The whistleblowers, former employees of MBO and Trademark, alleged the companies and UCMC knew about the “ghost payroll” scheme, and that the allegedly falsified invoices caused the hospital to report overstated wages to the federal government, triggering a larger Medicare reimbursement than it was entitled to.

The complaint further alleged that MBO and Trustmark engaged in a “bad debt” scheme. “MBO would regularly write-off Medicare bad debts for amounts a Medicare beneficiary owed without conducting a reasonable collection effort, when Medicare beneficiaries were still paying on the debts, or when Medicare beneficiaries did not actually owe a debt,” the amended complaint states.

After writing off the bad debt, MBO would allegedly send the bad debt to Trustmark or another collection agency for further collection efforts.

On Sept. 14, Judge Harry Leinenweber of the U.S. District Court for the Northern District of Illinois dismissed the amended complaint, saying the whistleblowers failed to adequately allege the defendants engaged in a scheme to inflate bad debts and falsify invoices in University of Chicago’s cost reports. 

The allegations of a “ghost payroll” scheme fail because the whistleblowers failed to allege that defendants certified compliance with any regulation, which is required when filing a false claims case, the judge said in the decision. The amended complaint also fails to establish sufficiently UCMC’s knowledge of the alleged scheme.

The judge also ruled that the amended complaint failed to adequately allege a “bad debt” scheme. Allegations related to MBO’s and Trustmark’s bad debt reports to clients cannot satisfy the requirements to show that companies or their clients submitted improper claims for bad debt reimbursements to the government, reads the decision.