

What does cyber fraud look like for a hospital or a healthcare group? Where does it happen, and how can organizations protect themselves? As you assess the security of your organization, here are top trends, emerging threats and things to consider.

1. Don’t forget the basics

As complicated as cyber fraud may seem, don’t forget the basics. The scariest headlines for healthcare executives are about fraudsters using ransomware to shut down a system, as happened to the UK’s National Health Service in 2017. But a breach doesn’t require sophistication. “A lot of cyber fraud continues to be perpetrated via good old-fashioned phishing techniques,” says Charles Alston, Market Executive at Bank of America Merrill Lynch. “Fraudsters send an email that gets them into an organization. Then employees, oftentimes even though thoroughly trained, can make an error in judgment by clicking on a link or responding to a fraudulent email. That one action ends up pulling a thread that creates a system-wide problem.”

2. Watch for wire fraud

In addition to straightforward check and ACH fraud, “Healthcare is just as susceptible as any other business to wire fraud,” Alston says. In a wire fraud, the fraudster sends an email to a treasury employee that appears to be from a top-level executive in the organization; often it will be sophisticated enough to mimic the executive’s writing style, or arrive when the exec is at a conference or on vacation, and hard to reach. The message asks the recipient to wire funds to an account—again, presenting it as an emergency or time-sensitive situation. The recipient is reluctant to turn down the request, since it’s coming from management. “People ask, ‘Why would a controller or treasury employee respond to an email like that?’” Alston says. “Well, it appears legitimate, and it’s a rare event; no one has likely seen something like that before.

“And once that transfer is executed, the money is gone, because employees hadn’t been trained, or regularly reminded about such types of fraud, and there wasn’t a process in place to handle such situations. These are the situations that training can help avoid.”

3. Monitor for ransomware

Criminals’ use of ransomware is a threat that organizations should consider carefully, and will handle best if well prepared. One of the most effective preparation tools is a tabletop exercise that can walk the organization through a simulated ransomware event.

Doing a simulation can help answer the key questions: Would we be able to identify a situation and stop it? Would we be able to trace where it came from? Do we have all the right disciplines at the table? What kind of communications do we need to let people know what’s happening? Can we get the system back up? Many executives may be tempted to invest in cryptocurrency like Bitcoin, so they’re able to quickly pay in the event of a ransom demand, but should carefully consider whether paying a ransom is the best solution. Lynn Wiatrowski, National Treasury Executive at Bank of America Merrill Lynch, suggests that healthcare providers, who often train for emergency medical events and natural disasters, can apply those learnings to handle a cyber fraud event.

4. Tighten provider-insurer connections

The connections between healthcare providers and insurance companies can create cracks where cyber fraud can flourish. “The structure of health insurance involves a lot of transactions and a slow process, a complicated architecture. And there is a lot of money fueling the system,” says Roger Boucher, Market Executive at Bank of America Merrill Lynch. “The process of reimbursement creates a back and forth interaction that the patient never sees; it can be weeks or months of submission, denial, resubmission, correction, denial (again), before the bills are processed. That lag creates a vulnerability. With so much data traveling back and forth, and such delays in payment, crooks find a way to insert themselves in the gap.” He says healthcare providers need to assess, and continually re-assess, the reimbursement process to double check that insurance companies are sending payments to the correct entity.

5. Protect patient data

Patient data needs to be protected in as many ways as possible. Not only do healthcare providers need to be cognizant of patient privacy and HIPAA rules, they need to continually remind themselves that patient data is currency for criminals. As patient records are migrated from paper to digital forms, organizations need to be vigilant in keeping track of older records and how they are handled, stored or disposed of. Policies need to be in place to ensure safety, for instance, when employees handle patient data while working at home. Similarly, to keep records safe and up to date, providers need to regularly back up the data contained in their computer systems. Organizations will complain that backing up the database for the entire system is too time-consuming, or creates too much downtime. A solution is to break the data into smaller pieces, backing up a department or a piece at a time.

6. Keep tabs on third parties

Whether it’s insurance companies, labs, doctors’ offices or other partners, an organization is only as protected as the third parties it works with and shares its computer connections and its data with. “A healthcare organization should be asking, ‘Where is all my data going, and who is keeping an eye on it?’” Boucher says.

A strong vendor management program should include regularly checking the data protection policies and cybersecurity procedures of vendors, third-party services and strategic partners to make sure everyone is on the same page. “When contracts are reviewed, there should be an opportunity to build on a security element as well as outline liability of loss, if those items do not already exist,” Alston says.

7. Secure new equipment

The industry has been buzzing about how new products in the internet of things and medical devices are offering new entry points into a healthcare system. “When a hospital is introducing the newest, most sophisticated piece of medical equipment, thoughts are on the difference this new technology will make in patients’ lives, rather than considering that the new technology may also be introducing a cyberthreat,” Wiatrowski says. “It is not second nature to think about who is on the other end of those pieces of equipment, and what entry points may be introduced.”

8. Stay alert for new threats

Finally, remember that the threat environment will continue to evolve. Stay updated on the newest forms of cyberattacks by reading trade publications, attending conferences and webinars to share information with your peers, and comparing notes with your own strategic partners about what they are seeing. Says Alston, “There is a lot more ground to protect if you are in a healthcare organization, and a lot more opportunity for fraud to occur. And it’s hard to stop something if you have never seen it before. That’s why ongoing education and training are so important.”



Healthcare CEO sentenced to 19 years for $18M physical therapy fraud scheme


The former CEO of Team Work Ready, a Houston-based physical therapy chain, was sentenced June 1 to more than 19 years in prison for his role in an $18 million healthcare fraud scheme, according to the Department of Justice.

The sentencing came after a federal jury convicted Jeffrey Eugene Rose Sr. of healthcare fraud, conspiracy, wire fraud and money laundering in October 2016. Mr. Rose was one of three Team Work Ready executives convicted in the scheme.

According to federal prosecutors, Mr. Rose and his co-conspirators submitted $18.3 million in fraudulent claims for physical therapy services that were never provided through Mr. Rose’s 10 Team Work Ready clinics in Texas, Louisiana, Georgia, Tennessee and Alabama. The claims were submitted under the Federal Employees Compensation Act, which is administered by the Department of Labor’s Office of Workers’ Compensation Program.

In addition to the prison term, Mr. Rose was ordered to pay $14.5 million in restitution to the DOL’s Office of Workers’ Compensation Program.



Former finance director gets prison time for stealing $3.9M from UNC hospital



The former finance director for High Point (N.C.) Regional Hospital, part of Chapel Hill, N.C.-based UNC Health Care, was sentenced May 3 to 8.5 years in prison for embezzling $3.9 million from the hospital, according to the Department of Justice.

Kimberly Hobson worked in the accounting and finance department at High Point Regional Hospital for more than 20 years, most recently as finance director. She was fired after the hospital discovered her embezzlement in July 2017, according to the Winston-Salem Journal.

Ms. Hobson was charged with wire fraud, bank fraud and aggravated identity theft. She pleaded guilty in February.

Over a 10-year period, Ms. Hobson wrote checks to herself and her family members, which were deposited in her personal bank account. She also sent payments from hospital accounts to her personal loans and credit cards, used a hospital-issued credit card for personal expenses, and substituted her bank account for the direct deposit accounts of nine other employees, according to the DOJ.

“Today’s stiff sentence serves notice that white collar criminals will be brought to justice,” said U.S. Attorney Matthew G.T. Martin of the Middle District of North Carolina. “Thank you to the law enforcement officers with the Department of Treasury, U.S. Secret Service, Guilford County Sheriff’s Department, and High Point Police Department who have worked diligently to uncover Ms. Hobson’s fraud and seek restitution for the hospital.”


Florida hospital CEO charged with fraud after allegedly embezzling funds


Former chief executive of Calhoun-Liberty Hospital is charged with using money to pay various personal expenses.

A former Florida hospital CEO has been indicted by a federal grand jury on charges he embezzled money from the hospital where he worked through false billing practices and a shell company, according to the U.S. Department of Justice.

Phillip Hill Jr. of Blountstown, Florida, has been indicted on 24 counts of wire fraud and 4 counts of filing false tax returns. The indictment alleges that between 2010 and 2015, when Hill served in dual roles as Chief Executive Officer and department head of Emergency Management Services, he embezzled money from Calhoun-Liberty Hospital. According to the indictment, he billed the hospital for goods it never received using invoices in the name of “Southeastern Medical Supply,” a fake business connected to a bank account he himself controlled. The indictment also stated that Hill ordered medical supplies from eBay and other vendors, then billed the hospital for the supplies at price points far exceeding what Hill actually paid, the DOJ said.

According to the indictment, Hill used the funds in the Southeastern bank account to pay personal credit card bills, fund a business he owned and operated, to obtain cash, and to pay personal expenses including groceries and travel.

The DOJ also said the indictment indicated that an employee at the hospital once inquired after contact information for Southeastern Medical Supply, and Hill responded that he had lost his phone and didn’t have the number, and also that the last time he had “talked with” the company they were discussing going out of business.

The maximum penalty for each wire fraud count is 20 years in prison. The maximum penalty for each count of filing false tax returns is 3 years in prison.  A trial date of this July 2nd has been set. The case was investigated by the Internal Revenue Service — Criminal Investigation, the Florida Department of Law Enforcement, and the Blountstown Police Department.

Ex-director of finance accused of embezzling $3M from North Carolina hospital



High Point (N.C.) Regional Hospital’s former director of finance is accused of stealing more than $3 million from the hospital between Jan. 1, 2003, and Aug. 15, 2017, according to WXII 12 News.

According to a federal indictment, Kimberly Russell Hobson defrauded the hospital by issuing unauthorized and forged checks payable to herself and relatives. She’s also accused of using the hospital’s credit cards for personal expenses.

Ms. Hobson used money embezzled from the hospital to purchase luxury vehicles, a motorcycle and other items for personal use, according to court documents.

Ms. Hobson is charged with seven counts of wire fraud, two counts of bank fraud, five counts of aggravated identity theft, and one count of possessing and uttering counterfeit securities, according to the report.

A spokesperson for High Point Regional Hospital told WXII 12 News Ms. Hobson was removed from her position at the hospital last summer.


Former healthcare CFO sentenced to more than 3 years in prison for fraud


U.S. District Judge Malcolm J. Howard sentenced William Canupp, former CFO of Beulaville, N.C.-based Eastpointe Human Services, to 3 1/2 years for wire fraud, tax fraud and conspiracy to commit federal program fraud, according to The Wilson Times.

Mr. Canupp served as Eastpointe’s CFO from March 2010 to April 2013. Eastpointe manages the public sector behavioral health system for several counties in eastern North Carolina.

On May 24, 2016, a federal grand jury returned a 47-count indictment against Mr. Canupp, charging him with conspiracy, bribery, organization fraud, wire fraud and money laundering. The indictment was issued nearly one year after a state audit found Mr. Canupp had facilitated kickbacks from two Eastpointe contractors. The audit revealed Eastpointe paid two contractors more than $1 million for renovations from 2010 to 2013. Each time a check was received from Eastpointe, the contractor wrote a personal check to Mr. Canupp. The contractors paid the former CFO a total of $547,595.

Mr. Canupp pleaded guilty in March to conspiracy to commit federal program fraud, wire fraud and tax fraud, according to The Wilson Times.


Former Non-Profit Health Clinics CEO Sentenced to 18 Years for Funneling Millions in Grant Money to Private Companies


The former CEO of two Alabama health clinics has been sentenced to 18 years in prison for his role in a fraud scheme, according to the Department of Justice.

According to the DOJ, 53-year-old Jonathan Dunning left his post as CEO of Birmingham (Ala.) Health Care and Central Alabama Comprehensive Health in Tuskegee in 2008. However, he continued to exercise control over the two nonprofit health clinics and diverted government funds meant for the clinics to his own for-profit companies, according to the DOJ.

In June, a federal jury convicted Mr. Dunning of 62 counts of wire fraud, 33 counts of money laundering and two counts of bank fraud. A jury also found him guilty of one count of conspiracy, finding that he conspired with another person to commit wire fraud, bank fraud and money laundering.

Over a seven-year period, Mr. Dunning defrauded HHS, the Health Resources and Service Administration, the two clinics, a credit union and others out of more than $16 million, according to the government’s sentencing memorandum.

Former healthcare CFO charged with bribery, fraud


A federal grand jury returned a 47-count indictment Tuesday against the former CFO of a Medicaid-funded behavioral health system in North Carolina, according to the Department of Justice.

The indictment charged William Canupp, former CFO of Beulaville, N.C.-based Eastpointe Human Services, with conspiracy, bribery, organization fraud, wire fraud and money laundering. Eastpointe manages the public sector behavioral health system for several counties in Eastern North Carolina.