Sunday, 21 December 2014

Data breach trends for 2015: Credit cards, healthcare records will be vulnerable

The data breaches of 2014 have yet to fade into memory, and we already have 2015 looming. Experian's 2015 Data Breach Industry Forecast gives us much to anticipate, and I've asked security experts to weigh in with their thoughts for the coming year as well.

Experian highlights a number of key factors that will drive or contribute to data breaches in 2015. A few of them aren't surprising: Organizations are focusing too much on external attacks when insiders are a significantly bigger threat, and attackers are likely to go after cloud-based services and data. A few new factors, however, merit your attention.

First, there is a looming deadline of October, 2015 for retailers to upgrade to point-of-sale systems capable of processing chip-and-PIN credit cards. As banks and credit card issuers adopt more secure chip-and-PIN cards, and more consumers have them in hand, it will be significantly more difficult to clone cards or perpetrate credit card fraud. That’s why Experian expects cybercriminals to increase the volume of attacks early in 2015, to compromise as much as possible while they still can.

The third thing that stands out in the Experian report is an increased focus on healthcare breaches. Electronic medical records and the explosion of health or fitness-related wearable devices make sensitive personal health information more vulnerable than ever to being compromised or exposed.

The risk of health-related data being breached is also a concern voiced by Ken Westin, security analyst with Tripwire. He pointed out that part of the reason retail breaches have escalated is that cybercriminals have developed the technologies and market for monetizing that data. “The bad news is that other industries can easily become targets once a market develops for the type of data they have. I am particularly concerned about health insurance fraud—it’s driving increasing demand for health care records and most healthcare organizations are not prepared for the level of sophistication and persistence we have seen from attackers in the retail segment.”

“There will absolutely be more breaches in 2015—possibly even more than we saw in 2014 due to the booming underground market for hackers and cybercriminals around both credit card data and identity theft,” warned Kevin Routhier, founder and CEO of Core Telligent. “This growing market, coupled with readily available and productized rootkits, malware and other tools will continue to drive more data breaches in the coming years as this is a lucrative practice for enterprising criminals.”

The rise in data breach headlines, however, may not necessarily suggest an increase in actual data breaches. It’s possible that organizations are just getting better at discovering that they’ve been breached, so it gets more attention than it would have in previous years.

Tim Erlin, director of IT risk and security strategy for Tripwire, echoed that sentiment. “The plethora of announced breaches in the news this year is, by definition, a trailing indicator of actual breach activity. You can only discover breaches that have happened, and there’s no indication that we’re at the end of the road with existing breach activity. Because we expect organizations to improve their ability to detect the breaches, we’ll see the pattern of announcements continue through 2015.”

The combination of a rise in actual data breach attacks and an increase in the ability to discover them will make 2015 a busy year for data breaches. Whether we’re defending against new attacks, or just detecting existing breaches that have already compromised organizations, there will be no shortage of data breach headlines in 2015.

For more info: Westhill Insurance Consulting Data breach trends for 2015: Credit cards, healthcare records will be vulnerable.


Sunday, 14 December 2014

Medicare Overbilling Probes Run Into Political Pressure

When investigators suspected that Houston’s Riverside General Hospital had filed Medicare claims for patients who weren’t treated, they moved to block all payments to the facility. Then politics intervened.

Rep. Sheila Jackson Lee, a Texas Democrat, contacted the federal official who oversees Medicare, Marilyn Tavenner, asking her to back down, according to documents reviewed by The Wall Street Journal. In a June 2012 letter to Ms. Tavenner, Rep. Jackson Lee said blocking payments had put the hospital at financial risk and “jeopardized” patients needing Medicare.

Weeks later, Ms. Tavenner, administrator of the Centers for Medicare and Medicaid Services, instructed deputies to restore most payments to the hospital even as the agency was cooperating in a criminal investigation of the facility, according to former investigators and documents. “These changes are at the direction of the Administrator and have the highest priority,” a Medicare official wrote to investigators.

About two months after that order, Riverside’s top executive was indicted in a $158 million fraud scheme. The hospital was barred from Medicare this May, and the CEO was convicted in October.

What happened at Riverside General Hospital shows how political pressure from medical providers and elected officials can collide with efforts to rein in waste and abuse in the nearly $600 billion, taxpayer-funded Medicare system. More than a dozen former investigators and CMS officials said in interviews that they faced questions from members of Congress about policy changes or punitive action affecting providers or individual doctors.

Ricky Sluder, a former senior investigator for a Medicare contractor who oversaw part of the Riverside investigation, said “it was extremely frustrating to stall an investigation to give some explanation to a lawmaker. It’s providers’ way of using political power.”

In an emailed statement, Medicare administrator Ms. Tavenner said the Riverside episode “reflected the tension between fraud prevention and access to care.” She said she wasn’t aware of the pending indictments and that her job required her to “balance two important policy goals” — saving taxpayer money and protecting Medicare’s beneficiaries.

A spokesman for Rep. Jackson Lee declined to comment.

Medicare has reported that during the 2013 fiscal year, waste, fraud and abuse accounted for an estimated $34.6 billion in improper payments to medical providers. CMS says it clawed back about $9 billion that year through audits and investigations.

Medicare hires contractors to enforce antifraud rules and fight improper billing. The contractors can suspend payments to doctors and hospitals and revoke billing privileges. They also can block some payments to review claims — called “prepayment review.”

Such actions can squeeze medical providers and even threaten to put them out of business. Medical providers sometimes seek help from elected officials. Politicians have a stake in such disputes: Health providers often provide jobs and valued services in their districts, and can be campaign contributors.

Houston’s Riverside hospital, for example, had treated patients in that district for nearly 100 years and employed about 200 in 2011.

Ted Doolittle, a former deputy director of the Center for Program Integrity, CMS’s antifraud unit, said most legislators support Medicare’s efforts to fight fraud. But “the member who just lost 150 jobs in her district at the hands of faceless Washington bureaucrats, she is flipping livid,” he said.

Mr. Doolittle, who left the agency in May and joined law firm LeClairRyan, said the antifraud office should be sheltered from political pressure, which he said can interfere with investigations. CMS’s top fraud investigator reports to Ms. Tavenner, who was appointed by President Barack Obama in 2011 and whose agency is overseen by Congress.

In her statement, Ms. Tavenner said: “I must be available and responsive to each of the constituencies that CMS serves, including our beneficiaries, professional associations and elected officials.”

Over the past five full years, medical providers and health-care interests spent $2.5 billion lobbying federal officials and lawmakers, according to the Center for Responsive Politics, fueled in part by a surge before passage of the 2010 health law. That constitutes 15% of all federal lobbying over that period.

The health-care industry long has contributed to lawmakers who oversee government health spending. In the current election cycle, for example, hospitals and nursing homes gave $218,800 to Rep. Kevin Brady, the Texas Republican who became chairman of the House Ways and Means health subcommittee last year, through his personal campaign fund and two political-action committees, according to the Center for Responsive Politics. Those contributors gave $39,500 to him in 2012 when he didn’t hold the key position, and when his overall contributions also were less. Prior chairmen of health committees also saw jumps in such donations.

The Ways and Means Committee crafted a March bill that barred Medicare recovery auditors from scrutinizing short hospital stays — historically, an area of concern for incorrect payments — until April 2015. Last month, Rep. Brady put forward a discussion draft for a bill to overhaul audits of those short stays and provide a “comprehensive solution” to hospital payments for those visits, according to a statement from his office.

Hospital lobbyists credited the Ways and Means Committee and Rep. Brady for helping on the audit issue.

A spokeswoman for Rep. Brady said he supports the Medicare audit program “and wants to ensure it is accomplishing its mission — deterring fraud, waste and abuse.” But the current rules for short hospital stays, she said, are “arbitrary” and lack “clinical basis.” She said the March decision was made by Republican leaders in the House.

Medicare providers under investigation sometimes contact lobbying organizations for help.

Medicare investigators began looking into Florida skilled-nursing facilities in 2011 and found what they considered suspicious billing patterns at 33 homes. CMS contractor SafeGuard Services LLC was concerned about how often Florida nursing facilities were charging for the costliest physical and occupational-therapy services, according to documents. About a quarter of the 33 facilities were paid at least 20% more a day than their local rivals, a Journal analysis of Medicare data found.

Three of the 33 are owned by Plaza Health Network. Plaza Chief Executive William Zubkoff previously ran a hospital that was barred in 2006 from billing Medicare and other federal health-care programs following fraud allegations. The U.S. attorney’s office for the Southern District of Florida also is investigating whistleblower allegations that Plaza paid kickbacks for patient referrals between 2008 and 2011.

Lawyers for Plaza and Dr. Zubkoff said neither has done anything wrong and both are cooperating with the investigation. They said Dr. Zubkoff wasn’t personally accused of wrongdoing in the 2006 matter.

By 2012, the Medicare investigators had partially blocked payments to the 33 nursing homes.

Some of the nursing homes contacted the Florida Health Care Association, a trade group. It asked lawmakers and Florida Governor Rick Scott, a Republican, for assistance, according to the group’s director and emails.

Gov. Scott contacted Ms. Tavenner, according to a person familiar with the investigation. The two had once worked together at hospital operator HCA Holdings Inc., where both had been executives. The governor’s office connected CMS to the Florida Health Care Association. The trade group put an owner of two of the nursing homes, William Kelsey, on the phone with Ms. Tavenner.

Mr. Kelsey told her the prepayment reviews were “creating a real hardship on the business, staff and residents,” he recalled recently.

On Aug. 22, 2012, Ms. Tavenner ordered the agency’s antifraud officials to release payments for the 33 homes, including the two operated by Mr. Kelsey, according to emails.

A CMS spokesman said Ms. Tavenner got involved to ensure the agency was “preserving access and quality of care.” The spokesman said Ms. Tavenner “often discusses issues and concerns with elected officials . . . including Gov. Scott.”

In an email ordering SafeGuard to restore payments, John Spiegel, a Medicare antifraud official, said one reason for the action was that the nursing homes were “established providers with long-standing history.”

“Thanks to you and Governor Scott, some sanity has prevailed,” Florida Health Care Association Executive Director J. Emmett Reed wrote to a Scott staffer that Aug. 22.

The spokesman for Gov. Scott said he couldn’t confirm or deny that the governor called Ms. Tavenner about the nursing homes.

Medicare later told its antifraud contractors to avoid using “prepayment review” on skilled-nursing facilities without first receiving approval from CMS, according to documents. The CMS spokesman said the agency instructed contractors to use other approaches to recoup money before resorting to prepayment review.

Former investigators for SafeGuard, a unit of Hewlett-Packard Co., said that decision stripped them of an important tool for fighting fraud and chilled their nursing-home probe. SafeGuard referred questions to CMS.

The CMS spokesman said there is “no single viewpoint” about the value of various antifraud tools, and the agency must also consider patients’ access to care.

As of January 2014, none of the Florida nursing homes caught in SafeGuard’s probe faced any new prepayment action, a former investigator said.

The CMS spokesman said the agency advised law enforcement of its concerns about seven of the nursing homes and that its antifraud investigators referred 30 of them to another contractor to attempt to recoup excess payments.

Houston’s Riverside General Hospital already had been tangling with law enforcement before Rep. Jackson Lee contacted CMS.

In February 2012, in a separate case, the hospital’s assistant administrator, Mohammad Khan, pleaded guilty to defrauding Medicare, admitting that many services weren’t medically necessary and in some cases never provided.

By that time, Medicare antifraud contractor Health Integrity LLC had concluded that 88% of a sampling of Riverside’s partial-hospitalization claims — Medicare’s term for certain outpatient mental-health services — were incorrect, according to government records.

That June 8, Medicare suspended all payments to the facility and put its claims on prepayment review.

Then Rep. Jackson Lee jumped in. In a June 18 letter to Ms. Tavenner, she said the action could harm the “most vulnerable patients.”

Mr. Doolittle, a senior Medicare antifraud official at the time, responded in writing that “the balance favors protecting [Medicare] and the taxpayers,” and the agency would continue to block funds.

At a follow-up meeting that July with Medicare antifraud officials, Rep. Jackson Lee argued that Riverside was the area’s only provider of certain mental-health services, according to CMS investigation records.

Medicare antifraud officials determined that six other providers within 10 miles of Riverside offered the same services, records show, and they again declined to restore payments.

Rep. Jackson Lee spoke with Ms. Tavenner, according to people familiar with the investigation. Ms. Tavenner “listened to her concerns” about how the payment suspension could limit patients’ access to care, the Medicare spokesman said.

Afterward, Ms. Tavenner instructed her antifraud team to restore 70% of Medicare payments to Riverside, effective immediately, according to an email to contractors from a Medicare antifraud official.

At that time, a criminal investigation into Riverside executives, including CEO Earnest Gibson III, was already under way. Ms. Tavenner’s spokesman told the Journal she was unaware of details of the criminal investigation when she ordered the resumption of payments. However, Ms. Tavenner and senior Medicare officials had discussed the possibility of pending law-enforcement action in a conference call earlier the same day, according to one person who was on the call.

Two months after Ms. Tavenner ordered the payment release, federal agents arrested Mr. Gibson at the hospital and charged him with crimes related to health-care fraud.

Medicare officials resumed blocking payments to Riverside, according to investigation records. This May, Riverside’s Medicare billing privileges were revoked for two years, Medicare emails show. A lawyer for the hospital, Clement Aldridge Jr., said the facility now is “on its last breath,” with most of it closed.

Garnet Coleman, the state representative for Riverside’s district, said that after the payments stopped, “there were no patients, so there was no money.” He said low-income people now have fewer choices for psychiatric care.

“We need that kind of care in the community,” he said. But in the end, he said, it became clear to him that the person handling the disputed program “broke the rules.”

Mr. Gibson, the CEO, was convicted in October. His lawyer, Dick DeGuerin, said his client is innocent and is seeking a new trial.

In a recent interview, Mr. Gibson said he was unaware of fraudulent billing at the time, and that he later learned that an employee and some contractors submitted fraudulent bills for their own gain. He said executives sought to retract incorrect bills.

Mr. Gibson said he sought help from Rep. Jackson Lee to “make sure we got a fair shot.”

This June 12, Rep. Jackson Lee requested a phone meeting with Ms. Tavenner to discuss Riverside, an email shows.

CMS employees prepared talking points for Ms. Tavenner, advising her to inform the congresswoman that a revocation of hospital billing privileges is “appealable,” an email shows.

Asked about the June meeting, the Medicare spokesman said Ms. Tavenner “tries to listen to as many of the concerns that are raised as possible and ask many questions of our CMS staff to make sure we are preserving access and quality of care while aggressively preventing and punishing fraud.”


Sunday, 7 December 2014

There Is a Reason We Never Crack Down on Medicare Fraud

Did you know there’s a government program that gives more than $60 billion a year to felons and voracious, unscrupulous hospitals and doctors?

There is: improper health-care payments. In FY 2012, Medicare fee-for-service, Medicare Advantage, and Medicaid produced $61.9 billion in improper spending. $30 billion of that is Medicare alone. It should anger us, obviously, but also worry us, because the federal government is expanding its reach into the health-care market as we speak. 

Congress is doing very little to address all that fraud and waste, and the little it does is very ineffective. Nobody in the health care system has a real incentive to crack down on fraudulent or mistaken payments, so nothing gets done about it. In an eye-opening piece last year, Citizens Against Government Waste’s Leslie Paige laid out the efforts by health-care providers and some lawmakers from both parties to slow down the rate of improper payments through recovery audit contractors (RACs).

This means that wasteful and fraudulent spending will continue to cost taxpayers billions — when it doesn’t have to, or certainly doesn’t need to in the same proportion.

It has other tragic effects too. Case in point (via Michael Cannon): 

U.S. Attorney Barbara McQuade will seek life in prison for what she called “the most egregious” health care fraud case she has ever seen. McQuade said that in addition to insurance fraud, which involved a $35-million Medicare fraud scheme from 2009 until the present, Fata also harmed, and in some cases subsequently killed, his patients with dangerous chemotherapy drugs they did not need. According to government records, Fata’s medical practice included 1,200 patients. The formerly prominent cancer doctor will be sentenced in February before U.S. District Judge Paul Borman. The doctor’s bond was set at $9 million.

First and foremost, this fraudulent doctor caused suffering and even death. But the added tragedy is Medicare’s inability or unwillingness to prevent fraud. If he hadn’t been caught and stopped because of the vigilance of a nurse concerned for the welfare of her patients and a few others, the fraud would likely still be going on.