Health Law Informer

On June 18, 2015, HHS Secretary Sylvia M. Burwell and DOJ Attorney General Loretta E. Lynch announced nationwide arrests in Medicare fraud schemes amounting to approximately $712 million in false billings.  Attorney General Lynch described the strike as “the largest criminal health care fraud takedown in the history of the Department of Justice, and it adds to an already remarkable record of enforcement.”

According to the Department of Justice Press Release the takedown was led by the Medicare Fraud Strike Force and resulted in 243 individuals, including 46 doctors, nurses and licensed medical professionals, being charged with Medicare fraud.  This Strike Force targeted false billings for the following services:

• Home Health
• Psychotherapy
• Physical and Occupational Therapy
• DME
• Pharmacy Fraud

The nationwide sweep included Florida, Texas, California, Louisiana, New York and Michigan.  Miami was a particular focus with 73 defendants charged and $263 million of false billings for home health, mental health and pharmacy services.

This nationwide sweep involved significant coordination between multiple government enforcement agencies and illustrates the government’s joint efforts to target health care fraud.  Included in the press conference were FBI Director James B. Comey, Assistant Attorney General Leslie R. Caldwell of the Justice Department’s Criminal Division, Inspector General Daniel R. Levinson of the HHS Office of Inspector General (HHS-OIG) and Deputy Administrator and Director of CMS Center for Program Integrity Dr. Shantanu Agrawal.

Assistant Attorney General Caldwell spoke and emphasized the Criminal Division’s increased focus on Medicare fraud stating,  “Every day, the Criminal Division is more strategic in our approach to prosecuting Medicare Fraud.  We obtain and analyze billing data in real-time.  We target hot spots – areas of the country and the types of health care services where the billing data shows the potential for a high volume of fraud – and we are speeding up our investigations.  By doing this, we are increasingly able to stop schemes at the developmental stage, and to prevent them from spreading to other parts of the country.”

For further information contact Ryan P. Blaney or any member of Cozen O’Connor’s health care team.

Health care providers, insurers and all who handle information on their behalf were put on notice last week that cybersecurity must be a high priority for their organizations. Anthem, Inc. (“Anthem”), the nation’s second largest health insurer, revealed on February 4, 2015 that its information technology (“IT”) system was victimized by a “very sophisticated” cyberattack that exposed the birthdates, social security numbers, street and email addresses and employee data (including income information) of approximately 80 million customers and employees. Anthem noted that the hackers apparently did not get any health information or credit card numbers in the attack, but that the hack did yield medical information numbers. Anthem discovered the breach on its own on January 29^th and contacted the FBI, which has started an investigation into the matter.

Large hospitals and health insurers are not the only ones at risk. As the Anthem attack illustrates, health information is a high priority target for cybercriminals. Currently a complete health record may be worth at least ten times more than credit card information on the black market as health records often include a treasure trove of personal information that can be used for identity theft and to file false health insurance claims. Further, the cybersecurity protections currently in place in the health care industry tend to lag behind those in the banking and financial sector, which makes the information vulnerable to cyberattacks by criminals who view the information as “low hanging fruit.”

Failure to have robust cybersecurity programs in place can have a devastating effect on any organization that experiences a data breach. Anthem has already been hit with putative class action lawsuits in Alabama, California, Georgia and Indiana alleging that Anthem did not have adequate security procedures in place to protect its customers and it is likely that more suits will follow. In addition to the FBI’s investigation into attack, Attorney Generals in New York, Connecticut and Massachusetts have indicated that they will be reaching out to Anthem for more information about the attack, the company’s security measures and how it plans to prevent future attacks.

The Anthem breach was the largest in the health care industry so far and may be a harbinger of things to come. The FBI and other security experts have been warning that the health care industry is a key target for cybercriminals, and a single security incident resulting in a data breach can have significant and immediate consequences that include government investigations, class action lawsuits, and a hit to the organization’s reputation. To manage this risk, we encourage all companies handling health information to create, review and update their data security policies and procedures to ensure that they are doing enough to adequately protect the health information maintained on their IT systems and elsewhere in their organization.

To learn more about strategies you can use to manage your exposure, join me at the upcoming panel discussion on “Cybersecurity and Healthcare: The Key to Limiting Your Risk is being Informed” at the Greater Philadelphia Alliance of Capital and Technologies seminar on Thursday, February 26, 2015 in West Conshohocken, Pennsylvania. Click here to register.

If you cannot make the event or would like to discuss your cybersecurity needs with me directly, please contact me, Greg Fliszar, at gfliszar@cozen.com.