Alleged Fraud at Billing Firm Spotlights Insider Risks
Employee Charged With ID Theft, Medicaid Fraud
Federal prosecutors have announced the indictment of an employee of a Florida medical billing company in a case involving alleged identity theft and Medicaid fraud.
In a statement on Friday, the U.S. Department of Justice says Joshua Maywalt of Tampa was indicted on four counts of healthcare fraud and four counts of aggravated identity theft in a case involving fraudulent Medicaid billing.
Prosecutors are asking the court to compel Maywalt to forfeit $2.2 million and property alleged "to be traceable to proceeds of the offense."
Maywalt faces a maximum penalty of 10 years in federal prison for each of the healthcare fraud counts and up to two years' imprisonment for each aggravated identity theft count, the Justice Department says.
The defendant was a medical biller at a Florida company that provided credentialing and medical billing services for its medical provider clients.
"In that capacity, Maywalt was able to access and utilize the company's financial, medical provider and patient information," prosecutors say.
Maywalt was assigned to a Tampa Bay-area physician's account and was responsible for submitting claims to Florida Medicaid health maintenance organizations for services rendered by the physician to Medicaid recipients.
The indictment alleges that Maywalt abused his role at the medical billing company, which it does not name, by wrongfully accessing and using the firm's patient information and the physician's name and identification number to submit false and fraudulent claims to a Florida Medicaid HMO for medical services that were not actually rendered.
"Maywalt also altered the 'pay to' information associated with the Florida Medicaid HMOs' payment processor so that the payments for the non-rendered medical services were sent to bank accounts under Maywalt's control," prosecutors allege.
Court documents indicate that Maywalt pleaded not guilty and was released on bond.
The case against Maywalt "is another classic example of an 'insider threat,'" says retired FBI supervisory special agent Jason G. Weiss, an attorney at the law firm Faegre Drinker Biddle & Reath LLP.
"These threats are becoming the tail that wags the dog in the cybersecurity world. Last year, almost 70% of cyberattacks had an inside component," he says.
"This is a problem that appears to be growing and becoming a much more serious threat that medical providers need to not only be aware of but to begin implementing critical security controls to prevent these types of insider attacks."
To help mitigate the insider threat, he says, organizations should consider implementing administrative controls, such as "separation of duties," in which a second person is needed to approve and confirm certain insider actions, such as billing.
"There is no surefire 'iron shield' that will prevent or protect against all potential cybercrime, but the harder you make it for potential criminals, the less likely they may be to go down the road to fraud, misappropriation of funds and other types of cybercrime," he says.
The case against Maywalt also shines a spotlight on the importance of third-party risk management.
"It is critical when using third-party vendors to request criminal background checks and ... review these contractors' finances to see if there are any 'red flags' that need to be reviewed and/or addressed in a timely fashion," Weiss says.
Maywalt allegedly committed the crimes using protected health information maintained by his employer, a medical billing company - and that firm is a business associate under HIPAA, notes regulatory attorney Paul Hales of Hales Law Group.
"Business associates are required to follow HIPAA rules," and, in doing so, can help prevent noncompliance issues that could potentially lead to the types of crimes allegedly committed by Maywalt, he notes.
Steps called for under HIPAA include controls for access to PHI, log-in monitoring, audit controls and information system activity review, Hales says.
"The indictment indicates Maywalt continued to access PHI for 20 straight months to carry out his crimes," he says. "That suggests the business associate had serious deficiencies in its HIPAA security program."
The message to covered entities and business associates is clear, Hales says: "Covered entities must perform regular, effective due diligence on all business associates, and business associates must comply fully with the HIPAA."
To help prevent these types of insider incidents, Weiss recommends that companies conduct random logging, review event logs and audit the activities of all employees who have access to patients' medical and billing records to ensure that there are no anomalies that need to be addressed "before more rampant fraud takes place."
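As an added illustration of the controls described above (separation of duties for billing and "pay to" changes, audit controls and information system activity review), here is a small Python review pass over a constructed billing-system audit log. This is example code written for this page, not code from the article, from the unnamed billing company, or from any product; the log format, the field names, the user-to-provider assignment table and the three-month threshold are all assumptions made for the example.

```python
"""Audit-log review for insider-risk indicators in a medical billing system.

Constructed example: the log format and all identifiers below are invented.
Three checks are implemented:
  1. A payee ("pay to") change with no second approver, or self-approved.
  2. The same user both submits claims for a provider and changes that
     provider's payee details (a separation-of-duties gap).
  3. Sustained access to a provider account the user is not assigned to,
     measured as distinct calendar months of activity.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log, one event per line.
# Fields: timestamp, user, action, provider_id, approver (blank if none), detail
SAMPLE_LOG = """\
2023-01-05T09:12:00,biller_a,claim_submit,PRV100,,claim=C1
2023-01-05T09:15:00,biller_a,claim_submit,PRV100,,claim=C2
2023-01-06T14:02:00,biller_a,payee_update,PRV100,,account=ACCT-9
2023-01-07T10:00:00,biller_b,claim_submit,PRV200,,claim=C3
2023-01-08T11:30:00,admin_c,payee_update,PRV200,supervisor_x,account=ACCT-2
2023-02-01T08:00:00,biller_a,phi_access,PRV300,,patient=P7
2023-03-01T08:00:00,biller_a,phi_access,PRV300,,patient=P8
2023-04-01T08:00:00,biller_a,phi_access,PRV300,,patient=P9
"""

# Assumed assignment table: which provider accounts each biller is meant to work.
ASSIGNMENTS = {"biller_a": {"PRV100"}, "biller_b": {"PRV200"}}


def parse_log(text):
    """Parse the constructed CSV-style log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, provider, approver, detail = line.split(",", 5)
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "provider": provider,
            "approver": approver or None,
            "detail": detail,
        })
    return events


def find_findings(events, assignments, months_threshold=3):
    """Return a list of (rule, user, provider) tuples for each indicator found."""
    findings = []

    # Who submitted claims for each provider account.
    claim_submitters = defaultdict(set)
    for e in events:
        if e["action"] == "claim_submit":
            claim_submitters[e["provider"]].add(e["user"])

    # Checks 1 and 2: payee changes need an independent second approver, and
    # the person changing where money goes should not also be billing that account.
    for e in events:
        if e["action"] != "payee_update":
            continue
        if e["approver"] is None or e["approver"] == e["user"]:
            findings.append(("SOD_NO_SECOND_APPROVER", e["user"], e["provider"]))
        if e["user"] in claim_submitters[e["provider"]]:
            findings.append(("SOD_BILLER_CHANGED_PAYEE", e["user"], e["provider"]))

    # Check 3: activity on unassigned provider accounts, sustained across months.
    active_months = defaultdict(set)
    for e in events:
        if e["action"] in ("phi_access", "claim_submit") and \
                e["provider"] not in assignments.get(e["user"], set()):
            active_months[(e["user"], e["provider"])].add((e["ts"].year, e["ts"].month))
    for (user, provider), months in active_months.items():
        if len(months) >= months_threshold:
            findings.append(("SUSTAINED_UNASSIGNED_ACCESS", user, provider))

    return findings


def review(log_text=SAMPLE_LOG, assignments=ASSIGNMENTS):
    """Parse and review a log; returns the findings list."""
    return find_findings(parse_log(log_text), assignments)


if __name__ == "__main__":
    for rule, user, provider in review():
        print(f"{rule}: user={user} provider={provider}")
```

Run as a script it reports three findings on the sample: an unapproved payee change by biller_a, that same biller having both submitted claims and redirected payment for the account, and biller_a touching an unassigned provider's records in three consecutive months. The approved payee change by admin_c produces nothing, which is the point of the second-person control.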