In a Twist, Fraud Probe Reveals Breach
Federal Investigation Uncovers Exposure of Patient Data
When data breaches are discovered, affected individuals typically watch to see if they become victims of fraud. But in a twist, a breach of patient data on a Web portal was discovered during a lengthy criminal investigation into a multi-million-dollar fraud scheme targeting a New York-based managed care organization.
Healthfirst, a not-for-profit managed care organization affiliated with six large hospitals in the New York area, on July 24 began notifying 5,300 members and former members that their protected health information may have been compromised in the course of a criminal fraud scheme targeting the organization. The Department of Justice has been investigating the scheme, involving durable medical equipment billing fraud, since 2013.
Healthfirst says in a statement that the potentially compromised PHI includes names, addresses, dates of birth, health insurance plan information, physician numbers, Healthfirst member ID numbers, patient ID numbers, claim numbers, diagnosis codes, and Medicare and Medicaid ID numbers.
The Fraud Scheme
The managed care organization says it discovered in 2013 that it was the victim of billing fraud and notified the Justice Department.
Court documents indicate the federal investigation into the crimes resulted in the indictments of a brother and sister - Chikwere Onyekwere and Uchechi Onyekwere - who were registered owners and officers of purported durable medical equipment companies located in Brooklyn. They were charged with a number of counts, including healthcare fraud conspiracy, healthcare fraud and also 12 counts of HIPAA violations, involving wrongful disclosure of PHI.
Earlier this year, both Onyekweres pleaded guilty to healthcare fraud; they're awaiting sentencing this fall. Attorneys involved in the cases - including a public defender representing Chikwere Onyekwere and U.S. attorney Peter Baldwin, who is prosecuting the cases - declined to comment. However, a source familiar with the case tells Information Security Media Group that the HIPAA counts are expected to be dropped as part of the plea agreements.
Court documents indicate that the defendants face maximum sentences of 10 years of prison time.
The defendants, who also allegedly involved others in their scheme, submitted $13 million in fake claims to Healthfirst, of which $4 million were paid, federal authorities say.
In a statement released in May 2014 when the charges against the Onyekweres were first announced, the Justice Department said that beginning in approximately 2008 and continuing through at least the end of 2013, the defendants allegedly formed a series of sham durable medical equipment companies.
The defendants allegedly used the fake companies to submit fraudulent claims to Healthfirst for reimbursement for equipment "that was purportedly provided to the organization's members, many of whom were elderly or disabled and had insurance through Medicare Part C Advantage Plans or New York Medicaid Managed Care plans," federal prosecutors said.
"In an effort to make their sham companies appear legitimate, the defendants obtained tax identification numbers from the IRS, opened bank accounts and established phony business addresses for the sham companies at UPS Store locations and other addresses where the defendants lived. The defendants also gave names to the sham companies similar to durable medical equipment companies that were approved providers in the managed care organization's network of DME providers."
As part of the scheme, the defendants allegedly placed telephone calls in which they impersonated representatives of the approved DME providers to obtain preauthorization codes from Healthfirst for claim submissions.
The PHI Breach
During the federal investigation into the scam, law enforcement officials discovered that "the perpetrator had gained access to some member information and recently notified Healthfirst of that fact," according to a statement from the managed care organization. "Healthfirst immediately launched an investigation of its own and hired forensic experts to determine what patient data was accessed. On July 10, 2015, we determined that the perpetrator gained access to certain Healthfirst members' personal information between April 11, 2012, and March 26, 2014."
Frances Rao, Healthfirst vice president and chief compliance and privacy officer, explains to ISMG that by posing as a legitimate medical supplier, the fraudsters gained access to "a Web portal that providers use for their activities." Information about Healthfirst patients may have been stolen from that site, Healthfirst says in a statement.
Healthfirst is offering affected individuals one year of free identity and credit monitoring and restoration services, along with access to a confidential assistance line and an identity theft protection specialist.
"Healthfirst is taking steps to prevent a similar incident from occurring in the future, including reviewing and updating its policies, procedures and online portal security," the statement says.