Preventing data breaches key to stopping Medicare fraud
DALLAS — Dwight Sandell, 72, was shocked when he reviewed his Medicare statement and found over $18,000 worth of charges from an out-of-state company for urinary catheters — items he never ordered or received.
"I went, I don't know what this is," recalled the Dallas resident.
Sandell promptly reported the suspected fraud to Medicare, only to be told that resolving the issue could take years. "I thought, how much fraud do they have? How many claims are they having to investigate that it is going to take that long?" he wondered.
For the past six months, the CBS News Texas I-Team has spoken with more than a dozen Medicare recipients who reported fraudulent activity on their accounts. According to a federal government report, an estimated $60 billion is lost annually to Medicare fraud.
Earlier this year, Medicare suspended the accounts of 11 medical suppliers suspected of fraudulently billing the government for nearly $3 billion worth of urinary catheters. One of these companies listed its headquarters at an office in Grand Prairie, but by the time its account was suspended, those in charge had long disappeared.
To understand the root of this problem, it's essential to know how fraudulent Medicare claims are submitted. Two key pieces of information are required: a patient's Medicare account number and a provider's identification number, known as the National Provider Identifier (NPI). Obtaining this information often involves hacking into a medical facility's computer system.
According to the FBI, healthcare organizations reported 725 data breaches last year, impacting more than 120 million people. This makes the healthcare sector the number one target of ransomware.
Cybersecurity expert Ben Singleton, owner of NetGenius in Arlington, said it's not a coincidence that Medicare fraud has increased as medical data breaches have become more prevalent.
Singleton explained that he believes these hacks on medical facilities are the direct result of the medical sector having some of the weakest cybersecurity rules of any federally regulated industry. "Until a breach happens and your medical information gets disseminated online, there's no enforcement of HIPAA regulations," Singleton said.
In May, the CEO of UnitedHealth Group, Andrew Witty, testified before the Senate Finance Committee about his company's cyberattack. Hackers had exploited servers from a UnitedHealth Group subsidiary that lacked multifactor authentication, allowing them to steal sensitive data. This breach potentially affected a third of all Americans.
Following the hearing, federal lawmakers introduced the Health Infrastructure Security and Accountability Act. This bill aims to set minimum cybersecurity standards, require annual audits, and remove the current limits on federal fines, ensuring that large corporations face penalties significant enough to discourage poor cybersecurity practices.
Reflecting on his experience, Sandell said, "It's our money. I want them to get on top of this and take Medicare rates down for their benefit and for all of us."