Cybercrime , Fraud Management & Cybercrime , Fraud Risk Management

DOJ: Healthcare at Center of Biggest US Fraud Cases in 2021

Feds Collected $5 Billion in Settlements, Judgements With Health Sector Entities
DOJ: Healthcare at Center of Biggest US Fraud Cases in 2021

Of the $5.6 billion obtained by the Department of Justice in civil settlements and judgements involving false claims and fraud against the U.S. government in 2021, more than $5 billion - or nearly 90% - involved healthcare sector entities.

See Also: Securing Healthcare: Minimizing Risk in an Ever-Changing Threat Landscape

In a statement released Tuesday, the Justice Department says that healthcare fraud was by far the leading source of the False Claims Act settlements and judgments it collected for fiscal 2021, which ended Sept. 30, 2021.

More than $5 billion of the $5.6 billion collected in federal false claims and fraud cases involved healthcare industry entities, including drug and medical device manufacturers, managed care providers, hospitals, pharmacies, hospice organizations, laboratories and physicians, the Justice Department says.

Additional amounts were recovered for cases involving state Medicaid programs, it says.

"Ensuring that citizens' tax dollars are protected from fraud and abuse is among the department’s top priorities,” said Brian Boynton, acting assistant attorney general in the statement. "The False Claims Act is one of the most important tools available to the department both to deter and to hold accountable those who seek to misuse public funds."

Assorted Cases

Healthcare cases resolved last year include an array of false claims and other fraud, including Medicare billing involving manipulated diagnosis codes or for unnecessary medical services, unlawful kickbacks and COVID-19-related fraud under the Paycheck Protection Program, the Justice Department says.

Last year the Justice Department reached a $27 million settlement with medical device maker St. Jude Medical Inc. in a case involving allegations that the company, between November 2014 and October 2016, knowingly sold defective, implantable heart devices and failed to disclose serious adverse health events in connection with premature battery depletion in those devices. St. Jude Medical was acquired by Abbott Laboratories in January 2017.

Various St. Jude Medical/Abbott cardiac devices were also the subject of advisories from the Food and Drug Administration and the Department of Homeland Security in 2017 related to cybersecurity, battery and other potential safety problems (see: Abbott Issues Software Patches for More Cardiac Devices).

Another Justice Department collection last year was an $18.25 settlement with electronic health record technology vendor Athenahealth Inc.

That settlement resolved allegations that the company had violated the False Claims Act and Anti-Kickback Statute, including inviting customers and prospective clients to "lavish all-expense-paid events" to bolster sales.

The Justice Department alleged that as a result of the kickbacks, Athenahealth improperly generated sales while also causing healthcare providers to submit false claims to the federal government related to the HITECH Act financial incentive program for adoption and "meaningful use" of Athenahealth's EHR technology.

The largest healthcare sector False Claims Act cases in 2021 involved settlements totaling more than $600 million with prescription opioid manufacturers including Indivior Inc., Indivior plc and Purdue Pharma, the Justice Department says.

Long-Standing Problem

Some experts note that the healthcare sector has been at the center of some of the government's largest false claims, fraud and related whistleblower - or "qui tam" - cases for some time.

"Healthcare has been a leading source of false claims act and 'qui tam' cases since the 1990s," says privacy attorney Kirk Nahra of the law firm WilmerHale. "These fraud recoveries often are driven by healthcare cases - that’s been true for many years."

In some cases, the threat of malicious insiders - including those attempting to bypass data security controls - committing fraud "is a real issue, in healthcare and really any business," he says.

"It is a real security challenge. Typically, you would try to cut off access, but that often doesn’t work for a broad variety of employees," he says. For instance, customer service workers often need access to a great deal of information to do their jobs."

"Companies have to focus on a counteracting control. If you can’t cut off the front end access, you have to be more thoughtful and creative and aggressive on policing the back end."

Cyber-Fraud Initiative

The Justice Department says its Civil Cyber-Fraud Initiative launched in October 2021 will use the False Claims Act to combat new and emerging cyber threats.

Under the initiative, the DOJ says, it will pursue "misrepresentations by companies in connection with the government’s acquisition of information technology, software, cloud-based storage and related services designed to protect highly sensitive government information from cybersecurity threats and compromises" (see: U.S. DOJ to Fine Contractors for Failure to Report Incidents).

Justice Department officials say the initiative "will hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches."

The DOJ's pursuit of fraud and reporting failures comes amid an increase in cyberattacks targeting key sectors - including the SolarWinds breach in which Russia-linked actors compromised some 100 organizations globally as well as nine federal agencies.

There also have been crippling ransomware attacks, including one on Colonial Pipeline, which temporarily halted the East Coast's fuel supply; one on meat producer JBS USA; and one on managed service provider Kaseya, in which some 1,500 downstream organizations were crypto-locked last July.

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.