Welcome to the Pondera FraudCast, a weekly blog where we post information on fraud trends, lessons learned from client engagements, and observations from our investigators in the field. We hope you’ll check back often to stay current with our efforts to combat fraud, waste, and abuse in large government programs.
By this time, just about everyone has watched or read a news report about the WannaCry ransomware attack that hit the world’s computer networks on May 12th. Multiple variants of the program will likely attack computers for the foreseeable future, forcing individuals to pay bitcoin ransom or lose their data and causing serious harm to businesses including hospitals and governments.
Plenty has been written about the source of the attack and how it works. So, while every “connected” person should read about WannaCry to help protect themselves against future attacks, I don’t see any need to cover this ground here. For me, though, two interesting facets of the story really stand out.
First, I find it fascinating and somewhat inspiring that the attack was stopped by a 22-year-old vacationing cyber analyst who goes by the name MalwareTech, with assistance from his colleague Kafeine. These two, and countless others, operate in a world that most of us know almost nothing about to keep our systems safe. It reminds me of the classic Jack Nicholson speech from “A Few Good Men” where he excoriates Tom Cruise for challenging him while he protects our safety. Of course, in this example, there is no evidence of MalwareTech or Kafeine “fragging” any of their tech colleagues.
The second interesting point I took from this attack was that most of us could have protected ourselves simply by updating our operating systems and virus protection software. This is a conversation I’ve had innumerable times with my own family. Of course, this also puts software manufacturers in the difficult position of patching years-old operating systems to accommodate those who won’t or can’t upgrade.
Bottom line for me: this is just another reminder to remain vigilant and to be thankful for the computer techs who have dedicated their careers to protecting us from those who have chosen to attack us. I hope you can “handle that truth”.
One of my favorite websites, paymentaccuracy.gov, has received a number of updates which may provide some insight into the current administration’s priorities. If you haven’t done so already, I encourage you to visit the site as it provides improper payment information on the government’s high-priority programs: those that report over $750 million of improper payments in a year or have not established or reported on their error rates.
The current version of the site includes many of the usual suspects including Medicaid ($36.3 billion in errors), Medicare fee-for-service ($41.1 billion), and the Earned Income Tax Credit ($16.8 billion with a whopping 24% error rate). SNAP continues to be listed but still does not provide relative numbers because of inaccurate state reporting—something we have discussed in previous posts.
Other items of note are the inclusion of three Veterans Affairs programs for Disability Compensation, Community Care, and Purchased Long Term Services and Support. While the .59% error rate on the $64 billion Disability Compensation plan appears surprisingly low, the 75.86% error rate for the $4.7 billion Community Care program is likely the result of new reporting requirements… at least I genuinely hope so.
Other high error-rate programs include school nutrition services (both breakfast and lunch), student loan programs, and Unemployment Insurance which ticked up to 11.65% this year.
Regardless of political leanings, I think we can all agree that we want our tax dollars going to those who need them the most. And the transparency provided by paymentaccuracy.gov is a great step toward this goal. My hope is that the government will continue to provide easy access to this information. I am still disappointed each time I visit the expectmore.gov website (which reports on program performance, not just fraud, waste, and abuse) where I see the following message:
“Expect More.gov was an initiative of the George W. Bush administration. This website has been archived and is posted here as an historical resource. It has not been updated since the end of 2008 and links to many external websites and some internal pages will not work.”
Last month CNN published a horrifying report on sexual abuse in America’s nursing homes and assisted living facilities. The report provided details on dozens of assaults, rapes, and other incidents that, quite frankly, were extremely difficult to read. In my opinion, however, this level of detail is probably necessary to shock people into taking action against what CNN rightly labelled “an unchecked epidemic”.
The numbers themselves are devastating. Approximately one million senior citizens are currently residing in 15,000 government-regulated long term care facilities. Since 2000, it appears that over 16,000 cases of sexual abuse have been reported, but the number is probably higher because of complex reporting systems and processes. And it’s impossible to determine the number of unreported cases.
Between 2013 and 2016, CNN found that 1,000 government-regulated facilities had been cited for mishandling or failing to prevent sexual assaults. 100 of the facilities had been cited numerous times. And despite this, only 226 facilities were fined just $9 million. Only 16 of the facilities were cut off from Medicaid and Medicare!
What is as disturbing as the actual cases of abuse is the blatant disregard of safeguards and even the intentional impeding of investigations. Consider a case here in California where the employer allowed a nurse to continue working for weeks after reports of him kissing and fondling a female resident. This crime, by the way, resulted in only a $27,000 fine.
At Pondera, we often say that fraud and abuse is most prevalent at the intersection of large amounts of money and vulnerable populations. This makes nursing homes “ground zero” for abuse because it is here that the escalating costs of long term care combine with dementia and other health issues that can make senior citizens problematic witnesses.
Among several recommendations made by CNN was a call for improved reporting systems. We agree that this is an important piece of the solution. It will provide greater transparency and help regulators identify trends and clusters of abuse. But clearly, stricter oversight and enforcement are needed. So too is the type of no-nonsense reporting that CNN did for this report.
It’s April, which every year brings more news about tax fraud scandals. The news this year, however, is even more disturbing than expected. IBM’s X-Force threat intelligence group released a report last week that showed a 6,000% increase in spam emails designed to steal information from W-2s and other tax documents. Last year, these criminals “earned” over $3 billion through similar scams. And if you were one of the victims, then you are already familiar with the hassles of having your return stolen or a completely false one filed using your identity.
The continuing use of the Dark Web is a major factor behind the acceleration in this form of cybercrime. Stolen identities that include tax information are currently fetching around $40 on illicit marketplaces. While this may not seem like much, it is extremely lucrative when a phishing scam succeeds at stealing thousands of identities. So lucrative, in fact, that would-be scammers can even visit the Dark Web to buy online tutorials on how to perpetrate tax fraud.
Popular scams this year include sending emails that appear to be sent from TurboTax and other tax preparation companies. The hope is that you respond because you use that tax service. So-called spear-phishing scams are also targeting corporate human resource departments. They will often send an email to an HR manager, seemingly from a member of the company’s executive staff, requesting W-2 and other tax information on the company’s employees.
Cybercriminals will continue to hone their skills resulting in more convincing emails and websites. They will continue to take advantage of technologies that allow them to increase the number of outbound messages. And they will continue to learn and share new techniques on the Dark Web. This means that all of us, as businesses and as private citizens, need to step up our efforts to protect data. These days, it’s no longer just “a fool and his money” who are soon parted.
At Pondera, we are often asked whether fraud detection algorithms will ever completely replace human investigators. And while I can’t address the “ever” part of the question, I can confidently state that it will not happen in the foreseeable future. One of the major reasons for this? Prediction models, like many people, struggle to distinguish between cause and effect.
A Stanford University professor recently shared her studies on this topic which support many of our own findings. She noted that while prediction algorithms are excellent at finding patterns in large data sets, their effectiveness is limited because they struggle with determining causation. An example she used is that algorithms have been shown to help identify patients who should not receive hip surgery because they would likely die of other causes. However, the algorithms are unable to prioritize those patients who should receive the surgery.
In several cases, the professor notes that correlation can be as low as 50%. And she properly notes that while this may be fine in certain situations, governments simply cannot conduct such high-risk experiments with social welfare, economic policies, and other important matters. And unlike controlled environments, such as those that use placebos to test medications, the real world is simply too messy and unpredictable to control all factors.
This problem of causation identifies an important intersection between human reasoning and prediction algorithms. We believe that in complex, rapidly changing environments like fraud detection, effective detection systems combine the power of modern detection algorithms with experienced human reasoning.
By leveraging the individual strengths of both machine and human learning, we can analyze massive data sets and make sense of the findings. We regularly use the system to find the problem and ask the human experts to help explain the problem. This makes the results actionable, which ultimately is what our government partners require.
A recent arrest in New York City illustrates a common fraud method that Pondera has been talking about for years: falsifying an identity (of an individual or business) and using it across multiple states, or in this particular case, across multiple subsidy programs within a state.
In February of this year, the New York State Attorney announced the arrest of several individuals allegedly involved with a fraudulent medical supply company. The company’s owner operated under a false social security number and billed the State Medicaid system for an expensive nutritional formula required by patients with feeding tubes. In actuality, when they delivered the service at all, they dispensed lower-priced Pediasure to dramatically increase their profits—apparently ignoring the health consequences to the patient.
But, as is often the case with bad actors, they didn’t stop there. In addition to their fraudulently obtained Medicaid profits, the fraudsters also used their fake socials and claimed income of less than $800 per month in order to qualify for Welfare payments. This despite the fact their medical “business” incomes were over $180,000 per year. It would not surprise me to learn that these same people were operating in other subsidy programs or in neighboring states.
This is a disturbing, but somewhat logical, pattern that we see again and again. When someone goes to the trouble of creating a fake identity or business, they use it to generate as much income as possible. They “fly below the radar” of each individual program (or state) to avoid detection, but the fraud can be very lucrative in aggregate.
The obvious solution to this is increased cooperation and data sharing across programs within a state and across states. The federal government has made significant efforts to support data sharing including the List of Excluded Individuals and Entities (LEIE), the Death Master File, and the Prisoner Update Processing System (PUPS) which can help identify claims that are fraudulently made by ineligible, deceased, or incarcerated identities.
Our hope is that these efforts expand, including at the state level, where multiple agencies cooperate to identify cross-program fraud schemes. It is not enough to detect and then stop individual incidents of fraud. Many of these incidents are too small, when viewed as discrete occurrences, to warrant prosecution. Knowing this, enterprising fraudsters “sprinkle” their claims across multiple jurisdictions to avoid attention.
Unfortunately, as was the case in New York, even these smaller, distributed fraud efforts can have an impact on patient health. The good news is that New York detected and put an end to this incident. But we all know there are thousands of similar cases each year.
Earlier this year, four government agencies – Commerce, Health and Human Services, Energy, and the Environmental Protection Agency – received letters from Congress directing them to provide documents and comments detailing their efforts to “identify waste and… to achieve budget savings in the next five years.” The letter referenced a report from the Pentagon that identified a “clear path” to saving over $125 billion over five years, which was subsequently suppressed because of the dramatic findings.
The Washington Post, which was mentioned in the letter from Congress, exposed the Pentagon’s internal study in December 2016. The Post explained the reason the Pentagon buried the study was that they feared Congress would cut their budget if they knew of the waste. Incredibly, the “clear path” to savings did not even require layoffs. Rather it would use attrition, early retirements, reductions in expensive contractors, and modern technology to streamline operations.
To put the size of the problem in perspective, the study showed that the defense department paid over 1 million back-office staff to support 1.3 million active duty troops (the smallest number of troops since 1940). Thanks to these large numbers, the savings from streamlining could have led to reallocating up to $125 billion for troops and weapons and rebuilding the nation’s aging nuclear arsenal. But apparently, some Pentagon officials decided that protecting against budget cuts was more important.
The four agencies who received the letter from Congress have until March 10th to respond. Their response must provide a copy of their internal reports similar to the Pentagon report, lessons learned for their department if they do not have a similar report, and any efforts the department has made to combat waste. Given that these four agency budgets total over $1 trillion, twice that of the Department of Defense, there should be ample opportunities for savings.
Shortly after Tom Brady led the New England Patriots to the greatest comeback in Super Bowl history, he noticed that his game jersey had been stolen from his bag. Asked if it was still missing hours later, he responded "Yeah, it's going to be on eBay at some point."
This got me thinking about the market for high profile stolen items like sports memorabilia and famous artwork (yes, Pondera people think a little differently than the average sports fan). How, after all, could someone hope to profit from selling such a famous jersey—certainly not by selling it on eBay.
As it turns out, the markets for stolen items like sports memorabilia and artwork are quite mature and well-defined. Stolen art obviously has a longer history and much can be learned from it. For example, pricing for stolen art is typically around 10% of the estimated value. Interestingly, this means that many of the most famous paintings are less likely to be stolen because even 10% of $100 million is a lot to pay for an item that you can’t even show to friends!
While there are notable exceptions, including the 1911 theft of Da Vinci’s Mona Lisa (recovered two years later), the large majority of art thefts are of less than $10,000 items from private homes. The items are often sold after a period of time to legitimate galleries by “owners” who claim to have inherited them. Most estimates state that only about 5% of art thefts are ever truly solved. A recent seizure of famous Dutch art on the Ukrainian black market, for example, focused on recovery versus deciphering the 10-year “chain of custody” since being stolen.
Back to Tom Brady’s jersey. While not as expensive as a famous painting, many experts estimate its value at around $500,000. This would translate to a $50,000 value on the black market. And because it is such a famous item, it certainly wouldn’t be wise to display it openly.
While $50,000 is a great deal of money, I’m not sure many of us would take the risk of avoiding the Texas Rangers for that payday.
For those who need more impetus to stay on the straight and narrow, remember that O.J. Simpson’s 33-year prison sentence stemmed from a Las Vegas robbery over sports memorabilia that he claimed was stolen from him. And while Tom Brady’s 5th Super Bowl win is sure to ease the pain of his stolen jersey, I’ll still be rooting for the Texas Rangers and Houston P.D. in their efforts to recover this important piece of sports history.
The USDA recently announced a pilot program, starting this August, to offer online access to groceries for Supplemental Nutrition Assistance Program (SNAP) recipients in seven states. Groceries will be delivered to the recipients’ homes by seven participating retailers including familiar names such as Amazon, Safeway, and Shoprite.
For many SNAP participants, this is both a tremendous convenience (saving them time) and a potential necessity (providing access to healthy foods in rural and urban “food deserts”). In fact, America’s poor have higher access to the Internet than they do to cars: 88% to 79.6%. And no one can argue that time spent with family, working, or seeking work is more valuable than time spent commuting to and shopping in grocery stores.
Of course, online transactions often lead to more opportunities for fraud. And for their part, the USDA is mandating stricter controls than those required for non-SNAP transactions, including the use of a secure PIN number on all SNAP transactions. They have also provided funding in recent years to help states address benefit card trafficking problems.
It is also known that when large sums of money are distributed through online transactions, bad actors will innovate new ways to defraud the system. In 2014, while the improper payment rate in SNAP was relatively low at 3.66%, this still represented over $2.5 billion. Perhaps more concerning is that for 2015, after the USDA worked with all 50 states to assess their payment accuracy rates, they were not able to provide an overall improper payment rate for the SNAP program because data from 42 of the 53 reporting agencies could not be validated.
In many ways, this situation encapsulates the challenges facing government organizations. While their main directive is to provide important services to citizens – which I believe includes online access to nutritious foods – they also must protect the taxpayers’ money and make sure benefits go to those who are qualified to receive them. We wish the USDA luck with this new pilot and stand ready to assist our state government clients in their program integrity efforts.
In a recent Texas senate hearing, it was revealed that in 2015, the state’s 22 Managed Care Organizations (MCOs) had recovered only $2.5 million of fraudulent payments out of $12.5 billion in claims. That’s about two-hundredths of a percent. Not one of the MCOs recovered even 1% of payments and most reported less than $20,000 in recoveries per full-time investigative resource.
These numbers are stunningly low considering the actual amount of managed care fraud, estimated by the American Bar Association to be over $17.5 billion per year. There are dozens of ways to commit fraud in managed care programs including enrolling ineligible, deceased, or incarcerated individuals, collusion and kickback schemes among providers, and billing across MCOs.
In fact, many instances of managed care fraud can be even more insidious than the fraud found in fee-for-service programs. For example, rather than billing for unnecessary services which is common in fee-for-service, fraudulent managed care providers are more apt to deny necessary procedures to increase their profits. They also recruit healthy members to bill capitation fees while incurring smaller expenses than those for less healthy members.
As states move more of their Medicaid populations into managed care, it is critical to not pass the responsibility of fraud detection to the MCOs. The current situation in Texas, whatever the causes, should not be tolerated. It is clear that not all MCOs will “play by the rules” and this will inevitably lead to higher capitation rates and less effective care. This is pretty ironic considering that lower costs and improved care were two of the main drivers behind moving to managed care in the first place.