New Age of Identity Theft Problems

March 2, 2016
By Jon Coss - Blog Manager

Remember back to last year when the IRS announced that cyber thieves stole personal data from 100,000 taxpayers? This sophisticated scheme accumulated personal data from other sites and used it to answer identity validation questions on the IRS web site to gain access to taxpayer accounts.

The 100,000 taxpayers affected? The IRS revised that number later in the year to 334,000. Last week they raised the number again to more than 700,000! Combine this with the high-profile hacks at Sony, Target, Anthem, and other organizations and one thing becomes very clear: bad actors are rapidly improving their identity theft methods.

In response, government agencies need to prepare for an onslaught of fraudulent tax returns, unemployment claims, Medicaid treatments, and other services. In 2015, the IRS paid out $5.8 billion in fraudulent returns. Several of Pondera’s clients also saw dramatic increases in “ghost” beneficiaries, often paired with fictitious businesses, set up solely to defraud government programs. 2016 promises to be even more problematic.

As program integrity experts, we have to recognize that we are moving into a new age of identity theft problems. We can log on to YouTube and watch a music video about Unemployment Insurance Fraud. CNN has run stories on street gangs trading liquor store holdups for benefits fraud. The barbarians are at the gate and it’s our responsibility to strengthen the defenses.
Related Posts

Identity Theft: Steal Once, Use Often

A recent arrest in New York City illustrates a common fraud method that Pondera has been talking about for years: falsifying an identity (of an individual or business) and using it across multiple states, or in this particular case, across multiple subsidy programs within a state.

In February of this year, the New York State Attorney announced the arrest of several individuals allegedly involved with a fraudulent medical supply company. The company’s owner operated under a false social security number and billed the State Medicaid system for an expensive nutritional formula required by patients with feeding tubes. In actuality, when they delivered the service at all, they dispensed lower-priced Pediasure to dramatically increase their profits—apparently ignoring the health consequences to the patient.

But, as is often the case with bad actors, they didn’t stop there. In addition to their fraudulently obtained Medicaid profits, the fraudsters also used their fake socials and claimed income of less than $800 per month in order to qualify for Welfare payments. This despite the fact their medical “business” incomes were over $180,000 per year. It would not surprise me to learn that these same people were operating in other subsidy programs or in neighboring states.

This is a disturbing, but somewhat logical, pattern that we see again and again. When someone goes to the trouble of creating a fake identity or business, they use it to generate as much income as possible. They “fly below the radar” of each individual program (or state) to avoid detection, but the fraud can be very lucrative in aggregate.

The obvious solution to this is increased cooperation and data sharing across programs within a state and across states.
The federal government has made significant efforts to support data sharing including the List of Excluded Individuals and Entities (LEIE), the Death Master File, and the Prisoner Update Processing System (PUPS) which can help identify claims that are fraudulently made by ineligible, deceased, or incarcerated identities.

Our hope is that these efforts expand, including at the state level, where multiple agencies cooperate to identify cross-program fraud schemes. It is not enough to detect and then stop individual incidents of fraud. Many of these incidents are too small, when viewed as discrete occurrences, to warrant prosecution. Knowing this, enterprising fraudsters “sprinkle” their claims across multiple jurisdictions to avoid attention.

Unfortunately, as was the case in New York, even these smaller, distributed fraud efforts can have an impact on patient health. The good news is that New York detected and put an end to this incident. But we all know there are thousands of similar cases each year.

Old Fashioned Credit Card Fraud

While shopping for groceries this week, my wife turned from her cart when a man stumbled and fell in the aisle. Less than 30 seconds later, she noticed that her wallet was missing from her purse which was sitting in the cart. Total distance from her wallet: 5 feet.

Within 3 minutes, she’d called me and alerted the store about what had happened. Within 15 minutes, I’d blocked our ATM card, our credit card, and a specialty retailer card. Total Time: 18 minutes and 30 seconds.

What had the robbery netted? A $1,000 gift card purchased at a kiosk at a nearby retailer with our credit card. A second $1,000 gift card purchased at the same kiosk with our ATM card (I was under the mistaken impression that this would require the PIN number). And a $5,000 gift card purchased with the specialty retailer card. Total take: $7,000. In just 18 1/2 minutes.

Of course, the thieves also got away with about $150 in cash and my wife’s driver license.
She was worried that we were going to be robbed that evening “because they now had our address” but I convinced her that “having our address” made us no more likely to be robbed. We also freeze our credit which offers us some protection from identity theft. So this gave us some comfort.

After this incident, I wondered just how much “old fashioned” credit card fraud still exists in the United States. As it turns out, quite a bit, as 23% of the $3 billion in annual credit card fraud is still the result of lost or stolen cards. I was surprised at this number given today’s more sophisticated identity theft and forgery schemes.

As often is the case with fraud though, the aftermath can be even more costly than the initial theft. Financially, even though we were not directly responsible for the fraudulent transactions, in the end, we pay through higher fees and rates. And of course, it’s very difficult to assign a cost to the trauma of being robbed at your neighborhood grocery store.

The lesson in all of this for me? While it’s important to protect your identity online, don’t forget that thieves still snatch wallets, look for credit card offers in your mailbox and trash, and call your home to try to trick or intimidate you into providing sensitive information.

Ambulette Fraud

“Ambulette” is a term to describe the vans and cars that transport Medicaid patients to non-emergency appointments. Despite the presence of ambulettes, millions of Americans continue to miss medical appointments each year because of transportation problems. One possible answer to this problem? Rideshare companies like Uber and Lyft who sign agreements with hospitals and medical groups.

In my opinion, however, rideshare companies should proceed with caution. Fraud is rampant in Non-Emergency Medical Transportation (NEMT) and the under-the-table cash temptations may prove too strong for some drivers to ignore.
Kickback schemes, billing for rides never actually given, illegal referrals, and providing rides to deceased patients are common NEMT fraud schemes.

The Centers for Medicare and Medicaid Services (CMS) recently gave a presentation on NEMT compliance and reporting requirements (which are the responsibility of the rideshare companies) and common fraud schemes. In one, a Medicare beneficiary drove patients to dialysis appointments but also provided the medical IDs to an ambulance company so they could bill as well. In another, a parent was jailed 30 days for billing Medicaid for trips for her child’s treatments. Although the parent was authorized to transport her child, the trips never actually took place.

It’s not easy for ridesharing companies to monitor their drivers’ behaviors, especially because of the flexible driver contracts and work hours. Combine this with NEMT fraud fines that often run into the hundreds of thousands of dollars and it is clear that rideshare companies may be opening themselves up to some serious problems.

36% of Lifeline Recipients Can’t be Validated

Another federal subsidy program is garnering congressional attention for large amounts of fraud, waste, and abuse. This time it’s the Lifeline program that provides discounts to low-income households for home or wireless telephone and broadband service. This program, which many Americans have likely never heard of, distributed $1.5 billion in subsidies to 12.3 million households in 2016.

The problem is that a recent study by the General Accounting Office (GAO) could not confirm the eligibility of a whopping 36% of program beneficiaries.
The surprising part of this is that validating eligibility is as straightforward as checking an applicant’s enrollment form against a qualifying benefit program, such as Medicaid -- if someone has already been deemed eligible for Medicaid, then they are also eligible for Lifeline.

It is also troubling to note that the 84-page GAO report comes after a 2010 study that found problems with the program and led to a number of recommended reforms in 2012. Fast forward five years to today, and the problems persist.

Fraud in Lifeline stems from several factors common to most government programs: pressure to distribute timely benefits, a lack of effective data matching, and service providers (in this case telecommunications carriers) that benefit from a lack of control. The GAO actually called this last one out in their report when they explained that “companies may have financial incentives to enroll as many customers as possible” despite questionable eligibility.

None of the problems outlined in the report are particularly difficult to solve from a technical standpoint. But turf battles often lead to data sharing problems that lead to eligibility validation issues. And an unwillingness to enforce fraud reforms on businesses provides them with incentives to simply “look the other way”. Multiply this problem over the 2,300 federal subsidy programs operating today, and this adds up to a lot of money, all lost due to fraudulent, wasteful behavior.

The Problem With Knowing What You Know

I bet you cna’t bvleiee taht you can uesdtannrd waht you are rdnaieg. Unisg the icndeblire pweor of the hmuan mnid, aocdcrnig to rseecrah at Cmabrigde Uinervtisy, it dseno't mttaer in waht oderr the lterets in a wrod are, the olny irpoamtnt tihng is taht the frsit and lsat ltteer be in the rhgit pclae. The rset can be a taotl mses and you can sitll raed it whoutit a pboerlm.
Tihs is bucseae the huamn mnid deos not raed ervey ltteer by istlef, but the wrod as a wlohe.

The preceding paragraph, which has made its way around the Internet for years, can be really fun to share with friends. However, it also serves as a caution to anyone involved in fraud detection. In many ways, bad actors, knowingly or unknowingly, have depended on how the human mind works to perpetrate fraud schemes. Like the old expression goes, sometimes the best place for fraud to hide is in plain sight.

This is especially true in government programs that process massive amounts of transactions and must adhere to a staggering number of program regulations. Traditional “top down” systems can analyze large data sets and find nothing wrong (after all, the first and last letters are in the right place). “Bottom Up” systems, on the other hand, will identify individual problems (the word is scrambled) but may miss the patterns in the data (this entire paragraph is scrambled). A common example of this is the medical provider that always “flies just below the radar” by maximizing claim amounts and frequencies.

The best detection processes take both a “top down” and “bottom up” approach. They can identify individual transaction problems as well as identify patterns of bad behavior over time. In this way, you can make the old “80-20” rule work in your favor. 80% of improper payments are likely caused by 20% of program participants. If you only address each individual transaction, you’ll never run out of work but you also never really improve your program integrity efforts.

Hurricane Harvey Brings Out the Best and the Worst in People

As the residents of Houston and surrounding areas continue to struggle with the devastation caused by Hurricane Harvey, history shows us that problems will continue long after the homes and businesses have been repaired.
Every large natural disaster in this country follows the same pattern: destruction brought on by the disaster, followed by looting and price gouging, followed by huge amounts of fraud committed in the chase for assistance money.

In Texas, all three seem to be occurring at once. We’ve all seen the heartbreaking images and videos of families who have lost everything, unfortunately including those who lost their lives. We’ve also seen the inspiring stories of ordinary people that risk their lives to help a neighbor, a stranger, or a lost family pet.

Now, of course, the looting stories are beginning to circulate. In this case, it appears that law enforcement is doing all that it can to protect life and property, including announcing mandatory jail time for all thieves and burglars. However, the scammers are wasting no time setting up Facebook pages and sending out tweets with links to “relief organizations” that are actually designed to steal money from those who want to help.

I have no doubt that this fraud activity will only increase. Consider these examples following previous disasters:

- Dozens of people were convicted of using fraudulent psychiatric claims following 9/11 to steal up to $50,000 per year in Social Security disability payments.
- A New Jersey man was one of hundreds to receive relief funding (in his case $171,099) after falsely claiming his primary residence was a home damaged by Hurricane Sandy.
- An Alabama woman filed 28 claims for disaster assistance in 5 states following Hurricane Katrina.

Unfortunately, fraud thrives at the intersection of vulnerable populations and large amounts of money. And Hurricane Harvey creates this intersection by displacing so many families, by invoking a government response, and by tapping into the giving spirit of caring Americans.

Even more unfortunate is the fact that most of the fraud will go undetected and unprosecuted.
Consider that the vast majority of the 22,000 cases of potential fraud passed to the government's Katrina task force were never prosecuted. And it is likely that FEMA collected less than 5% of the estimated billion dollars of fraud following the Hurricane. Only by increased enforcement and stricter sentencing will we be able to break this heinous pattern. And, to me at least, this is a pattern worth breaking.