Initially thought to be an attack by a nation-state, actual culprit turned out to be a known ransomware group and each day brings new revelations about the cyberattack
Fallout continues from cyberattack on Change Healthcare, the revenue cycle management (RCM) company that is a business unit of Optum, itself a division of UnitedHealth Group. Recent news accounts say providers are losing an estimated $100 million per day because they cannot submit claims to Change Healthcare nor receive reimbursement for these claims.
The cyberattack took place on February 21. The following day, UnitedHealth Group filed a Material Cybersecurity Incidents report (form 8-K) with the US Securities and Exchange Commission (SEC) in which it stated it had “identified a suspected nation-state associated cybersecurity threat actor [that] had gained access to some of the Change Healthcare information technology systems.”
A few days later the real identity of the threat actor was revealed to be a ransomware group known as “BlackCat” or “ALPHV,” according to Reuters.
Change Healthcare of Nashville, Tenn., is “one of the largest commercial prescription processors in the US,” Healthcare Dive reported, adding that hospitals, pharmacies, and military facilities had difficulty transmitting prescriptions “as a result of the outage.”
Change Healthcare handles about 15 billion payments each year.
According to a Change Healthcare statement, the company “became aware of the outside threat” and “took immediate action to disconnect Change Healthcare’s systems to prevent further impact.”
Change Healthcare has provided a website where parties that have been affected by the cyberattack can find assistance and updated information on Change’s response to the intrusion and theft of its data.
“The fallout is only starting to happen now. It will get worse for consumers,” Andrew Newman (above), founder and Chief Technology Officer, ReasonLabs, told FOX Business, adding, “We know that the likely destination for [the Change Healthcare] data is the Dark Web, where BlackCat will auction it all off to the highest bidder. From there, consumers could expect to suffer from things like identity theft, credit score downgrades, and more.” Clinical laboratories are also targets of cyberattacks due to the large amount of private patient data stored on their laboratory information systems. (Photo copyright: ReasonLabs.)
Millions of Records May be in Wrong Hands
Reuters reported that ALPHV/BlackCat admitted it “stole millions of sensitive records, including medical insurance and health data from the company.”
The ransomware group has been focusing its attacks on healthcare with 70 incidents since December, according to federal agencies.
In a letter to HHS, AHA warned, “Change Healthcare’s downed systems will have an immediate adverse impact on hospital finances. … Their interrupted technology controls providers’ ability to process claims for payment, patient billing, and patient cost estimation services.”
“My understanding is Change/Optum touches almost every hospital in the US in one way or another,” John Riggi, AHA’s National Advisor for Cybersecurity and Risk, told Chief Healthcare Executive. “It has sector wide impact in potential risk. So, really, this is an attack on the entire sector.” Riggi spent nearly 30 years with the FBI.
Some physician practices may also have been impacted by the Change Healthcare cyberattack, according to the Medical Group Management Association (MGMA). In a letter to HHS, MGMA described negative changes in processes at doctors’ offices. They include delays in paper and electronic statements “for the duration of the outage.”
In addition, “prescriptions are being called into pharmacies instead of being electronically sent, so patients’ insurance information cannot be verified by pharmacies, and [the patients] are forced to self-pay or go without necessary medication.”
Here are “just a few of the consequences medical groups have felt” since the Change Healthcare cyberattack, according to the MGMA:
Substantial billing and cash flow disruptions, such as a lack of electronic claims processing. Both paper and electronic statements have been delayed. Some groups have been without any outgoing charges or incoming payments for the duration of the outage.
Limited or no electronic remittance advice from health plans. Groups are having to manually pull and post from payer portals.
Prior authorization submissions have been rejected or have not been transmittable at all. This further exacerbates what is routinely ranked the number one regulatory burden by medical groups and jeopardizes patient care.
Groups have been unable to perform eligibility checks for patients.
Many electronic prescriptions have not been transmitted, resulting in call-in prescriptions to pharmacies or paper prescriptions for patients. Subsequently, patients’ insurance information cannot be verified by pharmacies, and they are forced to self-pay or go without necessary medication.
Lack of connectivity to important data infrastructure needed for success in value-based care arrangements, and other health information technology disruptions.
Medical laboratory leaders and pathologists are advised to consult with their colleagues in IT and cybersecurity on how to best prevent ransomware attacks. Labs hold vast amount of private patient information. Recent incidents suggest more steps and strategies may be needed to protect laboratory information systems and patient data.
Federal prosecutors allege that this nurse practitioner ordered more genetic tests for Medicare beneficiaries than any other provider during 2020
Cases of Medicare fraud involving clinical laboratory testing continue to be prosecuted by the federal Department of Justice. A jury in Miami recently convicted a nurse practitioner (NP) for her role in a massive Medicare fraud scheme for millions of dollars in medically unnecessary genetic testing and durable medical equipment. She faces 75 years in prison when sentenced in December.
In their indictment, federal prosecutors alleged that from August 2018 through June 2021 Elizabeth Mercedes Hernandez, NP, of Homestead, Florida, worked with more than eight telemedicine and marketing companies to sign “thousands of orders for medically unnecessary orthotic braces and genetic tests, resulting in fraudulent Medicare billings in excess of $200 million,” according to a US Department of Justice (DOJ) news release announcing the conviction.
“Hernandez personally pocketed approximately $1.6 million in the scheme, which she used to purchase expensive cars, jewelry, home renovations, and travel,” the press release noted.
Hernandez was indicted in April 2022 as part of a larger DOJ crackdown on healthcare fraud related to the COVID-19 outbreak.
“Throughout the pandemic, we have seen trusted medical professionals orchestrate and carry out egregious crimes against their patients all for financial gain,” said Assistant Director Luis Quesada (above) of the FBI’s Criminal Investigative Division, in a DOJ press release. Clinical laboratory managers would be wise to monitor these Medicare fraud cases. (Photo copyright: Federal Bureau of Investigation.)
Nurse Practitioner Received Kickbacks and Bribes
Federal prosecutors alleged that the scheme involved telemarketing companies that contacted Medicare beneficiaries and persuaded them to request genetic tests and orthotic braces. Hernandez, they said, then signed pre-filled orders, “attesting that she had examined or treated the patients,” according to the DOJ news release.
In many cases, Hernandez had not even spoken with the patients, prosecutors said. “She then billed Medicare as though she were conducting complex office visits with these patients, and routinely billed more than 24 hours of ‘office visits’ in a single day,” according to the news release.
In total, Hernandez submitted fraudulent claims of approximately $119 million for genetic tests, the indictment stated. “In 2020, Hernandez ordered more cancer genetic (CGx) tests for Medicare beneficiaries than any other provider in the nation, including oncologists and geneticists,” according to the news release.
The indictment noted that because CGx tests do not diagnose cancer, Medicare covers them only “in limited circumstances, such as when a beneficiary had cancer and the beneficiary’s treating physician deemed such testing necessary for the beneficiary’s treatment of that cancer. Medicare did not cover CGx testing for beneficiaries who did not have cancer or lacked symptoms of cancer.”
In exchange for signing the orders, Hernandez received kickbacks and bribes from companies that claimed to be in the telemedicine business, the indictment stated.
“These healthcare fraud abuses erode the integrity and trust patients have with those in the healthcare industry … the FBI, working in coordination with our law enforcement partners, will continue to investigate and pursue those who exploit the integrity of the healthcare industry for profit,” said Assistant Director Luis Quesada of the Federal Bureau of Investigation’s Criminal Investigative Division, in the DOJ press release.
Conspirators Took Advantage of COVID-19 Pandemic
Prosecutors alleged that as part of the scheme, she and her co-conspirators took advantage of temporary amendments to rules involving telehealth services—changes that were enacted by Medicare in response to the COVID-19 pandemic.
The indictment noted that prior to the pandemic, Medicare covered expenses for telehealth services only if the beneficiary “was located in a rural or health professional shortage area,” and “was in a practitioner’s office or a specified medical facility—not at a beneficiary’s home.”
But in response to the pandemic, Medicare relaxed the restrictions to allow coverage “even if the beneficiary was not located in a rural area or a health professional shortage area, and even if the telehealth services were furnished to beneficiaries in their home.”
Hernandez was convicted of:
One count of conspiracy to commit healthcare fraud and wire fraud.
Four counts of healthcare fraud.
Three counts of making false statements.
Medscape noted that she was acquitted of two counts of healthcare fraud. The trial lasted six days, Medscape reported.
Hernandez’s sentencing hearing is scheduled for Dec. 14.
Co-Conspirators Plead Guilty
Two other co-conspirators in the case, Leonel Palatnik and Michael Stein, had previously pleaded guilty and received sentences, the Miami Herald reported.
Palatnik was co-owner of Panda Conservation Group LLC, which operated two genetic testing laboratories in Florida. Prosecutors said that Palatnik paid kickbacks to Stein, owner of 1523 Holdings LLC, “in exchange for his work arranging for telemedicine providers to authorize genetic testing orders for Panda’s laboratories,” according to a DOJ press release. The kickbacks were disguised as payments for information technology (IT) and consulting services.
“1523 Holdings then exploited temporary amendments to telehealth restrictions enacted during the pandemic by offering telehealth providers access to Medicare beneficiaries for whom they could bill consultations,” the press release states. “In exchange, these providers agreed to refer beneficiaries to Panda’s laboratories for expensive and medically unnecessary cancer and cardiovascular genetic testing.”
Palatnik pleaded guilty to his role in the kickback scheme in August 2021 and was sentenced to 82 months in prison, a DOJ press release states.
Stein pleaded guilty in April and was sentenced to five years in prison, the Miami Herald reported. He was also ordered to pay $63.3 million in restitution.
These federal cases involving clinical laboratory genetic testing and other tests and medical equipment indicate a commitment on the DOJ’s part to continue cracking down on healthcare fraud.
It did not take long for fraudsters to pursue hundreds of billions of federal dollars designated to support SARS-CoV-2 testing and it is rare when federal prosecutors bring cases only a few months after illegal lab testing schemes are identified
As if the COVID-19 pandemic weren’t bad enough, unscrupulous clinical laboratory operators quickly sought to take advantage of the critical demand for SARS-CoV-2 testing and defraud the federal government.
Unfortunately for the many defendants in these cases, federal investigations into alleged cases of fraud were launched with noteworthy speed. As a result of these investigations into alleged healthcare fraud by clinical laboratories and other organizations during fiscal year (FY) 2020, the US Department of Justice (DOJ) announced the US government has recovered $1.8 billion.
The federal prosecutions involved dozens of medical laboratory owners and operators who paid back “hundreds of millions in alleged federal healthcare program losses,” Goodwin Life Sciences Perspectives explained.
When combined with similar efforts starting in prior years, the program has returned to the federal government and private individuals a total of $3.1 billion, the DOJ noted.
“In its 24th year of operation, the program’s continued success confirms the soundness of a collaborative approach to identify and prosecute the most egregious instances of healthcare fraud, to prevent future fraud and abuse, and to protect program beneficiaries,” the report states.
According to the graphic above, which is based on analysis by B2B research company MarketsandMarkets, “North America will dominate the healthcare fraud analytics market from 2020–2025.” As clinical laboratory testing represents a significant portion of the fraud, medical lab managers will want to remain vigilant. (Graphic copyright: MarketsandMarkets.)
COVID-19 Pandemic an Opportunity for Fraud
The HHS report notes that the COVID-19 pandemic required CMS to develop a “robust fraud risk assessment process” to identify clinical laboratory fraud schemes, such as offering COVID-19 tests in exchange for personal details and Medicare information.
“In one fraud scheme, some labs are targeting retirement communities claiming to offer COVID-19 tests but are drawing blood and billing federal healthcare programs for medically unnecessary services,” the HHS report notes.
Still other alleged schemes involved billing for expensive tests and services in addition to COVID-19 testing. “For example, providers are billing a COVID-19 test with other far more expensive tests such as the Respiratory Pathogen Panel (RPP) and antibiotic resistance tests,” the report says.
“Other potentially unnecessary tests being billed along with a COVID-19 test include genetic testing and cardiac panels CPT (current procedural terminology) codes. Providers are also billing respiratory, gastrointestinal, genitourinary, and dermatologic pathogen code sets with the not otherwise specified code CPT 87798,” the report states.
Different Types of Healthcare Organizations Investigated in 2020
Beyond clinical laboratories, the HHS’ 124-page report also shares criminal and civil investigations of other healthcare organizations and areas including:
clinics,
drug companies,
durable medical equipment,
electronic health records,
home health providers,
hospice care,
hospitals and healthcare systems,
medical devices,
nursing home and facilities,
pharmacies, and
physicians/other practitioners.
According to the DOJ, “enforcement actions” in 2020 included:
1,148 new criminal healthcare fraud investigations opened,
440 defendants convicted of healthcare fraud and related crimes,
1,079 civil healthcare fraud investigations opened, and
1,498 pending civil health fraud matters at year-end.
“Federal Bureau of Investigation (FBI) investigative efforts resulted in over 407 operational disruptions of criminal fraud organizations and the dismantlement of the criminal hierarchy of more than 101 healthcare fraud criminal enterprises,” the DOJ reported.
Furthermore, the report said OIG investigations in 2020 led to:
578 criminal actions against people or organizations for Medicare-related crimes,
781 civil actions such as false claims, and
2,148 people and organizations eliminated from Medicare and Medicaid participation.
Implications for Clinical Laboratories
In 2020, OIG issued 178 reports, completed 44 evaluations, and made 689 recommendations to HHS divisions.
Clinical laboratory leaders may be most interested in those related to patient identification as a means to combating fraud and Medicare Part B lab testing reimbursement.
The HHS report says, “Medicare Advantage (MA) encounter data continue to lack National Provider Identifiers (NPIs) for providers who order and/or refer … clinical laboratory services,” adding that, “Almost half of MA organizations believe that using NPIs for ordering providers is critical for combating fraud.”
Additionally, the report states, “Medicare Part B spending for lab tests increased to $7.6 billion in 2018, despite lower payment rates for most lab tests. The $459 million spending increase was driven by:
“increased spending on genetic tests,
“ending the discount for certain chemistry tests, and the
“move to a single national fee schedule.”
Medical laboratory leaders may be surprised to learn that federal healthcare investigators were so vigorous in their investigations, even during the worst of the COVID-19 pandemic.
Vigilance is critical to ensure labs do not fall under the DOJ’s scrutiny. This HHS report, which describes the types and dollars involved in fraudulent schemes by clinical labs and other providers, could help inform revisions to federal compliance regulations and statutes.
Following the raid, the company’s co-founders resigned
from the board of directors
Microbiome testing company, uBiome, a biotechnology developer that offers at-home direct-to-consumer (DTC) test kits to health-conscious individuals who wish to learn more about the bacteria in their gut, or who want to have their microbiome genetically sequenced, has recently come under investigation by insurance companies and state regulators that are looking into the company’s business practices.
CNBC
reported that the Federal Bureau of
Investigation (FBI) raided the company’s San Francisco headquarters in
April following allegations of insurance fraud and questionable billing
practices. The alleged offenses, according to CNBC, included claims that
uBiome routinely billed patients for tests multiple times without consent.
Becker’s
Hospital Review wrote that, “Billing documents obtained by The Wall Street
Journal and described in a June 24 report further illustrate uBiome’s
allegedly improper billing and prescribing practices. For example, the
documents reportedly show that the startup would bill insurers for a lab test
of 12 to 25 gastrointestinal pathogens, despite the fact that its tests only
included information for about five pathogens.”
Company Insider Allegations Trigger FBI Raid
In its article, CNBC stated that “company insiders”
alleged it was “common practice” for uBiome to bill patients’ insurance
companies multiple times for the same test.
“The company also pressured its doctors to approve tests
with minimal oversight, according to insiders and internal documents seen by CNBC.
The practices were in service of an aggressive growth plan that focused on
increasing the number of billable tests served,” CNBC wrote.
FierceBiotech reported that, “According to previous
reports, the large insurers Anthem, Aetna, and Regence BlueCross BlueShield
have been examining the company’s billing practices for its physician-ordered
tests—as has the California Department of Insurance—with probes focusing on
possible financial connections between uBiome and the doctors ordering the
tests, as well as rumors of double-billing for tests using the same sample.”
Becker’s Hospital Review revealed that when the FBI
raided uBiome they seized employee computers. And that, following the raid,
uBiome had announced it would temporarily suspend clinical operations and not
release reports, process samples, or bill health insurance for their services.
The company also announced layoffs and that it would stop
selling SmartJane and SmartGut test kits, Becker’s reported.
uBiome Assumes New Leadership
Following the FBI raid, uBiome placed its co-founders Jessica
Richman (CEO) and Zac
Apte (CTO) on administrative leave while conducting an internal
investigation (both have since resigned from the company’s board of directors).
The company’s board of directors then named general counsel, John Rakow, to be interim CEO,
FierceBiotech
reported.
John Rakow (center) is shown above with uBiome co-founders Jessica Richman (lower left) and Zac Apte (lower right). In a company statement, Rakow stressed that he believed in the company’s products and ability to survive the scandal. His belief may be based on evidence. Researchers have been developing tests based on the human microbiome for everything from weight loss to predicting age to diagnosing cancer. Such tests are becoming increasingly popular. Dark Daily has reported on this trend in multiple e-briefings. (Photo copyrights: LinkedIn/uBiome.)
After serving two months as the interim CEO, Rakow resigned
from the position. The interim leadership of uBiome was then handed over to
three directors from Goldin
Associates, a New York City-based consulting firm, FierceBiotech
reported. They include:
SmartFlu: a nasal microbiome swab that detects bacteria and viruses associated with the flu, the common cold, and bacterial infections.
What Went Wrong?
Richman and Apte founded uBiome in 2012 with the intent of
marketing a new test that would prove a link between peoples’ microbiome and their
overall health. The two founders initially raised more than $100 million from
venture capitalists, and, according to PitchBook,
uBiome was last valued at around $600 million, Forbes
reported.
Nevertheless, as a company, uBiome’s future is uncertain. Of
greater concern to clinical laboratory leaders is whether at-home microbiology
self-test kits will become a viable, safe alternative to tests traditionally performed
by qualified personnel in controlled laboratory environments.
