DOJ charges 10 individuals for allegedly spoofing emails, defrauding healthcare payers, hospitals

The U.S. Department of Justice issued charges this week alleging that 10 individuals posed as business partners and fraudulently diverted patient payments intended for hospitals providing insureds’ medical services.

WHY IT MATTERS
The DOJ announced that the charges stem from business email compromise and wire fraud acts that snared five state Medicaid programs, two Medicare Administrative Contractors and two private health insurers

The public and private health insurers allegedly were deceived into making payments to the defendants and their co-conspirators instead of depositing the reimbursement payments into bank accounts belonging to the hospitals, according to the statement.

The defendants – one in South Carolina, another in Virginia and eight in Georgia – are alleged to have used spoofed email addresses and other deceptive methods to deceive the healthcare payers into believing they were making legitimate payments.

The investigation found more than $4.7 million in losses to Medicare, Medicaid and private health insurers and $6.4 million in losses to other federal government agencies, private companies and some elderly individuals.

“These indictments demonstrate our unwavering commitment to fighting internet crime and holding internet fraudsters accountable, particularly when their schemes target taxpayer-funded programs intended to benefit the most vulnerable among us,” said Adair Boroughs, an attorney for the District of South Carolina.

The defendants and their co-conspirators allegedly laundered the fraudulently obtained payments from these healthcare benefit plans and other victims by layering large amounts of cash through accounts they or their co-conspirators opened in the names of false and stolen identities and shell companies.

They allegedly transferred funds overseas and purchased luxury goods and automobiles.

“Millions of American citizens rely on Medicaid, Medicare and other healthcare systems for their healthcare needs. These subjects utilized complex financial schemes, such as BECs and money laundering, to defraud and undermine healthcare systems across the United States,” said Luis Quesada, assistant director of the FBI’s Criminal Investigative Division.

In each case, a federal district court judge will determine any sentence, with maximum penalties ranging from 20-30 years in prison, said the DOJ.

In June, one of the 10 individuals investigated pleaded guilty to charges ranging from using a false passport to create a shell company that obtained more than $1.5 million from BEC schemes targeting two state Medicaid programs, the IRS, the SBA, a private company and two elderly individuals and in September was sentenced to four years in prison.

THE LARGER TREND
Spoofing and other BEC tactics are where criminals make the most money, according to Steve Winterfeld, advisory CISO at Akamai.

Winterfeld will be speaking on a panel panel on aligning stakeholders on cybersecurity risks at the upcoming HIMSS Healthcare Cybersecurity Forum. He recently shared some insights on just how easy it is to become a potential cyberattack victim.

Phishing and spoofing attempts against healthcare organizations and their employees have been on the rise for more than five years. A report by Proofpoint found that more than 77% of email attacks on healthcare organizations during the previous two years used malicious URLs.

“While the cyberattack techniques against healthcare organizations vary and evolve, one common thread is that they attack people, not just technology,” said Ryan Witt, Proofpoint managing director, in the report. “They exploit healthcare workers’ curiosity, time constraints in acute care settings and their desire to serve. Combating these attacks requires a new and people-centered approach to security.”

ON THE RECORD
“The Criminal Division and our partners are committed to holding accountable those who seek to line their own pockets through sophisticated business email compromise and money laundering schemes targeting public and private health insurers as well as individual victims,” Kenneth Polite, Jr., assistant attorney general for the DOJ’s Criminal Division, said in the statement.

“These allegations depict a brazen effort to siphon monies, in part, from essential healthcare programs to instead fund personal gain,” Christian Schrank, deputy inspector general for investigations for HHS-OIG, added.

“This coordinated action is a prime example of the commitment that HHS-OIG and our law enforcement partners have to defending the federal health care system against fraud,” he said.