Federal prosecutors have indicted an employee of a Florida medical billing company in a case involving alleged identity theft and Medicaid fraud.
In a Nov. 20 statement, the Department of Justice says Joshua Maywalt of Tampa was indicted on 4 counts of healthcare fraud and 4 counts of aggravated identity theft in a case involving fraudulent Medicaid billing.
Prosecutors are asking the court to compel Maywalt to forfeit $2.2 million and property alleged “to be traceable to proceeds of the offense.”
Maywalt faces a maximum penalty of 10 years in federal prison for each of the healthcare fraud counts and up to two years’ imprisonment for each aggravated identity theft count, the Justice Department says.
The defendant was a medical biller at a Florida company that provided credentialing and medical billing services for its medical provider clients.
“In that capacity, Maywalt was able to access and utilize the company’s financial, medical provider and patient information,” prosecutors say.
Maywalt was assigned to a Tampa Bay-area physician’s account and was responsible for submitting claims to Florida Medicaid health maintenance organizations for services rendered by the physician to Medicaid recipients.
The indictment alleges that Maywalt abused his role at the medical billing company, which it does not name, by wrongfully accessing and using the company’s patient information and the physician’s name and identification number to submit false and fraudulent claims to a Florida Medicaid HMO for medical services that were not actually rendered.
“Maywalt also altered the ‘pay to’ information associated with the Florida Medicaid HMOs’ payment processor so that the payments for the non-rendered medical services were sent to bank accounts under Maywalt’s control,” prosecutors allege.
Court documents indicate that Maywalt pleaded not guilty and was released on bond.
The case against Maywalt “is another classic example of an ‘insider threat,’” says retired FBI supervisory special agent Jason G. Weiss, an attorney at the law firm Faegre Drinker Biddle & Reath LLP.
“These threats are becoming the tail that wags the dog in the cybersecurity world. Last year, nearly 70% of cyberattacks had an inside component,” he says.
“This is a problem that appears to be growing and becoming a much more serious threat that medical providers need to not only be aware of but to begin implementing necessary security controls to prevent these types of insider attacks.”
To help mitigate the insider threat, he says, organizations should consider implementing administrative controls, such as “separation of duties,” where a second person is required to approve and confirm certain insider actions, such as billing.
“There is no sure-fire ‘iron shield’ that will prevent or protect against all potential cybercrime, but the harder you make it for potential criminals, the less likely they may be inclined to go down the road to fraud, misappropriation of funds and other types of cybercrime,” he says.
The case against Maywalt also shines a spotlight on the importance of third-party risk management.
“It’s crucial when using third-party vendors to request criminal background checks and … review these contractors’ finances to see if there are any ‘red flags’ that need to be reviewed and/or addressed in a timely fashion,” Weiss says.
Maywalt allegedly committed the crimes using protected health information maintained by his employer, a medical billing company, and that firm is a business associate under HIPAA, notes regulatory attorney Paul Hales of Hales Law Group.
“Business associates are required to follow HIPAA rules,” and in doing so, can help prevent noncompliance issues that could potentially lead to the types of crimes allegedly committed by Maywalt, he notes.
Steps called for under HIPAA include controls for access to PHI, log-in monitoring, audit controls and information system activity review, Hales says.
“The indictment indicates Maywalt continued to access PHI for 20 straight months to carry out his crimes,” he says. “That suggests the business associate had serious deficiencies in its HIPAA security program.”
The message to covered entities and business associates is clear, Hales says: “Covered entities must perform regular, effective due diligence on all business associates, and business associates must comply fully with HIPAA.”
To help prevent these types of insider incidents, Weiss recommends that companies conduct random logging, review event logs and audit the activities of all employees who have access to patients’ medical and billing records to ensure that there are no anomalies that need to be addressed “before more rampant fraud takes place.”