Fraud Management & Cybercrime , HIPAA/HITECH , Standards, Regulations & Compliance

Medicare Fraud Conspiracy Included HIPAA Violations

Three Sentenced to Prison for Scheme That Targeted Seniors
Medicare Fraud Conspiracy Included HIPAA Violations

Three individuals have been sentenced to serve time in federal prison after pleading guilty to participating in a $1 million Medicare fraud conspiracy that included criminal HIPAA violations.

See Also: 7 Steps to Help Prevent Ransomware Attacks Against Healthcare Delivery Organizations

The scheme involved scaring senior citizens into having unnecessary genetic tests performed by labs associated with the trio, billing Medicare for the tests, and then having the patients' test results sent to fake email accounts controlled by the conspirators.

The Department of Justice said Kenneth Johnson of Lorton, Virginia, was sentenced May 20 in a New Jersey federal court to 19 months in prison for his role in the scheme that used the purported not-for-profit Good Samaritans of America to defraud the Medicare program by convincing hundreds of senior citizens to submit to unneeded DNA testing.

Johnson previously pleaded guilty to one count of conspiracy to commit healthcare fraud and one count of conspiring to wrongfully access individually identifiable information. He was also ordered to pay restitution of nearly $527,000.


Johnson's sentencing followed the sentencing of his two co-defendants in the case, who also previously pleaded guilty.

Sheila Kahl, of Ocean County, New Jersey, was sentenced to 13 months in prison after also pleading guilty to one count of conspiracy to commit healthcare fraud and one count of conspiring to wrongfully access individually identifiable information. She was ordered to pay $1.2 million in restitution.

A third defendant, Seth Rehfuss, of Somerset, New Jersey, received the stiffest prison sentence after pleading guilty last year to one count of conspiracy to commit healthcare fraud. He was sentenced to 50 months in prison and ordered to pay nearly $435,000 in restitution. Rehfuss is appealing his sentence.

Fraud Scheme

The Department of Justice says Rehfuss founded Good Samaritans of America as a front to gain access to groups of senior citizens at low-income housing complexes. Rehfuss and his co-conspirators advertised free ice cream events at senior centers throughout New Jersey and persuaded the elderly to submit to genetic tests without any involvement of a healthcare professional, prosecutors say.

"Contrary to what he told the senior citizens and staff at the housing complexes, Rehfuss was a sales representative for laboratories, a fact he concealed from his targets," the Justice Department says.

"In order to convince senior citizens to submit to genetic testing, he used fear-based tactics during the presentations, including suggesting the senior citizens would be vulnerable to heart attacks, stroke, cancer and suicide if they did not have the genetic testing."

To get the tests authorized, Rehfuss used advertisements on Craigslist to recruit healthcare providers for the scheme. The healthcare providers were paid thousands of dollars per month by Rehfuss and others to sign their names to requisition forms authorizing testing for patients who they never examined and with whom they never had any interaction, the DOJ says.

Wrongful Access

"The conspirators established email accounts, phone numbers, and made-up 'office manager' names for the requisition forms that made it seem as though the healthcare providers were actually treating the patients being swabbed and would be evaluating the test results," prosecutors say.

"Rehfuss, Kahl, Johnson, and others caused the Medicare program to pay two clinical laboratories for the fraudulent test claims that the scheme generated. They obtained and divided more than $100,000 in commission payments from the laboratories," the Justice Department says.

Court documents say that the conspirators created email accounts that purported to be for healthcare providers but which they controlled in order to access the individually identifiable health information - including test results - of senior citizens that agreed to testing.

"This case illustrates the hidden criminal value of a person's PHI. Criminals will deploy old tactics and new technology as necessary to steal that value."
—Chistopher Ott, Davis Wright Tremaine

Prosecutors alleged that the conspirators were also working toward expanding the scheme outside of New Jersey into other states, including Georgia, Delaware, Virginia, Maryland, Pennsylvania, South Carolina, Michigan, Mississippi, Florida, Tennessee and Arizona.

HIPAA Crimes

Among alleged crimes committed by the defendants are criminal violations of HIPAA, notes attorney Christopher Ott of the law firm Davis Wright Tremaine, who is not involved in the case but is a former Department of Justice litigator.

"Accessing protected health information, which in this case specifically included the victims' names, dates of birth, Social Security numbers and genetic profile, are contrary ... to parts of HIPAA," he says. "The intent to use that information for personal gain is a felony."

Privacy attorney Kirk Nahra of the law firm WilmerHale, who also is not involved in the case, notes that this incident is more of a healthcare fraud case than a privacy case. "The privacy element becomes part of the overall scheme, but this is at heart an effort to defraud the healthcare system through manipulating patients and the provider system," he says.

"Because the healthcare system relies so heavily on third-party payments, patients - particularly vulnerable patients - have always been susceptible to this kind of manipulation."

Preventing Fraud

So what can healthcare entities do to prevent patient information from being used for fraudulent purposes?

"Employees can be trained to review email addresses for oddities or other problems and should always be thinking about problematic possibilities," Nahra says. "But a case like this also shows how vulnerable the healthcare system is to this kind of fraud, even after more than two decades of trying to fight it."

Organizations need to continually scrutinize their information governance infrastructures and rules "to stay ahead of the bad guys and spot unusual activity," Ott contends. "This case illustrates the hidden criminal value of a person's PHI. Criminals will deploy old tactics and new technology as necessary to steal that value."

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.