Kusserow on Compliance: Arrest of the University of Pittsburgh Medical Center hacker

An individual was indicted by a federal grand jury in Pittsburgh and arrested on charges associated with the 2014 “hacking” theft of the University of Pittsburgh Medical Center (UPMC) human resources database, which included personally identifiable information (PII) of over 65,000 UPMC employees. He was charged with fraud, aggravated identity theft, and selling the information on the dark web to buyers around the world. The buyers, in turn, engaged in a massive campaign of further scams and theft, including the filing of thousands of false IRS tax returns, leading to $1.7 million in false tax return refunds.

Additionally, the indictment alleges that the hacker, from 2014 through 2017, using the acronyms “TDS” or “DS,” regularly sold other PII to buyers on dark web forums, which could be used to commit identity theft and bank fraud. According to the indictment, the hacker sold the stolen information on dark web forums for use by conspirators, who promptly filed hundreds of false Form 1040 tax returns using UPMC employee PII. These false 1040 filings claimed hundreds of thousands of dollars in false tax refunds, which the conspirators converted into Amazon.com gift cards; the gift cards were then used to purchase Amazon merchandise that was shipped to Venezuela. The case was investigated by the Secret Service, IRS, and Postal Inspection Service. As a side note, six years ago, the case resulted in a major legal battle after employees sued UPMC for negligence and breach of contract. The state high court also ruled that UPMC may be responsible for monetary damages if the plaintiffs can prove the health system acted negligently.

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2020 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: DOJ moves on first criminal cases of COVID-19 fraud

The Department of Justice (DOJ) brought fraud charges against the president of a medical technology company in connection with a scheme to commit health care fraud with the submission of over $69 million in false and fraudulent claims for allergy and COVID-19 testing. The allegation is that he defrauded Medicare through illegal kickbacks and bribes and then turned to exploiting the pandemic by fraudulently promoting an unproven COVID-19 test to the market. The hoax leveraged off the fear of the pandemic with the company touting that his laboratory was the only one in the world that offered revolutionary “microarray technology,” which tested allergies and COVID-19 based on a drop of blood that was 250,000 times smaller than the amount required by technology touted by others.

The press announcement stated that beginning in or around 2018 and continuing to in or around February 2020, the company president and others paid kickbacks and bribes to recruiters and doctors to run an allergy screening test, using his Arrayit product, on every patient regardless of medical necessity, and then made numerous misrepresentations about the results. As the COVID-19 crisis began to escalate in March 2020, he and others made false claims concerning Arrayit’s ability to provide accurate, fast, reliable and cheap COVID-19 tests in compliance with state and federal regulations, and made numerous misrepresentations to potential investors about the COVID-19 tests and Arrayit’s future prospects for COVID-19 testing. The company president stated that it was simple to develop a test for COVID-19 because the switch from testing for allergies to testing for COVID-19 was a simple and easy step, but he and others never disclosed that there were questions about the validity of its data and the accuracy of its COVID-19 test. The press announcement reaffirmed that investigating COVID-19 fraud scams billed to federal health programs continues to be a top priority, noting that the ongoing public health crisis has spawned a rash of fraudulent schemes.

 


Kusserow on Compliance: DOJ, OIG promote a ‘Culture of Compliance,’ Strategic Management can help

The Department of Justice (DOJ) “Evaluation of Corporate Compliance Programs” notes that an effective compliance program includes “[t]he company’s culture of compliance.” It also states it is important for a company to create and foster a culture of ethics and compliance with the law and for executive leadership to implement a culture of compliance from the top. The DOJ calls for its prosecutors to assess whether the company has established processes that incorporate the culture of compliance into its day-to-day operations. The OIG stresses similar points in its Compliance Program Guidance by stating that compliance efforts need to be designed to establish a culture that promotes prevention, detection and resolution of instances of conduct that violate applicable laws, regulations, health care program requirements, and ethical and business practices. The OIG further advises that consideration should be given to using questionnaires that solicit impressions of a broad cross-section of employees and staff. Elsewhere the OIG recommends evaluations of the compliance program through “employee surveys.” The U.S. Sentencing Commission Guidelines note the importance of organizations developing institutional compliance cultures that discourage criminal conduct and that an effective compliance program must “promote an organizational culture that encourages ethical conduct and a commitment to compliance.”

Solution to Measuring and Benchmarking Compliance Culture

Since 1993, Strategic Management has employed its healthcare compliance culture benchmark survey on behalf of hundreds of health care organizations, with a surveyed population of more than three quarters of a million. It was developed by a former DHHS Inspector General with the assistance of two PhD experts. The survey design measures employee attitudes and perceptions concerning the compliance environment, and has been tested and validated to provide reliable results. The huge database of users permits organizations to benchmark their results against that universe. The results provide invaluable metrics of program effectiveness and can establish a baseline from which future surveys can be used to benchmark improvement. The report provides insights into how effective the compliance program has been in changing and improving the compliance culture of an organization. Employing this tool is surprisingly inexpensive and costs only a small fraction of a full compliance program effectiveness evaluation or even a gap analysis. It is also less costly than developing and delivering a home-grown survey that is not validated or tested for reliability. Reports from the survey run 30 to 50 pages and include tips for addressing any weaknesses; they benchmark results against the huge universe of those who have used the same survey in three ways: (a) overall results, (b) by category, and (c) by individual question.

 

For more information on a Compliance Culture Survey, contact Kash Chopra, JD, at 703-535-1413 or KChopra@strategicm.com.

Kusserow on Compliance: Why encourage anonymous hotline calls?

They are in your best interest

Encouraging anonymity with hotline callers may at first seem a bad practice; however, it is not. It is a sound policy and in the best interest of the organization. However, many believe no calls should be accepted without an individual disclosing his or her identity. Those individuals are wrong. First, the HHS OIG, Sentencing Commission, DOJ, and Sarbanes-Oxley Act all promote anonymous reporting. The OIG in its compliance guidance states, “At a minimum, comprehensive compliance programs should include…a hotline, to receive complaints, and the adoption of procedures to protect the anonymity of complainants and to protect whistleblowers from retaliation.” Failing to provide for and encourage anonymity undercuts the perceived effectiveness of the compliance program. There are other positive reasons for having anonymous reporting:

  1. Not allowing anonymity discourages reporting for fear of becoming a victim of retribution or retaliation. The result is that an individual may give information to someone else like an attorney, the media, government agencies, or simply not tell anyone, which may lead to a growing exposure to liability for the organization. As a rule, the more serious the complaint or allegation, the less likely callers will be willing to identify themselves.
  2. The disclosure of an individual’s identity creates a burden for the organization to protect the caller’s identity (“confidentiality”) once it is known. Failure to protect identified callers may result in unprotected reprisals or retaliation and serious consequences for the organization that may draw in attorneys, government, and regulatory agencies. There are many cases of litigation for reprisals or wrongful discharge where the company was put in the awkward position of trying to evidence that the call did not contribute to the adverse action or termination. This is not a burden if the caller was anonymous.
  3. It is also useful to keep in mind that many callers may want to self-disclose their identity in order to achieve protection as a “Whistleblower” to forestall performance or conduct-based actions by trying to invoke the organization’s non-retribution/non-reprisal policy. For some, calling the hotline may be an attempt to block the adverse personnel action.

In some cases, it is desirable, and perhaps even necessary, to learn the identity of the caller in order to properly act on the information offered. There are circumstances where having the identity is essential to act upon a serious allegation. In such cases, callers can be encouraged to identify themselves, noting that their confidentiality will be protected. As such, it is important to also have a Confidentiality Policy, along with the Anonymity Policy. Both such policies are called for in the OIG compliance guidance documents.
