Kusserow on Compliance: New FBI warning about scammers and the COVID-19 crisis

On March 20th, the FBI issued a new warning to the public about a rise in schemes related to the coronavirus (COVID-19) pandemic. The FBI warned the public to guard against opening documents and to research sources before clicking on links purporting to provide information on the virus; donating to a charity online or through social media; contributing to a crowdfunding campaign; purchasing products online; or giving up personal information in order to receive money or other benefits. The FBI specifically warned to look out for fake CDC, NIH, HHS, and CMS emails. The agency advised being particularly wary of websites and apps claiming to track COVID-19 cases worldwide and of phishing emails asking recipients to verify personal information in order to receive an economic stimulus check from the government. The fact is that government agencies are not sending unsolicited emails seeking private information in order to send money. The FBI also urges the public to be cautious of anyone selling products that claim to prevent, treat, diagnose, or cure COVID-19. Other new scams involve seeking charitable contributions, financial relief, airline carrier refunds, fake cures and vaccines, and fake testing kits. Failing to follow this advice can permit fraudsters to use links in emails to deliver malware to computers to steal personal information or to lock the computer and demand payment. With the current crisis, the FBI is concerned that many will lower their guard against scammers and, therefore, need to be reminded about these threats.

Tips for Compliance and Privacy Officers

  • Alert employees to beware of COVID-19 communications
  • Remind employees not to click on email links or attachments, or respond to inquiries
  • Regularly test users to make sure they are on guard
  • Configure email servers to block zip or other files that are likely to be malicious


Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2020 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: DOJ moves against spine device manufacturer for paying kickbacks

The Department of Justice (DOJ) has intervened in a qui tam whistleblower case filed against SpineFrontier, Inc. and related entities and executives for allegedly paying kickbacks to spine surgeons to induce use of their surgical devices. According to the complaint, spine surgeons were given over $8 million in sham “consulting” payments ostensibly for product evaluations, when in fact the payments were for use of SpineFrontier devices.

The defendants allegedly created Impartial Medical Experts LLC (IME)—a purported consulting company—as an intermediary entity to funnel kickbacks to spine surgeons. IME was designed to shield the defendants and spine surgeons from government scrutiny by creating a false impression that surgeons were consulting through an independent third-party entity. The defendants generally paid “consulting” spine surgeons $500 for a cervical procedure, and $1,000 for a lumbar procedure—but only if the surgeon used SpineFrontier devices. The United States alleges that consulting spine surgeons often performed little or no work beyond implanting the devices—for which they were separately paid by insurers—and that the defendants did not systematically collect or use feedback from consultants and paid them even when they had provided no feedback at all.

Kusserow on Compliance: FBI Reports on business email compromise scams

BEC Scams Accounted for 50% of cyber losses last year

The FBI once again reported on the increase in cyber-criminal activity related to ransomware and business email compromise (BEC) scams. During 2019, BEC accounted for almost a half million internet and cyber-crime complaints and caused losses of more than $3.5 billion. Approximately half of the reported losses were a result of BEC, sometimes referred to as EAC (Email Account Compromise) crimes, which averaged $75,000 per incident reported. This was the most damaging and effective type of cyber-crime last year. The 23,775 BEC victims accounted for $1.77 billion in losses, which was on average $75,000 per complaint.

These are sophisticated scams targeting business activities and individuals performing wire transfer payments. They normally come about as a result of either compromising or spoofing an email account of a legitimate person or company. The scammers use this email account to send fake invoices to business contractors. Sometimes they are sent to employees. They are designed to trick people into wiring money into the wrong bank accounts. An example of this relates to the diversion of payroll funds, wherein HR or payroll receives an email appearing to be from an employee requesting to update and change their direct deposit information for the current pay period, generally routing it to a pre-paid card account.

The most recent innovation has been scammers mimicking employees’ own CEO to steal funds from the payroll department. They hack into a company’s email server and identify which executives’ email addresses they can spoof to trick unsuspecting employees. The FBI also noted a decrease in the number of ransomware complaints, but a rise in the amount of losses per incident. Additionally, 764 health care providers reported being ransomware victims in 2019.


Kusserow on Compliance: Documentary pillars supporting effective compliance programs

16 key documents described

Critical to an effective Compliance Program (CP) is reinforcing it with key documents that provide the supporting pillars. The following describes some of the most important compliance program documents:

  1. Code of Conduct. This can be viewed as the Constitution for the organization and should be distributed to all covered persons.
  2. Charters for the Executive and Board Level Oversight Committees. These should establish oversight and support for the CP and define roles and responsibilities.
  3. Compliance Officer Charter/Position Description. It is important to formally describe the role of this position, responsibilities, reporting relationship to the CEO and Board, etc.
  4. Protocols Between the Compliance Office and Legal Counsel, HR, Internal Audit, etc. Many functions overlap or intersect with the Compliance Office. Working relationships need to be defined to avoid “turf issues.”
  5. Compliance Education and Training Policy. This should describe the development and implementation of regular, effective education and training programs for all affected parties, and describe general topics covered, frequency of training, and how you will document completion of the training.
  6. Hotline Charter/Policy. There needs to be a document that establishes a process to receive complaints and how they will be handled. It should describe how individuals can report concerns and ask questions or request guidance.
  7. Policies Addressing Ongoing Monitoring of High-Risk Areas. This addresses program managers’ responsibilities to monitor their risk areas, develop and implement written guidance for their staff, train the staff on how to comply, and verify that they are following the instructions properly.
  8. Policies Addressing Ongoing Auditing of High-Risk Areas. These should address independent reviews of high-risk areas to verify and validate that ongoing monitoring is operating the way it should and assist in the reduction of identified problem areas.
  9. Policies Governing Internal Investigations. Outline of the general steps that will be taken to investigate a report of possible problems; and documentation of results.
  10. Policies Addressing Non-Engagement of Sanctioned Individuals and Entities. This should state that there will be no engaging, contracting with, accepting referrals or prescriptions from those that are sanctioned, excluded or debarred from federal and state health care programs.
  11. Conflicts of Interest Policy. This should require all potential conflicts of interest be disclosed and provide a method for addressing them.
  12. Anonymity and Confidentiality Report Policies. Employees should be allowed to report potential wrongdoing anonymously and policy should protect the identity of those who request confidentiality.
  13. Non-Retaliation Policy. This should address protection against retaliation of those reporting potential wrongdoing.
  14. Document Policy Management and Retention. This should outline document retention and destruction requirements and should address electronically maintained documents.
  15. Credentialing and License Policy. This should address which individuals must maintain licensure and make clear that there will be no engagement of, or contracting with, individuals and entities that are not properly licensed. It should define verification procedures.
  16. Disclosure of Overpayments and Violations of Law and Regulations Policies. Overpayments are common and sometimes there is identification of wrongdoing. Strict rules should govern when and under what circumstances disclosures to outside parties are required.

These are only a starting point. All policies should be reviewed on an annual basis and updated as necessary. This includes eliminating policies that are no longer appropriate or relevant and writing new ones. All policies should be written in a template that permits you to document when a policy was last reviewed and when it was last changed.

For more information on this topic contact Marvin Mills (mmills@complianceresource.com) at the Compliance Resource Center that maintains over 1,000 compliance-related policy templates.
