WANAN YOSSINGKUM/istock via Gett

How BCBS MA Combats DME, Telemedicine Fraud Schemes

With just a snippet of personal information, scammers are roping in providers and tricking seniors into elaborate DME and telemedicine fraud schemes.

Equipped with fragments of personal information available on the internet or the dark web, scammers are increasingly targeting seniors in elaborate telemedicine fraud and durable medical equipment (DME) schemes, Blue Cross Blue Shield of Massachusetts (BCBS MA) told HealthITSecurity.

As a result of these schemes, patients have ended up with pain creams, back braces, and other prescriptions that make their conditions worse, not better. Meanwhile, providers get roped into writing prescriptions for patients they have never met, and payers must investigate an influx of suspicious claims.

“Over the years, I have talked to hundreds of our members that tell the same story,” Martin Flood, a senior investigator at the fraud investigation and prevention unit at BCBS MA, told HealthITSecurity.

“I’ve talked to hundreds of doctors who are misled into this business model. And our older population really feels the brunt of this.”

While these schemes are not new, the pandemic and an uptick in telemedicine use have widened the victim pool for bad actors. In July, the HHS Office of Inspector General (OIG) issued a fraud alert urging medical professionals to use caution “when entering into arrangements with purported telemedicine companies.”

“At best, there is no effect, but at worst, this could be really harmful,” said Jennifer Stewart, senior director for fraud investigation and prevention at BCBS MA.

Below, HealthITSecurity will dive into the details of a common telemedicine scheme and discuss how providers and payers can help their patients and themselves mitigate risk.

It All Begins With a Phone Call

A telemarketing company will cold call individuals, often seniors, after digging up some personal information via the internet or even by looking through records made available on the dark web from past data breaches.

“They target individuals who might have had issues with pain, a recent surgery, or a fall, and call them up and tell them that they qualify for a free product,” Stewart explained.

“They may or may not talk to a physician. This would not be their regular PCP or specialist that they've been dealing with for the issue. It would be somebody new to the conversation. A physician ends up writing up a prescription, which these telemarketing companies bundle and sell to DME companies and pharmacies. Then, they charge insurance companies very, very high prices.”

The scammers are savvy, Flood added, and may even have a patient’s Medicare or Medicaid ID, or some other identifying information that makes them seem legitimate. After conducting a half-hearted assessment, the scammers solicit real physicians to sign off on orders, which they can then bill to a patient’s insurer in hopes of a big payout.

“These callers are very talented at bending the truth,” Flood explained. “A lot of times patients think that the call was associated with a recent doctor’s office visit, and they give out their information.”

What’s more, the doctors who get involved in these schemes are often deceived by these companies just as the patients are.

“They could be coming right out of medical school, and they might have a lot of school debt. It seems like a good side gig to both help people get some experience and to get paid for prescriptions,” Flood noted.

“But they are not becoming the patient's doctor. They're not doing follow-up, they're not looking at their prior medical records, or they are not interacting with them at all. Once they put their name on something, they really don't know what these companies do with it.”

These scammers are successfully preying on patients for monetary gain, jeopardizing patient safety in the process. Providers and payers must play a key role in educating patients and preventing fraud.

What Can Providers Do?

“These companies have great pitches to bring doctors on board to do this: that you're helping people, that this is new telemedicine,” Stewart explained.

“But you really have to look at what they're doing and what you're providing individuals because sometimes these doctors never have any communication with these individuals, and that's not appropriate telemedicine. If they're already being treated by another doctor for this issue, that doctor needs to continue with their course of care, unless there's a really good reason to switch.”

After carefully evaluating the company’s processes and weighing them against telemedicine best practices, providers will likely realize that these companies are not providing quality care to patients.

In order to protect patients from becoming victims, providers should learn the telltale signs of this scheme and those like it. The Department of Justice (DOJ) has already provided numerous examples via large-scale healthcare fraud takedowns.

It is crucial that doctors maintain open lines of communication with their patients, especially those who may be more vulnerable to these schemes.

Stewart recommended that providers push the use of proprietary patient portals to maintain reliable communication, but also acknowledged that these portals may be difficult for elderly populations to use. At the very least, providers should encourage patients to call them if they are unsure whether a call they received was legitimate.

In addition, these incidents should be brought to the attention of payers, law enforcement, and Medicare, in order to prevent future incidents.

“There is a really big education piece that we all have to be involved in,” Stewart acknowledged.

The more providers, payers, and patients learn about the scheme, the less lucrative it will become for bad actors.

What Can Payers Do?

“Because we work as payers, we have to be prepared and have avenues for members to report to us,” Stewart stated.

“Not just through our fraud hotline, but also our member service line, and making sure that those calls get routed to the fraud department so that we can inform CMS and law enforcement as well.”

From the payer perspective, a telltale sign that a member has been scammed is when there is no doctor’s visit associated with the DME claim. The companies often do not bill for medical assessments, opting to file claims strictly for prescriptions or medical equipment. In addition, these claims tend to come in at a high cost.

“Once we start shutting these claims down and stop paying them, the entities disappear quickly and move on to another target,” Stewart noted.

“It is important to make sure that members are aware of these schemes, have a legitimate place to call, know that they can call at any time to check in, and understand what a proper doctor-patient relationship looks like.”

DOJ Takedowns Highlight Risks

“The federal takedowns demonstrate that there can be real civil and criminal liability with this,” Stewart emphasized.

In July 2022, the Department of Justice announced criminal charges against 36 defendants for alleged fraudulent telemedicine, cancer genetic testing, cardiovascular, and DME schemes that amounted to more than $1.2 billion in losses.

On the same day, CMS’ Center for Program Integrity (CPI) took additional administrative actions against 52 providers involved in similar activities, showing the impact that these schemes can have on providers themselves.

The DOJ discussed one case in great detail:

"One particular case charged involved the operator of several clinical laboratories, who was charged in connection with a scheme to pay over $16 million in kickbacks to marketers who, in turn, paid kickbacks to telemedicine companies and call centers in exchange for doctors’ orders. As alleged in court documents, orders for cardiovascular and cancer genetic testing were used by the defendant and others to submit over $174 million in false and fraudulent claims to Medicare—but the results of the testing were not used in treatment of patients. The defendant allegedly laundered the proceeds of the fraudulent scheme through a complex network of bank accounts and entities, including to purchase luxury vehicles, a yacht, and real estate. The indictment seeks forfeiture of over $7 million in United States currency, three properties, the yacht, and a Tesla and other vehicles."

In 2019, an investigation by the Federal Bureau of Investigation (FBI) and the HHS Office of Inspector General (HHS-OIG) resulted in the DOJ charging 24 defendants, the CEOs and COOs of five telemedicine companies, and the owners of DME companies, for their participation in a large-scale fraud scheme.

The DOJ said that hundreds of elderly and disabled patients were lured into the scheme.

“The defendants allegedly paid doctors to prescribe DME either without any patient interaction or with only a brief telephonic conversation with patients they had never met or seen,” the DOJ stated. 

“The proceeds of the fraudulent scheme were allegedly laundered through international shell corporations and used to purchase exotic automobiles, yachts and luxury real estate in the United States and abroad,”

The DOJ’s actions in recent years show that the federal government is not taking these schemes lightly. Even so, the perfect storm created by COVID-19 and an uptick in telemedicine use has exacerbated the problem.

The Importance of Securing PHI

“An incredible amount of this information is traded on the dark web that could come through breaches or people inadvertently handing their information over to a bad actor,” Stewart continued.

“We have to jointly think about how we create some checks and balances in a very anonymous, electronic, worldwide web system, where it is so easy to impersonate people and to buy an incredible amount of information.”

As healthcare data breaches continue to skyrocket, the security and privacy of protected health information (PHI) remain uncertain at best.

To Stewart and Flood, combatting this issue comes down to a payer and provider commitment to diligence and education. Payers and providers must communicate to patients that their medical information can be as sensitive as their credit card and Social Security numbers — and just because someone on the phone knows some information about you, doesn’t mean they have your best interests at heart.

PHI security should already be a priority for HIPAA-covered entities. It is crucial that healthcare organizations employ strict security measures and secure all endpoints to protect their patients’ information from bad actors. While it is impossible to eliminate risk altogether, defensive measures and employee education can go a long way in preventing otherwise avoidable data breaches.

“We all, both payers and providers, have a role to play in the education piece and in just being there. Whether it's our member or our patient, we have to monitor these claims, monitor what they're doing, and ask a couple of follow-up questions,” Stewart advised.

“If a provider hears a patient start talking about some DME that showed up or some pain cream, take action. Make sure they stop using it, make sure they report it to the payer, or to CMS, or some other federal authority so that we can all jump on it and try to shut the scheme down as quickly as possible.”

Next Steps

Dig Deeper on Health data access & privacy