BayPay Forum BayPay Forum


Feds Charge 301 Individuals in $900 Million Healthcare Fraud 'Sweep'

Category: Security News


Doctors, Nurses Among Those Arrested in Largest Joint HHS, DOJ 'Takedown' to Date
Marianne Kolbasuk McGee (HealthInfoSec) • June 22, 2016

In what's being dubbed as the largest healthcare fraud takedown to date, federal authorities have charged 301 individuals for $900 million in false Medicare and Medicaid billings.


Departments of Justice and of Health and Human Services officials announced June 22 an unprecedented nationwide sweep led by the Medicare Fraud Strike Force that resulted in criminal and civil charges being filed. Those charged include 61 physicians, nurses and other licensed medical professionals.

"As this takedown should make clear, healthcare fraud is not an abstract violation or benign offense; it is a serious crime," U.S. Attorney General Loretta Lynch says in a statement.

The latest fraud bust sends an important signal to all healthcare professionals. "The scope of the takedown is significant as well as the apparent focus on individual providers," says healthcare regulatory attorney Robert Homchick of the law firm Davis Wright Tremaine. "This government enforcement action appears to be attempting to hold individuals - not just corporations - accountable under the fraud and abuse laws."

Big Problem

While these arrests are important in the fight against Medicare fraud, the takedown represents only a dent in cracking the bigger, ongoing problems involving healthcare billing crimes.

"Medicare/Medicaid fraud has been a big issue for a long time, and while the government keeps going after it - and generally is pretty good at it - it never goes away," says healthcare attorney Kirk Nahra of the law firm Wiley Rein LLP.

"There is always lots to investigate and always tensions between paying claims and paying them quickly - where there is pressure to do so by government regulations and insurance regulation - while at the same time also doing a good job of policing fraud," Nahra says. "So, [there are] lots of challenges, with the 'bad guys' being able to act faster and more creatively on a general basis."

Fraud Conspiracies

Those arrested are charged with a variety of criminal and civil healthcare fraud-related crimes, including conspiracy to commit healthcare fraud, violations of the anti-kickback statutes, money laundering and aggravated identity theft. The charges are based on an assortment of alleged fraud schemes involving various medical treatments and services, including home healthcare, psychotherapy, physical and occupational therapy, durable medical equipment and prescription drugs.

Authorities charged more than 60 of the defendants with fraud related to the Medicare prescription drug benefit program, known as Part D, which is the fastest-growing component of the Medicare program overall.

Fraud Schemes Busted

Among individuals charged in the Medicare fraud takedown are:

  • 115 individuals from Florida involved in a variety of fraud schemes, including more than $230 million in false billings for home healthcare, mental health services and prescription drugs;
  • 35 individuals charged in Texas for alleged healthcare fraud totaling more than $193 million and involving schemes that include the submission of false billing for medically unnecessary home health services;
  • 22 defendants in California charged for their roles in schemes to defraud Medicare of some $162 million for incidents that include medically unnecessary procedures;
  • 19 individuals in Michigan charged for their alleged roles in fraud, kickback, money laundering and drug distribution schemes, which involved $114 million in false claims for services that were medically unnecessary or never rendered;
  • Six people in Illinois charged in cases related to three different schemes, involving bribery and false and fraudulent claims for home health services and disability benefits;
  • 10 individuals in New York charged in six different cases, including five individuals who were charged for their roles in a scheme that involved over $86 million in physical and occupational therapy claims to Medicare and Medicaid.

In addition to the federal Strike Force, authorities said related enforcement actions also include cases brought by 26 U.S. Attorney's Offices, including the unsealing of search warrants in other investigations being conducted by North Carolina, Georgia, Texas, West Virginia, Louisiana, Minnesota, Alabama and Washington, D.C.

Lessons Learned

Some experts say there are also measures that healthcare entities and private insurers can take in the effort to fight healthcare fraud.

"Proven processes conducted by internal and external teams can occasionally catch a greedy fraudster," says Mark Dill, principal consultant at consulting firm tw-Security. "In a larger organization, fraud detection tools are often needed to automate otherwise labor-intensive processes," he says. "Leading tools in this space seem to have a good track record, across multiple sectors including healthcare."

However, an organization is not likely to detect fraud if it is not looking, he notes. "Organizations need to consider which material business/clinical processes are worth - from a financial perspective - monitoring and auditing, given their limited resources. Good processes and tools are important, but keep in mind, an alert workforce with a 'see something, say something' awareness level/culture can often detect as many anomalies as those established processes and tools."

Healthcare entities and private insurers can also potentially learn from the federal takedown, Dill adds.

"Fraudsters tend to repeat behavior patterns - physical and digital - that either match patterns that are known or they are new and are designed to evade common detection ... DOJ and HHS should incorporate their findings into their processes and tools to better prevent and detect this type of fraud in the future," he says. "As details become public, healthcare entities can incorporate these same tactics and tools into their own practices. If HHS is using commercial tools, the vendors may incorporate the detection patterns into their core toolsets so that all customers can benefit from this investigation."

Previous Busts

Federal authorities last year announced the arrest of 243 people on fraud charges totaling $712 million, a previous record for the Medicare Fraud Strike Force (see 243 Charged in Medicare Fraud Schemes).

Among other large Medicare busts was the May 2014 arrest of 90 individuals in six states who were allegedly tied to Medicare fraud schemes responsible for $260 million worth of false billings (see 90 Charged in Medicare Fraud Schemes). In October 2012, federal authorities announced a Medicare fraud crackdown that involved charges against 91 individuals in fraud schemes allegedly involving $492 million in false billing (see 91 Charged With Medicare Fraud).

Coordinated Probe

The Medicare Fraud Strike Force - a multi-agency team of federal, state and local investigators and prosecutors, which was launched in 2007 to combat Medicare fraud through the use of Medicare data analysis techniques - coordinated the investigation. The Strike Force, which operates in nine locations, has to date charged more than 2,900 individuals who collectively have falsely billed the Medicare program for over $8.9 billion, federal authorities said.

In addition to federal law enforcement's involvement, 23 state Medicaid Fraud Control Units also participated in the recent bust. Besides individuals being charged in the bust, HHS's Centers for Medicare and Medicaid Services says it is also suspending payment to a number of providers using its suspension authority provided in the Affordable Care Act.


No-Brainer Ransomware Defenses

Category: Security News

Ransomware attacks are continuing to surge. For organizations that want to prepare themselves to survive such an attack - and all should be doing so - the way forward should be clear.

"The only effective solution for ransomware is backup ... and disaster recovery," says Mark James, an IT security specialist at security firm ESET.

Even with verified, offline backups to hand, and the ability to rapidly restore systems, organizations may still need to take affected PCs or servers offline for some period of time. But the alternative, James says, involves the ethically dubious - at best - prospect of paying ransom money to criminals and trusting that they will indeed then share decryption keys for crypto-locked systems (see Please Don't Pay Ransoms, FBI Urges).

Furthermore, there can be additional challenges. For example, some security firms may be trying to scuttle the exact same infrastructure that's meant to shake down ransomware victims. "Our job is ... to shut down the very servers that are going to distribute the malware, and in doing so, part of that might be shutting down these end servers, which you're looking at to try and get your decryption keys, or your means to decrypt the data and get back up and running again," James says.

In this interview with Information Security Media Group conducted at the Infosec Europe conference in London, James also details:

  • The difference between maintaining backups, versus running an effective backup and disaster recovery program;
  • The need for global enterprise policies and rule sets to lock down unnecessary, outdated or disused applications and plug-ins on PCs;
  • Why solving the ransomware problem will require more than just technology solutions.

James is an IT security specialist for ESET UK. He has worked at the company since 1999 and prior to his role as security specialist, James was the technical team leader, managing the ESET help desk team that offers technical support to customers. He has been working in the IT industry for 25 years and has held many roles, covering such domains as network management, infrastructure systems design and integration.


The CASB Challenge: APIs or Proxies?

Category: Security News

In recent months, Cloud Access Security Broker solutions have emerged as a de facto, mandatory control. Which is the better approach to CASB - proxy or API? Rohit Gupta of Palerra shares his insight and recommendations.

Gupta founded Palerra in 2013 with a vision of enterprises embracing the cloud. And that's happened. But with cloud ubiquity has come a new reality, he says.

"Enterprises recognize that there is a security aspect that they've got to take care of," Gupta says. "They've got to understand that information is going into the cloud. They have to be careful about their users whose information is [in the cloud] ... and, really, the cloud represents this new attack vector that enterprises have to care about."

Hence, the rise of the CASB and the question over which approach is better to take - proxy vs. API.

In an interview about CASB strategies, Gupta discusses:

  • Merits and tradeoffs of each CASB approach;
  • Why Palerra has embraced the API method;
  • What security leaders need to be asking of their prospective CASB technology partners.

Gupta founded Palerra in 2013 with the vision of ushering in a new paradigm in security and devops; one that would enable enterprises to confidently embrace and accelerate the move to the cloud.

He has spent his entire career in enterprise software. Most recently, he was Vice President and General Manager for the Remedy IT Service Management division at BMC Software, a product line producing over $500M in revenues. At BMC, Gupta helped build and grow their first two SaaS offerings, including RemedyForce and RemedyOnDemand. Prior to BMC, Gupta was Vice President of Product Management for Identity and Access Management at Oracle Corporation, with responsibility for product strategy, marketing, business development and alliances. Under his leadership, Oracle rapidly grew its IAM market presence from a nascent player to market leadership, with revenues over $300M in the first five years since inception.


Brexit Referendum: 5 Cybersecurity Implications

Category: Security News
If UK Leaves, Expect Data Protection, Privacy Laws To Remain
Mathew J. Schwartz (euroinfosec) • June 22, 2016

Should I stay or should I go?


On June 23, British voters go to the polls to decide if Britain should exit - or "Brexit" - the European Union. In recent weeks, the "Leave" campaign - heavily centered on immigration-related fears - and the "Remain" campaign, which tends to highlight the political benefits of remaining a part of the EU, have been arguing their case.

If Britain exits the EU, much of the impact remains unknown and subject to debate. While Britain isn't one of the majority of the 28 EU member states that have standardized on the euro currency, the U.K. would no longer enjoy unfettered access to the EU's single market, and would have to renegotiate related treaties, not least surrounding data transfer, and there are no guarantees that the EU courts would uphold such deals.

In the event of a Brexit, here are five likely cybersecurity, privacy and cybercrime-related repercussions:

1. Data Protection Laws: Business Rationale

Even if Britain exits the EU, it will still likely abide by European data protection laws, London-based attorney Eduardo Ustaran, a partner in the global privacy and cybersecurity practice at law firm Hogan Lovells, says in a blog post. "Data protection law is not an arcane doctrine that exists alongside Napoleonic codes and is nurtured by Brussels' bureaucracy - it is a need for the digital age," he says. "Protecting people's data and defending our digital privacy in a way that enables the information economy to prosper is not just in the EU's interest, but in everybody's, including of course the U.K."

2. Full Compliance With GDPR

The EU's previous data protection rules, which came into effect in 1995 - and which were based on U.K. data protection laws from 10 years prior - allowed member states to comply with the related directive in different ways, Ustaran says. But the new General Data Protection Regulation - which comes into force in May 2018 - imposes very precise, non-negotiable requirements for handling EU residents' personal data, and any organization that does business in the EU must demonstrate that they're handling such data in a safe manner (see Mandatory Breach Notifications: Europe's Countdown Begins).

The U.K. Parliament could opt to not comply in full with the GDPR, but there's a strong business case to fully comply. "European data protection law is globally recognized as setting the highest standards of privacy and cybersecurity protection," Ustaran says. "Many countries around the world, from Canada to New Zealand and from Japan to Uruguay, have sought to match those standards to allow their own businesses to prosper under a solid data protection framework," as well as to allow them to say that they comply with EU rules, and may thus do business in those regions. Even non-EU members Norway and Switzerland, he adds, have passed laws that mirror the EU's data protection laws, to enable them to more easily do business with the EU.

3. Cybercrime-Related Challenges

If it's unlikely that U.K. data protection laws will lag behind the EU, the same can't be said when it comes to combating cybercrime. "A Brexit is very likely to lead to a significant reduction on cooperation in criminal and policing matters between the U.K. and the EU," Steve Peers, a professor of law at the University of Essex who specializes in European Union law and human rights law, says in a blog post.

For example, the U.K. works with Eurojust, the EU agency that handles cross-border judicial cooperation relating to criminal matters, as well as with the EU law enforcement intelligence agency Europol. In fact, Europol is led by British civil servant Rob Wainwright, who's Welsh, while its "EC3" European Cybercrime Center is led by Steven Wilson, who's Scottish.

But in the event of a Brexit, the U.K. would lose full access to EU agencies, and could only participate as an associate, which "means a more limited involvement in each agency than they would have as EU Member States," Peers says.

4. Policing and Prosecution: Less Collaboration

A Brexit would make it more difficult for Britain to see foreign suspects get extradited to face charges in U.K. courts, and vice versa (see Brits Arrest Alleged Fed Reserve Hacker). "EU membership comes with a host of laws regarding police and criminal law cooperation," Peers says in a blog post. "Those laws have helped the U.K. get hold of far more fugitives for trial in the U.K., and also remove more criminals for trial abroad. The amount of data exchanged between police services on alleged terrorists or other criminals has increased too."

Britain could potentially negotiate related treaties with EU member states, but Peers says it's not clear that the EU Court of Justice would uphold such treaties, or whether individual countries would go through the effort required to finalize them.

5. Cybercrime Policing: Intelligence Hit

Britain would have to match existing EU data protection laws to gain access to EU law enforcement intelligence, Peers says. "If the UK did not continue to sign up to EU data protection laws fully, there would be difficult legal disputes that could limit the transfer of policing data to the UK's law enforcement authorities from the EU," he says (see Europol Announces DD4BC Arrests).

But even if Britain fully complies with the GDPR, it wouldn't have access to the full panoply of EU law enforcement intelligence. "There would be legal complications if the U.K. sought to renegotiate access to police data exchange after Brexit," Peers says. "There's clear proof of this - even a non-EU country like the USA has faced repeated legal and political challenges trying to obtain such access in practice," he says (see 'Privacy Shield' to Replace Safe Harbor).

Post-Brexit Takeaway

The Brexit debate is much broader than just the cybersecurity and privacy-related components outlined above. But when it comes to cybercrime intelligence sharing, policing and prosecution in a potentially post-Brexit world, the related challenges facing Britain would be significant.


LinkedIn, MySpace Hacker 'Urgently' Needs Money

Category: Security News


Market for Latest Mega Breaches is Disappearing Fast
Jeremy Kirk (jeremy_kirk) • June 22, 2016

Tessa88 has been seeking bitcoins for allegedly stolen data.

The market for stolen data is like any other: The less fresh the goods are, the harder the sell. And that includes the data released last month in an unprecedented round of mega breaches including MySpace and LinkedIn (see 'Historical Mega Breaches' Continue: Tumblr Hacked).


The data has circulated so widely among security researchers, companies and hackers that its value has fallen. Plus, companies that are affected are on close watch for suspicious login attempts.

And the alleged source of some of the breaches seems to be aggressively advertising the data to whomever might pay.

The LinkedIn and MySpace breaches, which were confirmed by both companies in May, came to light via someone using the Jabber instant messaging handle Tessa88 (the full address is obscured on the page). LeakedSource, a breach notification service, said it had been passed the data from those two services by Tessa88 (see LeakedSource: 'Assume Every Website Has Been Hacked').

My Chat with Tessa88

I've been trying to reach Tessa88 on Jabber for a while. It's believed that Tessa88 is a man living in Russia. It's also suspected several people might be using the same instant messaging account, including a woman. For simplicity's sake, I'll refer to the person as male.

Earlier this week, Tessa88 popped online and sent me an unsolicited spammy message: "vk.com 130.000.000 - 1btc twitter.com 100.000.000 2btc." The message was sent unencrypted, a sign that Tessa88 isn't being too careful these days or perhaps just doesn't care much about his security. The message felt like it had been sent to everyone in his contacts list.

Both of the batches of data Tessa88 offered are questionable. Vkontakte, the Russian social networking service, never directly confirmed it was breached, but said the data contained inactive logins and that the service strengthened its security in 2012. The alleged Twitter breach turned out to be fake: While some of the credentials may have worked, the list was an amalgamation of stolen data from other sources. Twitter said its networks weren't compromised.

Those releases haven't helped Tessa88's reputation. Alex Holden, founder and chief information security officer for Hold Security, says Tessa88's approach of releasing real data to bolster his reputation, but then duping buyers with questionable data "may be the mark of a good salesman." But he may simply not have any more legitimate dumps.

"The fact that we've been out two or three weeks since the last breach revelation is making me think that his streak is coming to an end," Holden says.

I was eager to learn more about what was going on and asked Tessa88 if there were still buyers for the data.

Tessa88 had been trying to sell stolen data on underground forums since early March. But the more accessible place to find the data for sale was on TheRealDeal, an underground market that uses the Tor anonymity network. Someone nicknamed Peace offered several data sets. It's not clear why Peace and Tessa88 have been working together.

I asked Tessa88 why he needed the money. In an interview earlier this month, Peace told Wired he'd made more than $35,000 selling the LinkedIn, MySpace, Tumblr and Fling data sets.

Tessa88 says he has made only 100 bitcoins, or about US$66,740, which he claimed to have given to a good cause. I asked him why it's suspected that several people, including possibly a woman, use the Tessa88 Jabber account. He didn't really answer, saying he is indeed a real person.

'We'll Have a Long Talk ...'

All signs point to declining credibility for Tessa88. The mislabeled data breaches have been quickly unraveled. His spammy instant messaging blast may be a last-ditch attempt to extract whatever value is left from whatever data remains.

Troy Hunt, who runs the data breach notification service Have I Been Pwned?, says that Tessa88 claimed to have data belonging to Dropbox, but it turned out to be a mishmash of Tumblr data and some Twitter accounts.

"These guys rely on credibility in order to elicit money from buyers, and when that's eroded it will have to impact confidence in future sales," Hunt says.

I had many more questions for Tessa88, including why data from the legitimate breaches has bubbled up years later and how services that should have had strong security in place could have been breached in the first place.

Before he stopped chatting, Tessa88 said he could talk about how he "cheated" LeakedSource, the website he shared data with. His relationship with LeakedSource is also fuzzy. It's unclear why he provided the data to that website when he was trying to sell it elsewhere.

"We'll have a long talk," he promised before falling offline.

