Insider Medicaid Fraud Case: 'An Important Reminder'Insider Threat a 'Consistent Problem,' a Legal Expert Says
A former worker at a substance abuse treatment provider in Connecticut has been sentenced to serve seven months in prison and pay more than $1.3 million in restitution for her part in an identity theft and Medicaid fraud conspiracy case involving stolen patient data.
"This is an important reminder about the threats from insiders," says privacy attorney Kirk Nahra of the law firm WilmerHale.
"While presumably this involves a low percentage of insiders, we also know that this is a consistent problem and a risk across all kinds of healthcare providers - and of course the insider risk is not limited to healthcare providers."
Nikkita Chesney of Bridgeport, Conn., was sentenced July 12 after pleading guilty last October to two counts of healthcare fraud and aggravated identity theft for her part of a Medicaid conspiracy case, according to the U.S. Department of Justice.
Chesney was employed by an unnamed Connecticut healthcare provider that provided substance abuse treatment, including a residential detoxification program located in Bridgeport, prosecutors say. She stole patient information at the request of Toshirea Jackson, who, with Juliet Jacob operated two Bridgeport businesses: Transitional Development and Training, or TDAT, and It Takes A Promise, or ITAP, which provided social and psychotherapy services, the Justice Department alleges.
Chesney stole information about Medicaid patients who were clients of her employer, prosecutors say. That included Medicaid identification numbers, Social Security numbers and dates of birth.
"Chesney, Jackson and Jacob then used the stolen identity information to bill Medicaid for psychotherapy services purportedly provided by TDAT and ITAP, when the Medicaid clients had never received any such services from TDAT and ITAP," the Justice Department says.
Chesney admitted that she stole the identity information of more than 150 Medicaid clients and that she and her co-conspirators successfully billed Medicaid for approximately half of those clients, prosecutors say. "Chesney further admitted that she and her co-conspirators also billed Medicaid for services to other clients that were never provided to those clients."
Chesney, who was released on a $25,000 bond, is required to report to prison on Sept. 20.
Earlier, Jackson and Jacob each pleaded guilty to one count of healthcare fraud for their roles in the scheme, as well as for a separate Medicaid fraud scheme, the Justice Department says. In May, Jackson, who was an employee of the Connecticut Department of Mental Health and Addiction Services, was sentenced to 24 months in prison and ordered to pay restitution of nearly $2.5 million. Jacob awaits sentencing.
"This type of insider fraud can happen to any healthcare provider organization, even small organizations where employees are personally known and trusted."
—Kate Borten, The Marblehead Group
Five other individuals have been charged and convicted of healthcare fraud offenses as a result of this and related investigations, the Justice Department says.
The Insider Threat
Kate Borten, president of privacy and security consulting firm The Marblehead Group says the case highlights the vulnerability of many types healthcare organizations to crimes involving insiders.
"This type of insider fraud can happen to any healthcare provider organization, even small organizations where employees are personally known and trusted," Borten says. "Fraudulent billing to government agencies, Medicaid and Medicare, may be the most common.
Many organizations fail to provide supplemental privacy and security training for supervisors and managers to help make them aware of the risk of personnel misuse of PHI and other confidential information, she notes. "Awareness and prevention should be explicit manager responsibilities, and managers should be held accountable if they fail to reasonably prevent or stop such misuse of information by staff," Borten says.
Companies need to monitor employee activity and develop appropriate safeguards to address suspicious and potentially criminal behavior, Nahra, the attorney stresses. "While this kind of problem could impact any healthcare provider, there may be particular risks involving vulnerable populations," he says.
"Companies need to evaluate both front-end controls to restrict access in general, and then also implement appropriate monitoring approaches particularly where broad access may be needed to conduct normal business activities."
Stealing Patient Data
Court documents in the Chesney Medicaid fraud and ID theft case note that in early 2012, once Chesney agreed to help Jackson in the fraud scheme, Chesney "compiled and formatted the stolen [patient] identity information into typed tables that identified each of the Medicaid clients by Medicaid client identification number, date of birth and Social Security number."
Prosecutors said that Chesney emailed this information to Jacob and Jackson, and Jacob trained Chesney in how to submit fraudulent claims to Medicaid using TDAT's and ITAP's Medicaid provider numbers.
"Using the stolen identification information, Chesney [and the co-conspirators] submitted and caused to be submitted to Medicaid claims for psychotherapy and other services purportedly provided by TDAT and ITAP to the Medicaid clients whose identities had been stolen, when in fact the clients had not received any such services at TDAT or ITAP."
Around December 2012, in order to reduce the work of compiling the tables of stolen identity information, Chesney began using her cell phone to covertly take photographs of documents from her place of employment that contained the dates of birth and Social Security numbers of Medicaid clients, and then sent these photographs via attachments to text messages to Jacob, according to court documents.
Chesney and her co-conspirators then used that stolen identity information to bill Medicaid through TDAT and ITAP for psychotherapy services and other services that had not been provided to the Medicaid clients, prosecutors say.
In addition to this case, Chesney also faces state charges from another fraud scheme she allegedly engaged in while employed by a state contractor that provided services to individuals who were transitioning to the community following completion of substance abuse treatment, prosecutors say.
In 2017, Chesney and others allegedly submitted fraudulent claims for childcare services to a state program, according to the prosecutors. Chesney's role in the scheme involved 20 fraudulent claims that resulted in a loss of more than $35,000 to the state program, the Justice Department says.