Fraud And Theft In Your Ophthalmology Practice

Fraud And Theft In Your Ophthalmology Practice

Identifying The Biggest Threats To Physicians (And What To Do About Them)

While it may not initially jump out as a high-risk field, medical practices represent a very lucrative target for criminals. In addition to dealing in a regular and high volume of payments, physicians are also sitting on a gold mine of personal information.

Two angles of attack are particularly common: theft by insiders at the practice, and remote attempts to hack into computer systems. This post will discuss the primary threats to physicians as well as the primary means of dissuading and counteracting them.


Embezzlement by employees is unfortunately rampant in medical practice. According to statistics collected by the Medical Group Management Association, roughly 80% of all practices can expect to experience embezzlement at some point in time. Career embezzlers are able to ply their trade and move from practice to practice as physicians tend to underreport these crimes. It’s also generally only detected after it has been going on for some time, when the embezzler gets a little too comfortable and overreaches or gets sloppy in their methods.

Embezzlement is usually committed by way of some form of forgery or misdirection, and thrives on physicians not paying close enough attention to paperwork and financial records. Embezzlers will slide a bogus check into a stack presented to the physician to sign, draw up fake receipts for patient payments, or even create extra paychecks for themselves. Of course, if cash is accepted at the practice, they have the option of simply pocketing it as well.

Small-scale embezzlement can be very difficult to detect, but highly disciplined thieves are relatively few and far between. They generally become more reckless (and therefore noticeable) over time. Often this is due to an addictive behavior they are compulsively engaging in. Employees that take an unusual interest in or level of control over financial work are also a risk factor. Embezzlers will often jealously guard their independent and unique access to bookkeeping responsibilities, or insist on taking financial work home with them.

Curbing embezzlement means not giving too much blind trust or individual financial responsibility to any one employee. Several different employees should have access and oversight to serve as checks and balances on one another. Physicians should also make time to review strange variances in things like collections and vendor payments.

Identity Theft

Physicians are forced to safeguard very private information about their clients. Unfortunately, this information is a treasure trove for identity thieves, and it needs to be safeguarded accordingly. Practices are not always as security-conscious as financial institutions like banks and investment firms are, however, which makes them a ripe target for criminals.

The old-school and direct method is simply a physical break-in, but these are increasingly rare as they aren’t really necessary anymore. Thieves have found much more fertile hunting ground online, where there’s significantly less risk to them. And as with embezzlement, theft from the inside by employees is also a serious issue in this area.

One simple fix that can greatly reduce identity theft is moving away from identifying patients from their full social security number, instead using their last four digits instead (where patient volume makes such a thing practical). The social security number is the crown jewel of identity theft and the primary thing a criminal is seeking.

Another issue with identity theft is when a criminal makes a fraudulent claim using a stolen identity. They will generally do this by stealing a physician’s medical identifier and using it to bill Medicare or Medicaid for services. This can go on behind a physician’s back for months or even years, with the first warning often being a letter from the IRS indicating that services were not properly recorded on tax filings. Regular reviews of billing procedures are critical in curtailing this threat, as is safeguarding prescription pads and training staff in the proper handling and security of medical identifiers.


There are two general angles of attack when it comes to cybercrime directed against a physician’s office. Either the criminal will be attempting to access patient information or medical identifiers, or they will be attempting to install “ransomware” on the system.

In either case, the most popular approach is to deliver malware to the physician’s network by email. This malicious code is usually passed either as an email file attachment, or in the form of a web link that leads to a site that then automatically forces the malware on the computer. In both cases, the criminal is usually attempting to trick the physician or one of their employees into downloading one of these bogus attachments or following one of these bad links. They may go to the extent of “spoofing” the email by applying a false return address to make it look like it comes from a trusted source.

If the criminal is after personal information, they’ll most likely attempt to install a keylogger. This invisible piece of software sits quietly in the background and records keystrokes, and may also periodically take snapshots or video of whatever is on the desktop. These items are then forwarded in the background to the hacker.

Ransomware is a much more overt attack. Once it gets onto a computer or network, it immediately sets about encrypting all sorts of vital files such as documents, images, audio and video. The criminal then makes contact with the physician, offering to give them the password that decrypts the files in return for a payment.

The first line of defense in protecting against malware is to train staff to recognize the signs of a suspicious email, even if it comes from a seemingly familiar source. Email clients should never be set to automatically open, display or download file attachments. If employees receive an unexpected and strange file attachment from someone they know, they should make contact by some other means to verify it actually came from them. And instead of following unexpected links in emails, they should manually look for the page in question through Google.

An effective last line of defense against ransomware is an automated backup program that takes “snapshots” of the full system or network periodically. Ideally, these snapshots are stored both in the cloud and on a local system for redundancy in case one platform is compromised. Watch for our next blog in the next couple of days – an entire blog specifically on Ransomware!

Advantage Administration, Inc. specializes in the enhancement of operational efficiency in medical settings, including (but not limited to) advising on security best practices. If you have any questions or are interested in learning more about our services, feel free to contact us.