The dangers of trusting your employees too much

Preventing and addressing dishonesty in the workplace continues to challenge my physician practice clients. Recently, a client suffered an extreme example of how workplace dishonesty can cause harm. Her scary story is unfortunately familiar to many providers out there.

The situation began with a visit from a payer’s fraud department. The investigators reviewed patient charts with my client, the practice owner, and hinted at fraudulent billing and other improprieties. She could not understand the investigators’ claims and did not recognize the patient names at issue.

She began by looking for the patients’ names in the system. We immediately realized the charts were modified, deleted, or nonexistent. When the individual who handles IT for the practice was contacted for help—let’s call him Bart—he became nervous and uneasy. Bart was terminated immediately when it became clear he had played some role in the issue at hand. At the time, we could not fathom the extent of his role.

Bart exclusively handled the practice’s administration, provider billing, bill paying, check deposits, vendor contracts, payroll, and other key activities. Bart disappeared the day this happened and has not been seen or heard from since. There is evidence that he continued to access the practice’s servers to delete and modify records remotely even after his departure.

My client brought in an IT and forensic specialist to address the issues Bart created, as he was also the only one at the practice with passwords, system access, and any knowledge of the IT setup. We are still trying to locate missing records and determine the exact activities Bart engaged in.

After reviewing payroll records, it appeared that Bart established fake vendors that payroll funneled thousands of dollars to biweekly. My client had not detected the payments since all payroll and other financial activities had been left in Bart’s hands. We also determined Bart had obtained credit cards in the practice’s name and racked up bills for friends and family—all paid at the expense of the practice.

Since Bart handled all paperwork for the practice, my client did not question anything Bart asked her to sign. Bart was able to open bank accounts, take out loans, and otherwise use the practice’s credit, identity, and revenue. We have yet to fully determine the extent of his activities.

Because all the mail in the office also went through Bart, my client also found there were many unpaid bills, including those for malpractice insurance, general liability insurance, provider license renewals, and health insurance premiums. She has now spent thousands of dollars to rectify the situation and to protect her staff. Even worse, the very insurance my client might have turned to for coverage of Bart’s fraudulent activities lapsed.

Since Bart handled all the billing, it is still unclear how much of it was fraudulent. We do know that Bart reviewed the original payer audit request and responded without the practice’s knowledge, triggering the investigation.

I continue to assist my client in trying to address financial and legal issues. This should be a lesson to all practice owners take the proactive steps to protect themselves. At a minimum, they should:

  • Complete a background check on everyone who is hired. Bart had a criminal history, which could have been easily detected.
  • Never assign one employee complete oversight of any particular function within the practice. Make sure there is more than one person for every task and regular oversight and/or audit for any employee with significant financial, IT, or billing responsibilities.
  • Always have access to passwords, bank accounts, and be trained in other major practice responsibilities.
  • Conduct regular financial audits. This could mean reviewing the income and expenses with your accountant monthly or some other approach. The important thing is that business owners take responsibility for their business.
  • Look for red flags. In this case, Bart did not let anyone else touch his computer or handle billing. He got anyone who he did not “like” fired. He was the only one allowed to open mail, handle checks, or pay vendors. He always took his laptop home with him. Controlling conduct like this should be a red flag for practice owners.
  • Listen to complaints from other staff members and consult your lawyer or financial adviser if you have any concerns.

In this case, the police and FBI were informed of Bart’s activities, and the payer is helping the practice figure out what occurred. Hopefully, with the assistance of everyone involved, we can get this practice back on its feet.

There are many more steps that a practice can take to protect itself. I suggest talking with legal and financial advisers to make sure your practice has adequate safeguards in place. Let this client’s experience serve as a warning to physician practices everywhere.