Warung Bebas
Showing posts with label fraud.

Thursday, 19 December 2013

EHR cut-and-paste problem is only one of the several mechanisms to clone documentation - and facilitate fraud

In my Dec. 10, 2013 post "44% of hospitals reported to HHS that they can delete the contents of their EHR audit logs whenever they'd like" (http://hcrenewal.blogspot.com/2013/12/44-of-hospitals-reported-to-oig-that.html) I observed that the "money quote" of the Modern Healthcare article that prompted the post, "Feds eye crackdown on cut-and-paste EHR fraud" by Joe Carlson was not the issue of EHR cut-and-paste features and billing fraud, but EHRs and audit trail alteration.

Dr. Stephen R. Levinson, an E/M compliance and healthcare quality expert among other areas of expertise (see http://www.linkedin.com/in/stephenlevinson), wrote me with the following regarding the issue I glossed over in favor of the audit trail concerns, namely, EHR cloning.

Reproduced with Dr. Levinson's permission:

This long-recognized and high-profile problem [EHR cut and paste, copy forward, etc. - ed.] covers only one of the several mechanisms EHRs provide to create CLONED Documentation.

Other non-compliant short-cuts include documentation by exception (auto-entry of extensive negative history reviews and normal comprehensive examinations), use of restricted pick list words and phrases, and "translation."

Translation is my own terminology for taking actively entered "yes" or "no" responses in medical history (and "normal" or "abnormal" findings in physical exam) and using pre-loaded software to convert (i.e., translate) the response to a long pseudo dictation paragraph. For example, check a box for lungs being "normal" may automatically appear in a paragraph as "lungs clear to percussion and auscultation; respiratory effort is normal on inspiration and expiration with normal excursions of the diaphragm; there are no rales or rhonchi, and no wheezes are present."

This extended statement will appear identically in patient after patient and visit after visit, regardless of whether this level exam was performed. Further, the likelihood of every patient having completely normal lungs is non-existent.  [This is one mechanism by which reams of "legible gibberish" are produced even with modest hospital stays, e.g., see my Feb. 27, 2011 post "Two Weeks, Two Reams" at http://hcrenewal.blogspot.com/2011/02/electronic-medical-records-two-weeks.html - ed.]

Finally, although cloned documentation is egregious, there are four other equally egregious non-compliant documentation and coding features, common to most EHRs, that are being totally ignored by OIG. These 4 features are:

1) non-compliant coding engines (including failure to consider medical necessity of the level of care)

2) Replacing narrative documentation of differential diagnoses with billing codes (ICD-9) and billing semantics

3) Failure to document the qualitative components of E/M coding, while addressing only quantitative components (e.g., when patient has a positive response to review of systems question on chest pain, compliance (and quality care) requires further investigation and documentation of further details; most current systems either lack ability to document these details or fail to guide and require physicians to document them)

4) Failure to incorporate consideration of "medical necessity" (indicated in E/M coding as the "nature of the presenting problems") into care, documentation, and coding

As evidenced by these explanations, common commercial EHRs in use today were either designed by amateurs or by crooks, with the gatekeepers turning a blind eye towards abuses since at least 2007 (per commenter and EHR compliance expert Dr. Reed Gelzer who, at http://hcrenewal.blogspot.com/2013/12/44-of-hospitals-reported-to-oig-that.html, indicated ONC and OIG knew of these issues since a 2007 report he contributed to).

The gatekeepers have turned a blind eye, that is, until now when they've finally opened one eye very slightly, like a ten-day-old puppy, as the abuses become more widely known.


Young puppy begins to open its eyes.


-- SS

Tuesday, 10 December 2013

44% of hospitals reported to HHS that they can delete the contents of their EHR audit logs whenever they'd like?

Modern Healthcare published an article "Feds eye crackdown on cut-and-paste EHR fraud" on Dec. 10, 2013 by Joe Carlson.

The article is about federal efforts to reduce the amount of clinician cut-and-paste from a patient's prior notes, which can even be done between the charts of different patients. This practice can result in overbilling for work not actually performed. It can also result in no-longer-accurate data being carried forward; I have been a consultant on cases where that phenomenon, in my opinion, contributed to grave patient injury, in cases that have settled out of court.

It is at this link:  http://www.modernhealthcare.com/article/20131210/NEWS/312109965/feds-eye-crackdown-on-cut-and-paste-ehr-fraud?utm_source=articlelink&utm_medium=website&utm_campaign=TodaysHeadlines#

Subscription required, but googling the article title may allow reading it in its entirety.

The article begins:


Federal officials say the cut-and-paste features common to electronic health records invite fraudulent use of duplicated clinical notes and that there is a need to clamp down on the emerging threat. That concern is enhanced by the fact that it's too easy to turn off features of EHR systems that allow tracking of sloppy or fraudulent records.

In an audit report released Tuesday morning (PDF), [HHS Office of Inspector General, "NOT ALL RECOMMENDED FRAUD SAFEGUARDS HAVE BEEN IMPLEMENTED IN HOSPITAL EHR TECHNOLOGY"], HHS agencies confirmed that they are developing comprehensive plans to deter fraud and abuse involving EHRs, including guidelines for cut-and-paste features. The issue arises at a time when critics say federally subsidized digital patient record systems are sometimes being used inappropriately by providers to drive up reimbursement.

“Certain EHR documentation features, if poorly designed or used inappropriately, can result in poor data quality or fraud,” according to a report from HHS' Office of the Inspector General.

None of this is a surprise to me, and to readers of this blog.

However, the real "money quote" in the article, I believe, is this:


"In addition, only 44% of hospitals' “audit log” systems could record whether cut-and-paste was used to enter data, and an identical percentage of hospitals reported [to OIG] that they can delete the contents of their internal audit logs whenever they'd like."


From page 11 of the HHS OIG Report linked above (http://www.modernhealthcare.com/assets/pdf/CH92135129.PDF):

[In 2006, ONC contracted with RTI International (RTI) to develop recommendations to enhance data protection; increase data validity, accuracy, and integrity; and strengthen fraud protection in EHR technology.]

... Hospitals' control over audit logs may be at odds with their RTI-recommended use as fraud safeguards:

RTI recommends that EHR users not be allowed to delete the contents of their audit log so that data are always available for fraud detection, yet nearly half of hospitals (44 percent) reported that they can delete their audit logs. Although these hospitals reported that they limit the ability to delete the audit log to certain EHR users, such as system administrators, one EHR vendor noted that any software programmer could delete the audit log.

RTI recommends that the ability to disable the audit log be limited to certain individuals, such as system administrators, and that EHR users, such as doctors and nurses, be prevented from editing the contents of the audit log because these actions can compromise the audit log's effectiveness. Hospitals reported they have the ability to disable (33 percent) and edit (11 percent) their audit logs, although they reported restricting those abilities to certain EHR users, such as system administrators or EHR vendors. All four EHR vendors we spoke with reported that the audit logs cannot be disabled in their products, but one vendor again noted that a programmer could disable the audit log.

I further note that, being voluntarily provided, i.e., not part of a formal investigation of any specific organization, those numbers are likely low, perhaps very low considering this issue.

An audit log or audit trail is an automatically generated dataset, invisible to most users, that records who viewed a record, when and from where, and what actions they performed on it (edits, changes, additions, deletions, and so on).

Because an EHR is itself nothing more than magnetically or optically encoded bits on some storage medium, nothing in the record alone can establish that it is complete and free from human alteration.

The audit trail is therefore the only means of authenticating an EHR printout (or EHR screenshots, or any other tangible rendering of those bits) as complete and free from alteration, and it can serve that purpose only if the audit trail is itself protected from deletion and editing.

If an EHR printout cannot be authenticated as complete and free from alteration, its trustworthiness and perhaps even court admissibility as a business record under an exception to the hearsay rules regarding evidence may be damaged or invalidated.

My concern is that, if true, and considering the conflict of interest a hospital has regarding hiding potential fraud or malpractice that could cost them millions of dollars, a capability to "delete the contents of their internal audit logs whenever they'd like" and to edit audit trails (which based on the capabilities of relational databases also implies an ability to delete sections of audit logs selectively and/or to substitute false data) is simply alarming.
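The RTI recommendation quoted above (users must not be able to delete or edit the audit log) is only as strong as the controls around the table that holds the log. The Python below is an added example, not code from this post or from any EHR product; it uses a constructed audit table in SQLite with assumed column names and sample entries. It shows both halves of the problem: database triggers stop ordinary users from deleting or editing entries, but a programmer with DDL rights drops the triggers and deletes whatever he likes, exactly as the vendor quoted by OIG said. It then shows the check that survives that: each entry is chained to the previous one with a SHA-256 hash, and the hash of the newest entry is anchored outside the database (a write-once store, a separate system, a printed receipt held by compliance), so a verifier can prove that a deletion, edit or truncation occurred even when it cannot say what was removed.

```python
import hashlib
import json
import sqlite3

GENESIS = "0" * 64  # prev_hash of the first entry


def open_audit_db():
    """In-memory stand-in for an EHR audit-log table (constructed for this example)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE audit (
            id        INTEGER PRIMARY KEY,
            ts        TEXT NOT NULL,
            actor     TEXT NOT NULL,
            action    TEXT NOT NULL,
            patient   TEXT NOT NULL,
            prev_hash TEXT NOT NULL,
            hash      TEXT NOT NULL
        );
        -- "EHR users cannot delete or edit the audit log", enforced by the database.
        -- This holds only until someone with DDL rights drops the triggers.
        CREATE TRIGGER audit_no_delete BEFORE DELETE ON audit
            BEGIN SELECT RAISE(ABORT, 'audit log is append-only'); END;
        CREATE TRIGGER audit_no_update BEFORE UPDATE ON audit
            BEGIN SELECT RAISE(ABORT, 'audit log is append-only'); END;
    """)
    return con


def _entry_hash(ts, actor, action, patient, prev_hash):
    # Canonical JSON so the same fields always hash the same way.
    payload = json.dumps([ts, actor, action, patient, prev_hash], separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def append_entry(con, ts, actor, action, patient):
    """Append one entry chained to the current tail; returns its hash (the new anchor)."""
    row = con.execute("SELECT hash FROM audit ORDER BY id DESC LIMIT 1").fetchone()
    prev = row[0] if row else GENESIS
    h = _entry_hash(ts, actor, action, patient, prev)
    con.execute(
        "INSERT INTO audit (ts, actor, action, patient, prev_hash, hash) VALUES (?,?,?,?,?,?)",
        (ts, actor, action, patient, prev, h))
    con.commit()
    return h


def verify_chain(con, anchor):
    """Walk the chain from GENESIS to the anchor held off-system.
    Returns (ok, explanation). A mismatch tells you *that* tampering happened,
    not what the missing or altered entry said."""
    prev = GENESIS
    rows = con.execute(
        "SELECT id, ts, actor, action, patient, prev_hash, hash FROM audit ORDER BY id")
    for id_, ts, actor, action, patient, prev_hash, h in rows:
        if prev_hash != prev:
            return False, f"chain break before entry {id_}: an earlier entry was deleted or reordered"
        if _entry_hash(ts, actor, action, patient, prev_hash) != h:
            return False, f"entry {id_} content was altered"
        prev = h
    if prev != anchor:
        return False, "log tail does not match the off-system anchor: trailing entries were deleted"
    return True, "chain intact"


def delete_is_blocked(con, entry_id):
    """An ordinary DELETE hits the trigger and fails."""
    try:
        con.execute("DELETE FROM audit WHERE id = ?", (entry_id,))
    except sqlite3.DatabaseError:
        return True
    return False


def tamper_as_programmer(con, sql, params=()):
    """What 'any software programmer could delete the audit log' looks like:
    with DDL rights the triggers go first, then any DELETE or UPDATE runs unopposed."""
    con.executescript("DROP TRIGGER IF EXISTS audit_no_delete; "
                      "DROP TRIGGER IF EXISTS audit_no_update;")
    con.execute(sql, params)
    con.commit()


if __name__ == "__main__":
    con = open_audit_db()
    append_entry(con, "2013-12-10T09:00:00Z", "dr_a", "view", "pt-0001")
    append_entry(con, "2013-12-10T09:05:00Z", "dr_a", "edit", "pt-0001")
    anchor = append_entry(con, "2013-12-10T09:07:00Z", "nurse_b", "view", "pt-0001")
    print("user DELETE blocked:", delete_is_blocked(con, 2))
    print("before tampering:", verify_chain(con, anchor))
    tamper_as_programmer(con, "DELETE FROM audit WHERE id = ?", (2,))
    print("after programmer DELETE:", verify_chain(con, anchor))
```

The anchor is the whole point: an administrator who can rewrite the table can also recompute every hash, so the value that verification ends on must live where that administrator cannot reach it, and it must be refreshed (and its history kept) every time the log grows.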

I don't think the EHR pioneers intended EHRs to be used for purposes of allowing evidence spoliation without traceability ...

-- SS

Dec. 13, 2013 Addendum:

I received the following reply from EHR compliance expert Dr. Reed D. Gelzer.  Re-posted with permission:

Good morning Dr Silverstein,

Thank you yet again for the illumination that you bring to matters of truth in Healthcare Information Technology.

Regarding the OIG report’s source document, the 2007 report to the ONC, I was the Fraud Prevention Workgroup Chair for that project, working under Principal Investigators Dr. Don Simborg and Susan Hanson, former Chair of AHIMA. 

For anyone who is interested in this subject matter, I would recommend that you go to the source document and, among other things, review the list of contributors.  These were all individuals who volunteered time to attempt to mitigate harms of defective HIT, in their capacities of records management systems, nearly 8 years ago now.   Many have gone on into leadership roles in related organizations and domains, some still working towards trustworthy health information technology systems.

I believe that I can say that none of those working on the report then would have believed that it was conceivable that even our most basic recommendations regarding the fitness of audit functions would remain "novel" in the industry in 2013. One cannot be surprised at the low level of authenticity supports in hospitals' EHR systems given that fitness as record management systems for patient care has, to date, been either neglected or presumed, not tested or attested. I am gratified that our 2007 work was utilized for the OIG report to illuminate the deplorable state of integrity supports in these patient care information systems. This will undoubtedly spur interest in supportive resources such as the HL7 EHR System Functional Model Standard and the HL7 Records Management and Evidentiary Support Profile Standard.

All of us who worked on that ONC report are, I hope, as gratified as I am that the OIG removed our work product from its designated obscurity.   We developed the guidelines via methods that were more qualitative than quantitative, entirely intended to guide initial implementation backed by more methodical research.   We represented the most informed at that time, including those like myself and my ADIC associate Patricia Trites who had performed compliance testing on over 30 among the leading EHRs at the time and found extraordinary ranges of deficiencies, including audit functions that could be disabled at will.   Standards and tools existed then to support mitigation of risks and those Standards and tools have expanded since.  Now that the events and ONC decisions that led to inactions on the report are now in the past, we can more rapidly achieve the potentials nascent in HIT by rendering it more trustworthy, usable, and safe.

Thank you again for your ongoing vigilance.

Sincerely,

Reed D. Gelzer, MD, MPH, CHCC
Trustworthy EHR, LLC
Co-Facilitator, HL7 Records Management and Evidentiary Support Workgroup

To this I add that I also would not have found it conceivable that my concerns about bad health IT and the risks of patient harm it poses, as well as about common healthcare IT project mismanagement, about which I started writing in 1998 (http://cci.drexel.edu/faculty/ssilverstein/cases/), would remain "novel" ideas in the industry in 2013.

The Obamacare healthcare exchange website debacle has made the latter issue mainstream.  The former issues still need more sunlight.

-- SS

Monday, 04 November 2013

What Me Worry? - American Legacy Foundation Executives' Relaxed Response to a $3 Million Plus Fraud

A Washington Post investigation into diversion of money from US not-for-profit organizations provided a striking case study showing the apparently relaxed approach taken by managers to apparent wrongdoing by one of their own. 

Background: the American Legacy Foundation

The Post noted that

The American Legacy Foundation is a revealing case study. While some challenges it faced were uncommon, fraud examiners said many resemble those they see time and again. Legacy was founded as a nonprofit organization in 1999 out of the Master Settlement Agreement that resolved health claims brought against cigarette companies on behalf of the public by authorities in 46 states and the District.

With $50 million in annual expenditures and $1 billion in assets, Legacy is perhaps best known for its edgy anti-tobacco advertising campaign known as 'Truth.'

The Foundation's governance is provided by some top government leaders, including leaders of law enforcement.


Its board includes Idaho Attorney General Lawrence Wasden (R), its chairman; Missouri Gov. Jay Nixon (D), Utah Gov. Gary R. Herbert (R), and Iowa Attorney General Tom Miller (D). Janet Napolitano, the recently departed U.S. secretary of homeland security, served on the board, and Sen. Thomas R. Carper (D-Del.) was Legacy’s founding vice chairman.

Outline of a Diversion

The alleged culprit at Legacy was

Deen Sanwoola, ... a charismatic computer specialist who was Legacy’s sixth hire. He was tasked with building the organization’s information technology department.

No one realized, during Legacy’s frenetic early days, that the department had been formed without adequate financial controls, Legacy officials said. Or that Sanwoola had been placed in charge of both ordering electronic equipment and logging it as having been received — a mix of responsibilities that an outside auditor later described as a classic error that placed Legacy at risk.

So,

After Sanwoola’s arrival in October 1999, Legacy’s IT department began spending freely on computers, monitors and software, much of it purchased from a single company in suburban Maryland, [Legacy President and CEO Cheryl] Healton said.

Thanks to the court settlement, Legacy enjoyed a tremendous flow of cash, with revenue exceeding $320 million. The first questionable purchase came in December 1999, according to a forensic audit conducted years later. 'The fraudulent billing started almost immediately on his arrival,' said [Idaho Attorney General Lawrence] Wasden, the board chairman.

In that first transaction, the foundation paid more than $18,000 for a computer processor and related equipment that auditors concluded should have retailed for less than $7,000.

Data, documents and a summary of findings that Wasden provided to The Post show that questionable purchases of printers, software and servers steadily increased in size and frequency, peaking with 49 charges in 2006. In some instances, Legacy appeared to have paid many times an item’s worth, auditors said. In others, auditors said Legacy paid an inflated price for 'phantom purchases' of equipment that apparently never arrived.

Over years, Sanwoola is thought to have generated as many as 255 invoices for computer equipment sold to the foundation, Legacy officials said; 75 percent of them later were deemed by the foundation to have been fraudulent. 

A Relaxed Response

Sanwoola left Legacy in 2007:

In early 2007, Sanwoola, by then an assistant vice president with a $180,000 compensation package, announced he was leaving. It jolted [Legacy President and CEO Cheryl] Healton, who said she 'begged' him to stay. [Legacy CFO Anthony T.] O’Toole recalled Sanwoola saying that his wife wanted to raise their children in Nigeria and that the move would allow him to help his ailing mother.

But then,

six months later, when an executive at Legacy approached O’Toole and told him he was unable to locate computer equipment listed in the inventory.  O’Toole said he waved away the complaint without bothering to investigate.

'He just pooh-poohed it,' Healton said of O’Toole, who received current and deferred compensation totaling $568,000 in fiscal 2012.

The Post previously noted that

Sanwoola developed close personal ties to Legacy’s chief financial officer, Anthony T. O’Toole.

'Everybody loved Deen,' O’Toole acknowledged.

After a second complaint, managers took a bit more notice,

Three years later, the same employee — Legacy officials describe him as a whistleblower — again raised an alarm. This time, he bypassed O’Toole and took his concerns to a staffer close to Healton.

The response this time was different. Within days, Legacy hired forensic examiners to investigate and Healton notified the board.

One of the outside auditors’ first reactions, Healton recalled, was, 'There’s no way an organization like yours could spend this much on IT.'

Auditors interviewed employees, reviewed invoices and recovered deleted files from a backup computer server in Chicago. Auditors found a template for invoices from the outside supply company, Legacy officials said, as well as computer code that showed the template had been designed and generated by someone using Sanwoola’s log-in.

Officials concluded that of $4.5 million in checks and credit card charges associated with the Maryland IT supply company, $3.4 million had been fraudulent.


 In late 2010 or early 2011,

foundation executives asked Miller, the Iowa attorney general on Legacy’s board, to call the office of the U.S. attorney.

However, despite the fact that it was Legacy's money that had been lost, Legacy managers thereafter seemed to take little interest in the case:

Legacy officials said they had made no attempt to contact Sanwoola, based on a request from federal prosecutors. In a statement for this article, the U.S. Attorney’s Office responded that they had made no such request.

They also were in no hurry to disclose the foundation's loss,

Word that millions of dollars were thought to be missing remained largely within Legacy until it came time in 2011 to file its annual disclosure, a public document signed under penalty of perjury.

The disclosure said that the 'fraud' of more than $250,000 did not 'meet other materiality tests for financial reporting' and that the organization had told its board and law enforcement. It also said Legacy had filed an insurance claim that had been 'successfully settled.' The document did not reveal that the settlement fell far short of the loss.

When first approached by The Post, Legacy general counsel Ellen Vargyas said the organization had no obligation to identify the full estimate of the loss and stressed that more information was in the foundation’s 2012 filing. That filing included a reference to $1.3 million in miscellaneous revenue from an insurance settlement, without saying what it was for.

'I do think it was a full and appropriate disclosure,' Vargyas said.

Legal specialists consulted by The Post disagreed. 'Those suffering a diversion are obligated to report the dollar amount,' said Gary R. Snyder, a charity consultant who tracks fraud.

Federal filing instructions direct nonprofits to 'explain the nature of the diversion, amounts or property involved . . . and pertinent circumstances.' Charity specialists said there is no established penalty for a nonprofit that fails to follow the instructions.

A day after declining to disclose the amount to The Post, Vargyas reconsidered. 'Our best estimate of the full loss comes to this: $3,391,648,' she wrote in an e-mail. She said her initial reluctance to disclose an amount was because Legacy’s number was based on estimates that had 'never been tested in a court of law.

Wasden added that the absence of a total dollar figure in its public filing was the foundation’s way of being restrained in describing its loss, in deference to the then-continuing federal investigation. The U.S. Attorney’s Office stressed, however, that it did not suggest that Legacy play down the size of the loss in its disclosure.

Legacy officials said they were told in March, for the first time, that there would be no charges. The U.S. Attorney’s Office disputed that, saying the FBI informed Legacy in February 2012 that the investigation had been closed because, despite warnings, Legacy had taken more than three years to report the missing computers and lacked reliable records of what it owned.

It appears that there will be no further action in this case.  The statute of limitations has passed for any further criminal or civil actions, according to the Post.  And Mr Sanwoola seems to be comfortably ensconced in Lagos, Nigeria.

Summary

The American Legacy Foundation case showed that a "charismatic" management insider (who finished his career as an assistant vice president with a $180,000 compensation package according to the Post), who had "close personal ties" with the organization's CFO (who "received current and deferred compensation totaling $568,000 in fiscal 2012" according to the Post), was apparently able to embezzle something like $3.4 million dollars, then walk away.  Initial whistleblowing was ignored by the CFO (who received compensation of $729,000 in 2012 according to the Post), apparently delaying any action for three years.  A second complaint to the CEO provoked a response, but not exactly an urgent one.  While law enforcement was notified, there is no evidence that any foundation managers followed up on it, nor did they see fit to disclose much detail about the loss on their watch.  As a result, no one seems to have been held responsible, and only some money was recovered, but from insurance.

Now we understand why these managers made the relatively big bucks.

By the way, the Post article included a link to a database of other diversions of money from non-profit organizations, including many prominent health care organizations (e.g., Memorial Sloan-Kettering Cancer Center, Children's Hospital of Pennsylvania, NYU Hospitals Center, Shands Jacksonville Medical Center, Harvard Medical School Faculty Physicians at Beth Israel Deaconess Hospital, and the Society for Academic Emergency Medicine).  Whether the circumstances of the diversions they suffered were anything like those affecting the ALC is unknown pending further investigation of their disclosures.

Again, the top executives of a non-profit organization are supposed to put the organization's mission ahead of personal gain. Yet in this case, executives seemed more interested in keeping quiet about an apparent fraud by one of their own than in recovering the money or holding anyone accountable.

This is yet another instance of top leaders in health care seeming to be more loyal to the "managers' guild" than to their own organizations, their organizations' missions, or patients' and the public's health in general. A while ago, the chief architect of "managed competition" (and former architect of body counts during the Vietnam War, look here), Alain Enthoven, admitted, but only to a European audience, that he wanted to end the influence of the "physicians' guild," which he blamed for rising health care costs, and turn health care over to managers (look here). That "managers' coup d'etat" seems to have been accomplished. The result, however, is that health care is now led by people who seem sworn only to promote their own interests, while hiring public relations and marketing folks to make it appear otherwise.

While many people debate health care reform in terms of the details of health insurance, true health care reform would restore control of health care to people held accountable for putting patients' and the public's health ahead of their personal enrichment.  

Thursday, 31 October 2013

Daily Blog #130: Detecting Fraud Sunday Funday 10/27/13 Part 3 - SetMace

Hello Reader,
Yesterday we reviewed the timestomp tool and showed how simple MFT analysis can defeat it. Today we are going to go into the newest version of setmace, v1006, which can modify not only the STDINFO timestamps but the FILENAME timestamps as well. I'm not sure how widely known setmace is, but I will tell you that it's very good at what it does, as we'll see in the screenshots below. Prior versions of setmace did some tricks with file moving to reset the FILENAME timestamps, but in version v1006 it modifies the physical disk itself, leaving very few traces of its actions. Setmace will work on NTFS and FAT file systems.

Things to understand

What it does
Setmace accesses the underlying physical disk and modifies the $MFT directly, changing the timestamps you specify (STDINFO, FILENAME or both) or cloning them from another file. Because the write goes to the raw disk rather than through the NTFS driver, no $LogFile or USN Journal entries record these changes.

What it does not do
It does not change the MFT record number or sequence number, and it does not hunt down the other artifacts that still point to the file. That does not mean that future versions couldn't be extended to further obfuscate the original timestamps.

Capabilities by OS


Windows XP
On a Windows XP system setmace can reset timestamps on a file on any volume, as XP's security model did not restrict raw access to the physical disk. Further, since Windows XP does not have a USN Journal enabled by default, the only ways to prove the original timestamps of a file will be through the $LogFile or through shell items pointing to the file.

Windows Vista/7/8
On a Windows Vista/7/8 system setmace cannot access the physical disk beneath a system volume, but it can access the physical disk of non-system volumes. In my virtual environment I created two additional partitions, one from which I ran setmace and the other where I stored the files whose timestamps I reset.

What does it look like?

After setmace runs this is what the STDINFO timestamps look like:

This is what the FILENAME timestamps look like for both the 8.3 and Unicode filenames:

I've used 1-1-1970 here to make it easy to spot that this is a fake timestamp, but notice something: the milliseconds are set. Looking for timestamps whose sub-second field is zero is another standard forensic technique for detecting timestamp modification, because API-level tools such as timestomp take a date and time at whole-second resolution and leave that field empty; setmace writes the full timestamp value, so that check does not fire. In this instance our suspect could set the full timestamp value to any date/time desired or clone a valid file. Scary stuff.

The USN Journal contains no entries for the change, as the timestamp alteration occurred outside the filesystem driver. We do, however, have an entry from the use of the file prior to its timestamp alteration, from which we can gather a last true usage time:

The $Logfile contains the original timestamps of these files from its creation:

However, there is no entry in any of the filesystem journals we normally rely on that would record the fact that a timestamp change occurred; it is up to the analyst to look for indicators.

What indicators are left?

Don't lose hope, this isn't a blank check just yet for undetectable timestamp alteration. We still have several analysis points left that can reveal past true timestamps of this file:

  • Shell Items contain timestamps, compare them to the MFT to determine if MFT creation date is different. Examples of Shell item containers include
    • LNK Files
    • Shell bags
    • Jumplists
    • Other registry keys being identified but that I don't have in front of me :) Sounds like a good post for next week.
  • MFT entry and sequence numbers, is the file outside the range that it should be in to be created at that time? 
  • Registry MRUs
  • System restore points
    • Vista/7/8 - Shadow copies - Compare MFTs
    • XP - Restore Points  - Parse LNK files for shell items
  • Any activity taken place through the filesystem driver prior to the timestamps change will still be in the $logfile and USN
  • Prefetch of the setmace execution
Now, having said this, not every analyst will think of these things. Looking for these kinds of indicators will require additional steps in your process, and it likely won't be the first thing you check for. Setmace will modify timestamps, but it doesn't eliminate any of the IOCs/artifacts you are already looking for.

I am going to be looking deeper into setmace to see what other artifacts of execution exist; I'll follow up on this in a later blog post. Until then get some rest: these anti-forensic tools will only get better, and you will have to get better as well to keep up.



Wednesday, 30 October 2013

Daily Blog #129: Detecting Fraud Sunday Funday 10/27/13 Part 2 - Timestamp changes

Hello Reader,
Yesterday we went through detecting system clock changes on Windows 7; today we are going to talk about timestamp changing using two different utilities, timestomp and setmace. Why two timestamp changing tools? They have two different approaches: timestomp and its variants use a Win32 API call to change timestamps, which lets them adjust STDINFO attribute timestamps but not FILENAME attribute timestamps within the MFT. setmace, on the other hand, can change both, and its use currently cannot be detected by comparing the STDINFO and FILENAME timestamps. Let's get into it. None of the information in this post is new, but I hope to frame it in such a way that it is easy to understand and approach if you don't have a low-level understanding of MFT operations.

Initially I was going to cover both tools in this post, but there are enough details and new gotchas between the two to justify taking the time to split this between two posts. Today we will cover timestomp running through Meterpreter on a compromised XP host.

Timestomp

Timestomp and other timestamp modification programs that work like it use the Win32 API (SetFileTime) to reset the timestamps held in the STDINFO MFT attribute of a file. STDINFO holds the timestamps shown to you within Explorer and most non-forensic file utilities. This method of timestamp modification has a simple detection mechanism that has long been a staple for IR and forensic investigators.

Step 1. Grab the MFT from the file system
Step 2. Parse the MFT (I used our ANJP tool)
Step 3. Compare the STDINFO creation/modification and access times to the FILENAME creation/modification and access times.

If the times in step 3 differ, and especially if a STDINFO time is earlier than its FILENAME counterpart (normal editing only moves STDINFO later), you have a file with a possibly altered timestamp.

Step 4. Validate your assumptions and make sure the file wasn't distributed by a vendor with a bad timestamp.

Here is an example. We created a file called 'test.txt', then used timestomp to reset its timestamps to 0, which in timestomp terms is 1601-01-01; the STDINFO creation dates look as follows:



When you look at the FILENAME attribute of the same file you will find the original timestamps:

So the comparison here is pretty obvious, not only because, without the possibility of time travel, no computer file was created in 1601 (Oh man, time travel forensics!) but also because this file, named:


is user created and not part of a system package or other vendor-delivered weirdness that you can find. In my testing I found a lot of 0-date FILENAME attribute files within the system32 directory, which surprised me.

Let's not stop here though; let's talk about why these things exist. When a file is created in NTFS, the first thing created is a file record. This file record maintains the basic header NTFS needs to reference and find the file. The second thing created is the STDINFO, or standard information, attribute, which contains metadata about the file (MAC timestamps, etc.) but not the name of the file itself. Instead, the name of the file and an additional set of timestamps are kept in a separate attribute called FILENAME.

The first FILENAME attribute will contain the 8.3 version of the file's name (so called because it allows 8 characters in the name and 3 in the extension). If the file name is longer than 8 characters in the name or 3 in the extension, a second FILENAME attribute will be created to store it, along with another set of timestamps. There can be even more FILENAME attributes, but I haven't found any documentation yet that states all the possible mechanisms that generate additional ones. If you have, please leave a comment and let me know.
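As an added example (not the author's ANJP tool or any code from the original post), here is a small Python parser that carries out steps 2 and 3 above on one MFT FILE record: it reads the resident STDINFO and FILENAME attributes, converts the FILETIMEs, and reports each FILENAME attribute whose creation, modification or access time disagrees with STDINFO, marking the case where STDINFO sits at the 1601 epoch described above. It also builds a constructed record inline, with the DOS 8.3 name first and the long Win32 name second as described above, so it runs offline; the names, times and the header fields it fills in (parent reference, sizes, record number) are assumptions, while the attribute offsets follow the published NTFS on-disk format.

```python
"""Compare STDINFO and FILENAME timestamps in an NTFS MFT FILE record.
Added example for this post (not the author's ANJP tool); the record, names and
times below are constructed so the script runs offline."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME 0 == 1601-01-01
ATTR_STDINFO, ATTR_FILENAME, ATTR_END = 0x10, 0x30, 0xFFFFFFFF
NAMESPACES = {0: "POSIX", 1: "Win32", 2: "DOS 8.3", 3: "Win32+DOS"}

def filetime_to_dt(ft):
    """64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    """datetime -> FILETIME, integer arithmetic so the round trip is exact."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def _times(buf, start):
    """Four consecutive FILETIMEs: created, modified, MFT modified, accessed."""
    c, m, mm, a = struct.unpack_from("<QQQQ", buf, start)
    return {"created": filetime_to_dt(c), "modified": filetime_to_dt(m),
            "mft_modified": filetime_to_dt(mm), "accessed": filetime_to_dt(a)}

def parse_record(record):
    """Return (stdinfo_times, [filename attributes]) from one FILE record."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    offset = struct.unpack_from("<H", record, 0x14)[0]  # first attribute offset
    stdinfo, filenames = None, []
    while offset + 8 <= len(record):
        attr_type, attr_len = struct.unpack_from("<II", record, offset)
        if attr_type == ATTR_END or attr_len == 0:
            break
        if record[offset + 8] == 0:  # resident form; STDINFO and FILENAME always are
            content_len, content_off = struct.unpack_from("<IH", record, offset + 0x10)
            content = record[offset + content_off:offset + content_off + content_len]
            if attr_type == ATTR_STDINFO:
                stdinfo = _times(content, 0)
            elif attr_type == ATTR_FILENAME:
                entry = _times(content, 8)  # times follow the 8-byte parent reference
                name_len, namespace = content[0x40], content[0x41]
                entry["name"] = content[0x42:0x42 + 2 * name_len].decode("utf-16-le")
                entry["namespace"] = NAMESPACES.get(namespace, str(namespace))
                filenames.append(entry)
        offset += attr_len
    return stdinfo, filenames

def find_mismatches(record):
    """Step 3: (name, field, stdinfo_time, filename_time, zeroed) for every FILENAME
    C/M/A time that differs from STDINFO; zeroed marks STDINFO at FILETIME 0 (1601)."""
    stdinfo, filenames = parse_record(record)
    findings = []
    for fn in filenames:
        for field in ("created", "modified", "accessed"):
            if stdinfo[field] != fn[field]:
                findings.append((fn["name"], field, stdinfo[field], fn[field],
                                 stdinfo[field] == FILETIME_EPOCH))
    return findings

def _resident_attr(attr_type, content):
    """Resident attribute: 24-byte header, content, padding to 8-byte alignment."""
    total = 0x18 + len(content)
    total += (-total) % 8
    header = struct.pack("<IIBBHHHIHBB", attr_type, total, 0, 0, 0x18, 0, 0,
                         len(content), 0x18, 0, 0)
    return header + content + b"\x00" * (total - 0x18 - len(content))

def _filename_content(name, namespace, times):
    """FILENAME body: parent ref, 4 times, sizes, flags, reparse, name (assumed values)."""
    encoded = name.encode("utf-16-le")
    return (struct.pack("<Q", 5 | (5 << 48))           # parent: root directory, record 5
            + struct.pack("<QQQQ", *times)
            + struct.pack("<QQII", 0, 0, 0x20, 0)       # allocated/real size, ARCHIVE, reparse
            + bytes([len(name), namespace]) + encoded)

def build_record(stdinfo_times, names):
    """Constructed 1024-byte FILE record: one STDINFO, one FILENAME per (name, ns, times)."""
    body = _resident_attr(ATTR_STDINFO, struct.pack("<QQQQ", *stdinfo_times) + b"\x00" * 16)
    for name, namespace, times in names:
        body += _resident_attr(ATTR_FILENAME, _filename_content(name, namespace, times))
    body += struct.pack("<II", ATTR_END, 0)
    first_attr = 0x38  # 48-byte header plus the update-sequence array
    header = b"FILE" + struct.pack("<HHQHHHHIIQHHI", 0x30, 3, 0, 1, 1, first_attr, 1,
                                   first_attr + len(body), 1024, 0, 3, 0, 64)
    return (header.ljust(first_attr, b"\x00") + body).ljust(1024, b"\x00")

REAL = dt_to_filetime(datetime(2013, 10, 28, 14, 5, 0, tzinfo=timezone.utc))  # constructed
REAL_TIMES = (REAL, REAL, REAL, REAL)
# Constructed names: the DOS 8.3 entry first, then the long Win32 name, as the post describes.
NAMES = [("TIMEST~1.TXT", 2, REAL_TIMES), ("timestomped_test.txt", 1, REAL_TIMES)]

def sample_record():
    """Constructed record after a 'reset to 0' run: STDINFO at the 1601 epoch, FILENAME untouched."""
    return build_record((0, 0, 0, 0), NAMES)
```

Running this against a real $MFT means slicing the file into 1024-byte records and calling find_mismatches on each. Step 4 still applies: vendor-shipped files with odd FILENAME times, like the 0-date system32 entries mentioned above, will also show up as mismatches (with STDINFO not zeroed) and need to be checked against a known-good baseline rather than treated as tampering.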

Tomorrow we will show how setmace works and how, using journal forensics, we can overcome what is a very effective method, though one with some limitations on newer platforms.



Tuesday, 29 October 2013

Daily Blog #128: Detecting Fraud Sunday Funday 10/27/13 Part 1 - Time Changes

Hello Reader,
Let's talk about system clock changes, which is one of the areas not covered by this week's Sunday Funday winning answer. Often, when creating fraudulent documents, a suspect will change the date of the system in order to make the document appear to have been generated at an earlier time. If you've done these cases on Windows XP you've probably read Steve Bunting's old blog regarding this, http://www.stevebunting.org/udpd4n6/forensics/timechange.htm. However, the event IDs and sources have changed since XP, and since this challenge focuses on Windows 7 I thought it would be useful to show what clock changes now look like.

Windows 7 has a lot more logging turned on by default; as such, clock time change events are logged. The entry will be found in the 'Security' event log and the source will be 'Microsoft Windows security auditing'. The task category is 'Security State Change' and the Event ID is 4616. Here is an example:


You can see that the event records the previous and new times; in this case my clock was 9 minutes behind and I set it forward. If the clock were changed back, you would see the new time be earlier than the previous time.

If you wanted to quickly determine whether a user had changed the system clock recently, this is the best place to look: quick filter for Event ID 4616. The security log for a workstation on my system goes back two months, and there would be additional copies of it in the shadow copies and possibly in free space, if you can recover event log entries from free space.
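As an added example (not part of the original post), the following Python reads 4616 events exported from the Security log as XML, pulls the PreviousTime and NewTime values from the event data, and computes how far and in which direction the clock moved. The three events are constructed sample data modelled on the 9-minute forward change above, a backward change of several months of the kind a document-backdating case would show, and a one-second correction; the computer name, user and process paths are assumptions, while the provider name, Event ID and the PreviousTime/NewTime field names are those Windows writes for this event.

```python
"""Triage Security log Event ID 4616 (system time changed) records exported as XML.
Added example for this post; the events below are constructed sample data."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

EVT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed export: computer, user and process paths are assumed values.
SAMPLE_EVENTS = r"""<Events>
<!-- 1: the post's scenario, clock 9 minutes behind and set forward by the user -->
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4616</EventID>
    <TimeCreated SystemTime="2013-10-27T15:02:11.482913700Z"/><Channel>Security</Channel>
    <Computer>WIN7-LAB</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">analyst</Data>
    <Data Name="PreviousTime">2013-10-27T14:53:11.482913700Z</Data>
    <Data Name="NewTime">2013-10-27T15:02:11.482913700Z</Data>
    <Data Name="ProcessName">C:\Windows\System32\rundll32.exe</Data>
  </EventData>
</Event>
<!-- 2: clock set back to June so a document saved afterwards carries an older date -->
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4616</EventID>
    <TimeCreated SystemTime="2013-10-27T15:10:42.000000000Z"/><Channel>Security</Channel>
    <Computer>WIN7-LAB</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">analyst</Data>
    <Data Name="PreviousTime">2013-10-27T15:10:42.000000000Z</Data>
    <Data Name="NewTime">2013-06-03T09:15:00.000000000Z</Data>
    <Data Name="ProcessName">C:\Windows\System32\rundll32.exe</Data>
  </EventData>
</Event>
<!-- 3: a small time-service correction, the usual benign source of 4616 -->
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4616</EventID>
    <TimeCreated SystemTime="2013-10-27T15:11:01.250000000Z"/><Channel>Security</Channel>
    <Computer>WIN7-LAB</Computer></System>
  <EventData>
    <Data Name="SubjectUserName">LOCAL SERVICE</Data>
    <Data Name="PreviousTime">2013-10-27T15:11:00.000000000Z</Data>
    <Data Name="NewTime">2013-10-27T15:11:01.250000000Z</Data>
    <Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
  </EventData>
</Event>
</Events>"""

def parse_systemtime(text):
    """Parse Windows' UTC timestamps (up to 7 fractional digits), keeping microseconds."""
    base, _, frac = text.rstrip("Z").partition(".")
    micro = int((frac + "000000")[:6]) if frac else 0
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(
        microsecond=micro, tzinfo=timezone.utc)

def extract_time_changes(xml_text):
    """One dict per 4616 event: who/what changed the clock, from what, to what, by how much."""
    changes = []
    for ev in ET.fromstring(xml_text).findall("e:Event", EVT_NS):
        if ev.findtext("e:System/e:EventID", namespaces=EVT_NS) != "4616":
            continue  # ignore other Security events in the same export
        data = {d.get("Name"): d.text for d in ev.findall("e:EventData/e:Data", EVT_NS)}
        previous, new = parse_systemtime(data["PreviousTime"]), parse_systemtime(data["NewTime"])
        changes.append({
            "logged_at": parse_systemtime(ev.find("e:System/e:TimeCreated", EVT_NS).get("SystemTime")),
            "user": data.get("SubjectUserName"),
            "process": data.get("ProcessName"),
            "previous": previous,
            "new": new,
            "delta": new - previous,        # negative when the clock was set back
            "backward": new < previous,
        })
    return changes

def suspicious_changes(changes, threshold=timedelta(minutes=1)):
    """Keep changes larger than threshold in either direction; time-service
    corrections are usually well under a minute, a manual reset rarely is."""
    return [c for c in changes if abs(c["delta"]) > threshold]
```

A backward change followed by a forward one of similar size brackets the window in which any "old" document was really written, so keep the delta sign and the TimeCreated value together when building the timeline. The threshold is a triage aid, not proof: a one-second correction from the time service is expected, while a large jump made by an interactive user's process is what the fraud cases described above look like.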

So that is a pretty simple way to detect when the system clock for the entire system is changed; pretty easy, huh? Tomorrow we will go into individual files' timestamps being altered.

Tuesday, 17 September 2013

UnitedHealth's Latest Blunders Include Lax Fraud Detection, Recalled EHRs - So Why is its CEO Worth $13.9 Million, or is it $34.7 Million?

We managed to go four months since our last post about UnitedHealth, but sure enough, the company that keeps on giving... examples of poor management to contrast with ridiculous management pay... has done so again.

There were two obvious examples of poor management that recently appeared in the media.

Lax Fraud Detection

The background, as noted in a Kaiser Health News article published in September, is that it is now fashionable for American states to outsource some or most of their Medicaid health insurance programs to managed care organizations, often for-profit, as is UnitedHealth.  These programs are meant to provide insurance to the poor and disabled.  Yet once they have outsourced Medicaid, the states may be reluctant to cancel contracts, even if the outsourcing is not working:

 In Florida, a national managed care company’s former top executives were convicted in a scheme to rip off Medicaid. In Illinois, a state official concluded two Medicaid plans were providing 'abysmal' care. In Ohio, a nonprofit paid millions to settle civil fraud allegations that it failed to screen special needs children and faked data.

Despite these problems, state health agencies in these - and other states - continued to contract with the plans to provide services to patients on Medicaid, the federal-state program for the poor and disabled.

Health care experts say that’s because states are reluctant to drop Medicaid plans out of fear of leaving patients in a bind.

'You probably won’t find many examples of states flat out pulling the plug. That’s sort of the nuclear option,' said James Verdier, a senior fellow at Mathematica Policy Research, a nonpartisan think tank. 
Never mind that leaving such programs as is means taking money meant to finance care for the poor and using it to finance fraud, and reward managed care organizations for failing to find fraud.

One of the examples, but not a new one, used in the Kaiser Health News article, involved UnitedHealth:


Linda Edwards Gockel, spokeswoman for the Texas Health and Human Services Commission, said that in 2009, officials were concerned about a pilot program in the Dallas-Fort Worth area run by Evercare, a subsidiary of UnitedHealth Group. The program, which coordinated care and long-term services for elderly and disabled people, had been fined more than $600,000 for not providing proper access to care and failing to coordinate services.

Gockel said Texas decided to cancel the contract 15 months early, but continued to do business with Evercare because the problems in Dallas-Fort Worth weren’t affecting services it was providing elsewhere.

Then in July, NJ.com reported an investigation by the state of New Jersey into UnitedHealth's ability, or lack thereof, to detect fraud in the Medicaid managed care program it runs for the state.

 An HMO that earned $1.7 billion from 2009 to 2010 by providing Medicaid coverage to 350,000 low-income and disabled New Jerseyans didn't try very hard to detect fraudulent billing — identifying only $1.6 million, or one-tenth of one percent in improper payouts, according to a report the Office of the State Comptroller released today.

UnitedHealth did not even come close to fulfilling its obligations to provide sufficient resources to fight fraud:


The HMOs in the Medicaid program are required to dedicate one investigator for every 60,000 Medicaid clients. At that ratio, United's special investigations unit should have been comprised of about six employees whose sole focus is to detect fraud and abuse by medical providers and patients.

Instead, United reported it had dedicated the equivalent of two investigators during the two-year study period based on the amount of hours devoted to the unit. Upon scrutiny, the comptroller found United 'overstated' its staffing levels; the unit had one investigator, the report said. 

Note that this abject failure appeared to violate the contract UnitedHealth had with the state,

UnitedHealthcare Community Plan of New Jersey failed to hire enough investigators and train them properly, in violation of the managed care company's contract with the state, according to the report. 

Presumably, if fraud led to excess program expenses, it would be New Jersey, not UnitedHealth, that ultimately had to pay them.  Again, it appears that money meant to pay for health care for the poor and disabled was diverted to fraudsters, and to revenue for UnitedHealth (partly because the latter did not see fit to spend enough money up front to detect the fraud).  Of course, such management by UnitedHealth helped to increase its already fat revenue stream.

Faulty Electronic Health Records

In September, Bloomberg reported that UnitedHealth had to recall electronic health record software because of faults that likely increased the risk of bad patient outcomes,

UnitedHealth Group Inc has recalled software used in hospital emergency departments in more than 20 states because of an error that caused doctor’s notes about patient prescriptions to drop out of their files.

Certain versions of the software made by the largest U.S. health insurer had a bug that didn’t print information related to the medication and failed to add data to patients’ charts, according to a document filed with the U.S. Food and Drug Administration and posted July 29.

The technology is used in 35 facilities in states including California, New Jersey, and Florida, the document shows. The recall began June 21. There were no reports of patient harm and each facility was notified and received a digital fix, said Kyle Christensen, a spokesman for the UnitedHealth division that makes the Picis ED PulseCheck software that was recalled.

The incident shows how software errors can create dangers for patients at a time when digital health records are being implemented as a cornerstone of President Barack Obama's modernization of the nation’s health-care system.

The "bug" could potentially harm patients,

 Doctor’s notes are critical for some medications, as they contain directions about diet and use. Failure to include the instructions could lead to serious injury or death, [University of Pennsylvania adjunct professor of sociology and medicine Ross] Koppel said.

It turns out that the Picis software has had other problems that could have increased the risk of harm to patients,


An online database maintained by the FDA shows that Picis Inc., a Wakefield, Massachusetts-based company that UnitedHealth acquired in 2010 for an undisclosed price, has reported six recalls involving electronic health record software since 2009.

One incident in 2011 involved anesthesia-management software sold nationwide that in one instance displayed a patient’s medical information in another patient’s file. Another involved software sold worldwide where on an unspecified number of occasions, the program failed to display the discontinued status on medication orders. Others included glitches that caused a failure to display appropriate allergy interaction warnings, the freezing of administrative controls, and other issues.

Note that it is the same Picis software that our blogger, InformaticsMD, has alleged led to the death of his mother,


Alleged flaws in electronic health records have led to lawsuits. Scot Silverstein, a doctor and health-care informatics professor at  Drexel University, sued Abington Memorial Hospital in Pennsylvania in 2011 over the death that year of his 84-year-old mother. He blamed her death on a flaw in her electronic health record that he claims caused a critical heart medication to vanish from her file. One of the systems involved was made by Picis, according to his lawsuit. Picis is not being sued.

Linda Millevoi, a spokeswoman for Abington Memorial, declined to comment.

The latest InformaticsMD posts on this case are here and here.

Summary

These cases are just the latest in a long list of blunders and ethical missteps made by UnitedHealth and its top management.  The most significant examples of the latter about which we have posted appear in the appendix at the end.  The latest examples likely diverted money that should have supported health care for the poor, and may have put patients' health and lives at risk.

Yet UnitedHealth is now the largest US health insurance company, and it has succeeded in making its current and former CEO fabulously wealthy.  According to filings with the US Securities and Exchange Commission (SEC), its current CEO, Stephen J Hemsley, got $13.9 million in 2012, up from $13.4 million in 2011, as we posted here.  However, an analysis by the Minneapolis Star-Tribune that took into account stock gains and shares vesting suggested he got $34,721,122 in 2012, admittedly down from a breathtaking $48,075,614 in 2011.

The previous UnitedHealth CEO once was worth over a billion dollars due to backdated stock options, some of which he had to give back, but despite all the resulting legal actions, was still the ninth best paid CEO in the US for the first decade of the 21st century (look here).

So UnitedHealth continues to provide us with examples of how top leaders of health care organizations can become tremendously rich despite, or perhaps because of, repeated mismanagement and apparently unethical management on their watches.  Only when we make health care leaders truly accountable for their organizations, and especially for their organizations' ethics and effects on patients' and the public's health, will we begin to challenge health care dysfunction.

(Note to readers recently joining us from countries other than the US - UnitedHealth is a multi-national that claims to operate in 33 countries (look here).  For example, its UK web-site is here.  So beware the export of bad management for enhanced prices.) 

 
Appendix - UnitedHealth's Ethical Lapses

- As reported by the Hartford Courant, "UnitedHealth Group Inc., the largest U.S. health insurer, will refund $50 million to small businesses that New York state officials said were overcharged in 2006."
- UnitedHealth promised its investors it would continue to raise premiums, even if that priced increasing numbers of people out of its policies (see post here);
- UnitedHealth's acquisition of Pacificare in California allegedly led to a "meltdown" of its claims-paying mechanisms (see post here);
- UnitedHealth's acquisition of Sierra Health Services allegedly gave it a monopoly in Utah, while the company allegedly was transferring much of its revenue out of the state of Rhode Island, rather than using it to pay claims (see post here);
- UnitedHealth frequently violated Nebraska insurance laws (see post here);
- UnitedHealth settled charges that its Ingenix subsidiary's manipulation of data led to underpaying patients who received out-of-network care (see post here);
- UnitedHealth was accused of hiding the fact that the physicians it is now employing through its Optum subsidiary in fact work for a for-profit company, not directly for their patients (see post here).

Tuesday, 28 May 2013

Ghosts in the Criminal Machine - How a Drug Company Can Plead Guilty to Federal Fraud, Yet No One is Held Responsible

We have often discussed how leaders of health care organizations have become increasingly unaccountable for their actions.  A recent, slightly obscure story shows how a corporate admission of guilt to a felony can be used to prevent anyone, including anyone in corporate management, from being held responsible for that fraud.

Basics of the Settlement

The case was that of ISTA Pharmaceuticals.  The basics appeared in brief wire service articles, like this one from Reuters (via Fox News):


Ista Pharmaceuticals pleaded guilty on Friday to charges it used kickbacks and improper marketing to boost sales of a drug meant to treat eye pain and agreed to pay $33.5 million to settle criminal and civil liability, the U.S. Department of Justice said.

The unit of eye care company Bausch & Lomb pleaded guilty to conspiracy to offer kickbacks to induce physicians to prescribe Xibrom, a drug meant to treat pain after cataract surgery, and conspiracy to promote that drug for unapproved uses, including after Lasik and glaucoma surgeries.

Ista agreed as part of a criminal settlement to a $16.63 million fine and a $1.85 million asset forfeiture. It also agreed to a $15 million civil settlement to resolve allegations that its marketing of Xibrom caused false claims to be submitted to government health care programs.

Kickbacks Disguised as Honoraria and Consulting Fees

Note that unlike many such legal settlements involving large health care organizations, this one involved admissions of guilt to felonious criminal offenses.  The severity of the charges apparently arose out of the egregious conduct of company executives.  Colorful details were supplied by the Buffalo (NY) News:

ISTA, which is based in California, admitted using kickbacks to doctors and an illegal marketing campaign as part of an elaborate scheme to increase its sales of Xibrom.

The scheme, outlined in detail in newly released court papers, ranged from company-provided instruction sheets for doctors to continuing medical education programs to promote the drug.

In many cases, ISTA employees were told not to leave printed materials behind in doctors’ offices or to keep records of their meetings with doctors in order to avoid detection by others.

The company went so far as to offer speaking engagements and consulting appearances to doctors in hopes that they might use Xibrom for non-authorized treatments.

Doctors can legally prescribe drugs for non-FDA approved treatments, but drugmakers are prohibited from promoting their products for those uses.

'Essentially they entered into consulting arrangements to induce physicians to prescribe their drug,' said Jeffrey I. Steger, a lawyer in the Consumer Protection Branch of the U.S. Department of Justice.

When [US District Judge Richard J] Arcara asked if money was the doctors’ motivation, Steger said yes.

'Thousands of dollars,' he told the judge.

So here we have a company admitting that it bribed doctors to prescribe its drug, and its techniques of administering bribes included paying the doctors honoraria to give talks, and paying the doctors as consultants.  As an aside, note that many defenders of "collaboration" among doctors and industry sing the praises of doctors "consulting" for industry, and often see nothing wrong with industry paying doctors for "educational" speeches.  Yet here is more evidence that such paid talks and consulting assignments may be nothing more than marketing, and at times are merely disguised bribery.

An Apparently Tough Penalty

An unusual feature of this settlement was that (per Reuters):

As part of the settlement, Ista will be barred from participating in Medicare and Medicaid,...


That would appear to be the death knell for the company, as reported by Reuters,

Bausch & Lomb, which is based in Rochester, New York, said it was pleased to settle the matter, which involved conduct between January 2006 and March 2011, and that it knew of the government probe well before it purchased Ista.

That purchase closed in June 2012 and Bausch and Lomb plans to wind down the Ista corporate entity by year end.

So Bausch and Lomb bought a company that turned out to be valueless?  But wait,...  there's a trick. 

As detailed in FiercePharma,

 ISTA will be barred from doing business with Medicare, Medicaid, et al, for 15 years. Luckily for Bausch + Lomb, however, it bought ISTA in June 2012,  late enough in the game to actually escape the ramifications of exclusion. The exclusion won't begin until 6 months after the settlement date, giving Bausch + Lomb time to transfer ISTA's products out of that subsidiary and shift the drugs over to the Bausch + Lomb label.

A Crime Committed by... No One?

So Bausch and Lomb gets ISTA's drugs, can essentially resolve the company's felony convictions with relatively small fines, and, through management sleight of hand, can finesse ISTA's disbarment from federal programs.  This will occur despite admissions that someone within ISTA, presumably within ISTA management, perhaps high up in ISTA management, per FiercePharma,

instructed reps to avoid leaving a paper trail of their off-label discussions with doctors. Prosecutors had enough evidence of this to persuade ISTA to plead guilty to a felony fraud charge. 'These instructions were given in order to avoid having their conduct relating to unapproved new uses being detected by others,' the Justice Department said. 'ISTA agreed that this conduct represented an intent to defraud under the law.'

So felony fraud was committed, but no person apparently committed it.  It was as if a ghost committed the crime.
 
Not only was the crime apparently committed by nobody; the corporation within which it was committed also becomes obscure.  ISTA became responsible, but because ISTA was bought out by Bausch and Lomb, the more severe penalty directed against ISTA will be meaningless.
 
Should Bausch and Lomb be responsible?  Of course, they claim they should not.  As reported by Bloomberg, 
 
 Rochester, New York-based Bausch & Lomb said the actions occurred 'well before' it acquired Ista in 2012. 

'Bausch & Lomb is committed to earning trust in everything that we do and is pleased to have resolved this pre-acquisition issue,' Bob Bailey, a Bausch & Lomb spokesman, said in a statement. 

In fact, The Hill reported that the bad behavior took place from 2005 to 2010: 

But consider that while ISTA recently became part of Bausch and Lomb, since 2007 Bausch and Lomb has been wholly owned by private equity firm Warburg Pincus.  In fact, as we discussed in 2009, some people suspected that this maneuver would have allowed Bausch and Lomb to settle multiple suits alleging that its products were faulty and dangerous out of the public eye.  So while ISTA is now really Bausch and Lomb, which is now really Warburg Pincus, no one in the management of ISTA, Bausch and Lomb, or Warburg Pincus apparently will be held responsible for criminal fraud and kickbacks to doctors, even though guilty pleas for these felonies have been made.  So somehow we have admissions that crimes were committed, crimes that compromised the integrity of doctors and exposed patients to needless side effects, yet these crimes were apparently committed by ... nobody, by a ghost, and even the machine that ghost was in - was it ISTA, Bausch and Lomb, or Warburg Pincus? - becomes a mystery.  Where is Sherlock Holmes when we need him most?

Summary

This case thus becomes a really striking example of the impunity of health care corporate managers.  They can commit crimes, even felonies, yet the company, but no human beings, is held responsible.  But the company being a company, it cannot go to jail.  And through the magic of obfuscatory corporate take-overs, which company is guilty is not even apparent. 

As we have said ad infinitum,

 We will not deter unethical behavior by health care organizations until the people who authorize, direct or implement bad behavior fear some meaningfully negative consequences. Real health care reform needs to make health care leaders accountable, and especially accountable for the bad behavior that helped make them rich.

Sunday, 05 May 2013

AMA says EHRs create 'appalling Catch-22' for docs - And just how many experts does it take to screw in a light bulb, anyway?

(NOTE:  this post, being about minor matters like death and financial mayhem, is particularly and unusually [even for me] biting and lacking in euphemisms and political correctness.  If you are easily offended and want the latter, and/or believe we all need to be 'nice' about banal issues like patient injury and death, fraud, and other minor matters, click here:  http://www.disney.com and skip the post below.)

You were warned.

---------------------------------------

At some point, so-called EHR "experts" and pundits need to stop being accommodated for their having ignored years of warnings, complaints, "anecdotes" -a particularly egregious term that comes from those who don't understand risk management, especially academics of the echo chamber-egghead subspecies (link) - and other signs that health IT is not a beneficent, omniscient gift from the Lords of Kobol. (The latter is a pun on the business-IT programming language Cobol, of course.)

Instead, they simply need to be ridiculed for being stupid.

I will do so:  folks, you have been, and remain, stupid:


The Bovine Stare of Incomprehension

The Bovine Stare of Incomprehension describes the reactions I've gotten over the years to many warnings about health IT.  It was like talking to a cow.

So now there's this:

AMA says EHRs create 'appalling Catch-22' for docs
May 03, 2013 | Tom Sullivan, Editor

As the healthcare industry moves to EHRs, the medical record has essentially been reduced to a tool for billing, compliance, and litigation that also has a sustained negative impact on doctors' productivity, according to Steven J. Stack, MD, chair of the American Medical Association’s board of trustees.

Gee, they're only realizing and complaining about that - now?  In 2013?

“Documenting a full clinical encounter in an EHR is pure torment,” Stack said during the CMS Listening Session: Billing and Coding with Electronic Health Records on Friday.

(What, the "pure torment" in such a mission-critical function only started with the most recent patches installed last month on the nation's EHRs?  EHRs were just dandy until then?)

It's nice to know in May 2013 that “documenting a full clinical encounter [essential to avoid injurious and even lethal mistakes, I anecdotally note - ed.] in an EHR is "pure torment”, several years into an accelerated "National Program for HIT in the HHS" costing hundreds of billions of dollars.

I guess sites like this blog, this site extant since 1998, and other materials written over the years by backwards stubborn health IT iconoclast fear-mongering Luddites were beyond the comprehension level of - those now proffering the exact same pronouncements.

EHRs are also driving the industry toward charts that look remarkably similar because they’re based on templates created by the technology vendors — that includes often using the same words. And that threatens to make doctors appear to be committing fraud by the practice of record cloning, or cutting and pasting from one record to another, when they are not, in fact, acting fraudulently.

I guess putting patients in mortal danger from note cloning (and to those too stupid to understand why that is, get off your rear end and look it up, I'm not going to spoon-feed you) is a step better than acting fraudulently...

Alongside the federal mandate to implement an EHR under threat of a monetary fine, that creates what Stack called “an appalling Catch-22 for physicians.”

Put another way: The government mandates that doctors use an EHR, the EHR vendors’ templates can sometimes create an appearance of fraud and that, in turn, opens the door for payers to decline reimbursement or, even worse, the government to prosecute doctors for the crime.

I guess actual fraud is just anecdotal.

As dire as that sounds, it's an exception that belies the unproven perception that EHRs perpetuate fraud. “Upcoding does not necessarily equate to fraud and abuse,” said Sue Bowman, AHIMA’s senior director of coding and compliance at the same event. “This is an area where more study is needed. We really need to know the causes. Further research is needed on the fraud risk of using EHRs.”

Sure, let's study while rolling this stuff out as frantically as we can.  We'll fix it later -- and Jesus, I guess, will heal and reanimate any patients actually harmed by the technology (link to ECRI Institute Deep Dive Study: 36 hospitals!  Nine weeks!  171 health information technology-related problems voluntarily reported!  Eight injuries!  Three possible deaths!  All mere "anecdotes", of course).

Indeed, Jacob Reider, MD, CMO of ONC, explained that the government and industry do not have good data right now proving whether or not EHRs trigger fraud and abuse.

Per the IOM, the same industry does not have good data on harms levels.  (The previous link to a recent small ECRI "Deep Dive" study's probably the most robust we've got on that score, and the figures are not encouraging).

So - let's review -
  • poor data on harms, 
  • poor data on benefits, 
  • poor data on fraud and abuse.

 The logical, ethical course of action thus is:

D'OH!  LET'S ROLL THE TECHNOLOGY OUT AS FAST AS WE CAN, AND PENALIZE NON-ADOPTERS BESIDES!



See how simple logic, ethics and clear thinking can be?

“There is concern that some doctors are using the EHR to obtain payments to which they are not entitled,” said Mickey McGlynn of Siemens Medical Solutions and HIMSS EHR Association. “Any fraud is an important issue and we, as the vendor community, take that very seriously.”

Only after independent whistleblower investigations by Fred Schulte of the Center for Public Integrity ("Cracking the Codes"), and by New York Times reporters Reed Abelson and Julie Creswell, that is...

AMA’s Stack offered a triptych of suggestions to CMS and ONC: address EHR usability concerns, provide guidance on EHR use for coding and billing, and make meaningful use stage 2 more flexible for providers.

“My purpose is not to denigrate EHRs,” Stack said, explaining that he believes CMS and ONC are genuinely trying to better the current situation.

Nice to have Caspar Milquetoast  on the side of EHR criticism.

Knock knock, anyone home, McFly?


Today's EHR systems, for the aforementioned reasons above and more, deserve denigration for patients' sake.

There are efforts underway, within the government and industry, to more comprehensively understand the unintended consequences of EHR implementation.

But let's keep rollin' em out, anyway.  Wheeee!  What fun!

Class action attorneys, are you listening?

-- SS

Tuesday, 06 November 2012

"Phony Consulting and Royalty Agreements," "Chocolate" Bribes, a Sales Representative Doubling as a Stripper, Oh My - Three Settlements for Orthofix

On this US election day, we seem to be in a mini-squall of cases involving unethical, deceptive, and now very colorful marketing practices used to push drugs and devices. 

We recently discussed a settlement of allegations of deceptive marketing practices and kickbacks by pharmaceutical company Boehringer-Ingelheim (here), a US congressional report alleging deceptive influence by Medtronic marketers over ostensibly scholarly publications (here), and a study of documents released after litigation that appear to show how Pfizer had a systemic marketing campaign that used controlled trials as deceptive marketing vehicles (here).

Now three separate settlements by device/ biotechnology company Orthofix have come to light.

Settlement 1 - "Phony Consulting and Royalty Agreements," and Prostitution as Kickbacks, and a Sales Representative as Stripper

A Bloomberg article outlined Orthofix's two latest settlements.  The newest seems the most audacious, or bodacious,

Orthofix International NV, (OFIX) a maker of spinal implants, agreed to pay the U.S. $30 million to settle claims that a subsidiary paid illegal kickbacks and provided prostitutes to doctors in return for orders.

The subsidiary, Blackstone Medical Inc., paid kickbacks to spinal surgeons in the form of phony consulting and royalty agreements, and travel and entertainment to entice them to use its products, the U.S. Justice Department said in a statement today.

This case adds to the mounting pile of evidence that many of the financial relationships among physicians and health care academics and drug, device, biotechnology and other health care corporations are not merely conflicts of interest incidental to innovation.  In particular, Bloomberg reported,

[Whistle blower Susan] Hutcheson alleged that officials of Blackstone, purchased by Orthofix in 2006, violated kickback and false-claim laws by setting up a system to compensate doctors under sham consulting agreements and phony research grants, according to court filings. The sales executive said the company also offered lavish travel opportunities to doctors who implanted its products, the filing said.

Some doctors were paid as much as $8,000 a month under the fictitious consulting agreements, Hutcheson said in her suit, filed in federal court in Massachusetts. Orthofix’s U.S. unit is based in Lewisville, Texas. Some also received phony research grants for as much as $18,000, the suit added.

Then there was this colorful detail,

Blackstone salespeople also were urged to take surgeons out for expensive dinners, escort them to strip clubs and pay for liaisons with prostitutes to get their business, Hutcheson said in the suit.

One female sales manager in Dallas agreed to disrobe and join strippers on stage at the request of two surgeons to whom she was pitching the company’s products, Hutcheson said in her suit. The sales manager was demoted, not fired, over the incident, Hutcheson said in the suit.

We often hear from drug, device, and biotechnology companies that their sales efforts are all about providing needed information to physicians, information they could not otherwise obtain.  In this case, the information appeared to be rather anatomical, but also rather personal.

The AP coverage of this story (here, via Businessweek) also noted that the settlement involved a corporate integrity agreement.  Neither story mentioned any admissions made by the company.  As far as I could tell, no corporate executives suffered any consequences as part of this settlement.

Settlement 2 - Fraud, Obstructing the US Government, and Less Colorful Kickbacks to Promote Bone Growth Stimulators

The article did not provide any helpful photographs, but it did note that Orthofix recently made a second settlement.

The settlement’s approval comes after Orthofix officials agreed to pay $42 million to resolve a separate whistle-blower suit and a criminal probe of allegations it paid kickbacks to doctors who used its bone-growth stimulators.

One of its units will plead guilty in federal court in Boston to a single felony count of obstructing a U.S. government audit and pay a $7.8 million fine, according to a June 7 regulatory filing. Orthofix also will pay $34.2 million to resolve whistle-blower claims that the company defrauded the federal Medicare program over bone-growth stimulators, which patients wear after surgery to speed healing.

Amazingly, unlike the first settlement, and unlike most settlements we have discussed,

Five Orthofix employees have pleaded guilty to criminal charges in connection with probes of the kickback allegations. Thomas Guerrieri, an Orthofix vice president, pleaded guilty in April to violating the federal anti-kickback statute by setting up fake consulting agreements for doctors who used the company’s products.

Note that we discussed a surgeon who pleaded guilty to accepting kickbacks from multiple device companies, including the Blackstone subsidiary of Orthofix, here in 2008.

Settlement 3 - "Chocolate" Bribes to Mexican Government Officials

Finally, the AP story noted in passing "the recent resolution of a federal Foreign Corrupt Practices action" against the company.  I could not find any news coverage of that, but in July there did appear an SEC press release.

The Securities and Exchange Commission today charged Texas-based medical device company Orthofix International N.V. with violating the Foreign Corrupt Practices Act (FCPA) when a subsidiary paid routine bribes referred to as 'chocolates' to Mexican officials in order to obtain lucrative sales contracts with government hospitals.

The SEC alleges that Orthofix’s Mexican subsidiary Promeca S.A. de C.V. bribed officials at Mexico’s government-owned health care and social services institution Instituto Mexicano del Seguro Social (IMSS). The 'chocolates' came in the form of cash, laptop computers, televisions, and appliances that were provided directly to Mexican government officials or indirectly through front companies that the officials owned. The bribery scheme lasted for several years and yielded nearly $5 million in illegal profits for the Orthofix subsidiary.


Orthofix agreed to pay $5.2 million to settle the SEC's charges.
Also,

Orthofix also disclosed today in an 8-K filing that it has reached an agreement with the U.S. Department of Justice to pay a $2.22 million penalty in a related action.

Summary

So the box score here includes settlements of legal actions alleging bribery and kickbacks, a corporate integrity agreement, a guilty plea by a company subsidiary to obstructing the US government, and multiple guilty pleas by company executives.  The bribes and kickbacks were provided in various colorful forms.  

The variety of unethical behaviors unearthed suggests a company with a seriously deranged corporate culture.  Whether the various actions taken against it, including the very unusual punishments meted out to some of its apparently mid-level executives, will change its behavior, or serve as a lesson to other companies and their leaders, is not clear.  Whether they are sufficient to suggest anyone should trust this company, its leaders, or its products seems questionable.

This story adds to our various compilations of legal settlements and tales of crime, including bribery, kickbacks and fraud involving major health care organizations, which suggest serious, deep afflictions within the culture of our commercialized health care system.  Yet almost nowhere, except here on Health Care Renewal, are there calls for serious reforms to restore trust in our health care organizations and their leaders.

As we have said endlessly, up to now, such legal settlements seemingly have had no effect on the bad behavior of big health care organizations, while they continually erode trust in these organizations and their leadership, and trust in physicians to put patients ahead of personal gain.

Furthermore, these cases seem to be part of a larger social problem. It seems that nowadays the leadership of large, powerful organizations feels free to promote their own interests using psychologically sophisticated but deceptive marketing and public relations strategies no matter what their effect on the public welfare.

Again as we have said all too many times before, we will not deter unethical behavior by health care organizations until the people who authorize, direct or implement bad behavior fear some meaningfully negative consequences. Real health care reform needs to make health care leaders accountable, and especially accountable for the bad behavior that helped make them rich.

Maybe after all the election hoopla dies down here in the US, we can finally have a serious conversation about health care reform that will make our health care system more trustworthy. 

Wednesday, 31 October 2012

Just Another Day at the Office: Boehringer Ingelheim Settles Allegations of Deceptive Off-Label Marketing, Kickbacks

Legal settlements by pharmaceutical companies for less than $100 million now seem to barely rate as news in the US. The best report, albeit short, of a settlement by Boehringer Ingelheim for a mere $95 million, seems to be in the Hartford (CT) Courant. The summary was:
Boehringer Ingelheim, a German company with U.S. headquarters in Ridgefield, has agreed to pay $95 million to settle allegations that it promoted four drugs for uses unsupported by research, and that it paid kickbacks to doctors to prescribe the drugs, the U.S. Department of Justice has announced.
It included most of the usual elements.

Off Label Marketing
Two of the drugs in the case are for treating chronic bronchitis and emphysema, and were suggested for children with asthma and coughs from the flu. The drugs had not been tested on children.
'I was concerned that doctors were basing their treatment decisions on false information,' [former Boehringer Ingelheim pharmaceutical representative and whistle blower Ron] Heiden said in the released statement. 'Promoting off-label treatments with potential serious consequences just to increase sales is heinous behavior.'
I note parenthetically that some industry apologists belittle the possible harms of truthful off-label marketing (e.g., look here).  However, at least in this case, the marketing was alleged to be based on falsehoods. 

Furthermore, some industry apologists may also decry the regulation of off-label marketing as a violation of the US Constitutional guarantees of freedom from government infringement on individual free speech.  Note, however, that Boehringer Ingelheim in this case got exclusive rights to market these drugs for many years from the government.  In exchange for these rights, the law restricted their right to market the drugs to approved indications.  

Promotion Beyond the Evidence
The company told doctors Aggrenox was better than Plavix to reduce the risk of heart attacks, but there was no evidence to support that claim, the Justice Department said. The drug had FDA approval to prevent secondary strokes.
Again, the truthfulness of the premises underlying the marketing apparently was questionable, to use charitable phrasing.  

Kickbacks to Physicians

This information came from the AP version of the story, here via the Washington Post:
the settlement resolved allegations that Boehringer Ingelheim paid kickbacks to health care professionals to induce them to prescribe all four of the drugs. These kickbacks included payments for participating in advisory boards, speakers’ training programs, speaker programs and consultant programs.
Note further that apologists for industry also belittle the importance of the effects of conflicts of interest on health care (e.g., look here).  In this case, activities that are often referred to as species of conflicts of interest, e.g., advisory board membership, speakers board membership, and consulting, apparently were meant as vehicles for payments to induce prescribing.  That is, what some might have called conflicts of interest were allegedly kickbacks, or bribes.  As we have discussed before, it is one thing to be paid for legitimate clinical, educational, or scientific activity when such payments might influence professional, educational, or scientific judgments or activities about other matters.  It is entirely another thing to be paid a kickback to favor a drug company's marketing campaign instead of making decisions that put patients first.

A Corporate Integrity Agreement

[From the Hartford Courant]

Also as part of the settlement, Boehringer agreed to enter into an expansive Corporate Integrity Agreement to avoid such marketing in the future.

We have noted before that such agreements do not seem to deter future bad behavior (e.g., look here).

No Admission of Wrongdoing by the Company

[from the AP]

'The pharmaceutical industry as a whole has undergone significant changes over the past decade and continues to be under intense scrutiny,' said Greg Behar, president and chief executive officer of Boehringer Ingelheim. 'Likewise, our internal processes and compliance practices have evolved significantly over the years.' The company said it has been cooperating with the government investigation.
Again, if there is no acknowledgement by the company that it did wrong, do we expect it not to do wrong in the future?

Summary

Here was yet another legal settlement that documents the pervasiveness of the influence of marketing and public relations over physicians' professional responsibilities.  This is just one of several recent posts (e.g., here and here) about the malevolent influence of deceptive marketing or public relations on the evidence that health care professionals should be using to make the best possible decisions for individual patients.

Such legal settlements seemingly have had no effect on the bad behavior of big health care organizations, while they continually erode trust in these organizations and their leadership, and trust in physicians to put patients ahead of personal gain. 

Furthermore, these cases seem to be part of a larger social problem.  It seems that nowadays the leadership of large, powerful organizations feels free to promote their own interests using psychologically sophisticated but deceptive marketing and public relations strategies no matter what their effect on the public welfare.

As we have said all too many times before, we will not deter unethical behavior by health care organizations until the people who authorize, direct or implement bad behavior fear some meaningfully negative consequences. Real health care reform needs to make health care leaders accountable, and especially accountable for the bad behavior that helped make them rich.
