In recent news, Joseph Frank Korzelius, a school counselor and the owner of Western Carolina Counseling Services, pleaded guilty to health care fraud after using his students' personal information to submit false Medicaid billings. In total, Korzelius was reimbursed $436,229.08 through the North Carolina Medicaid Program over the course of three years for his fraudulent claims.
Korzelius used his position as a Licensed Professional Counselor at Tryon Elementary School in Tryon, NC, to access student records and other personal information. Using this information, he proceeded to submit service billings for individual psychotherapy services that had never taken place.
U.S. Attorney Rose called his actions “reprehensible” and ensured that “he will be punished for them.” Currently, Korzelius could be facing a maximum prison sentence of 10 years along with a $250,000 fine.
Insider access to personal information poses a common and serious threat. While most employees are trustworthy, this case highlights the fact that even those in positions of authority sometimes commit egregious crimes. In order to effectively protect against insider breaches, it is essential to have a comprehensive set of controls. Best practices include:
- Software used by the organization must have robust internal audit trails. The log should record who did what and when they did it. It is important that the audit logs show who viewed information, not just the details of additions, changes and deletions.
- A rigorous internal audit program is essential to detect inappropriate access of systems. Because audit logs can have an enormous amount of data, the only practical way to identify improper access is to use specialized audit log monitoring software, from vendors such as FairWarning or Spher.
- Finally, it is important to have sanctions in place in order to deal with employees who violate the organization’s confidentiality policies. Egregious violations such as the one highlighted in this case would call for termination, while lesser violations such as browsing information out of curiosity might involve a lesser sanction.
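As an added illustration of the first two practices (this is example code written for this page, not output or code from any vendor's product), the sketch below reviews an audit trail for users who open records outside their assigned caseload, and shows that the same review finds nothing when the trail records only changes. The log format, user names, record IDs, caseload table and threshold are all constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample audit trail (not real data): timestamp, user, action, record
SAMPLE_LOG = """\
2024-03-04T09:12:00,counselor_a,VIEW,S-1001
2024-03-04T09:15:00,counselor_a,UPDATE,S-1001
2024-03-04T10:02:00,counselor_b,VIEW,S-2001
2024-03-04T16:40:00,counselor_b,VIEW,S-1001
2024-03-04T16:41:00,counselor_b,VIEW,S-1002
2024-03-04T16:43:00,counselor_b,VIEW,S-3007
2024-03-05T08:30:00,counselor_a,VIEW,S-1002
2024-03-05T08:31:00,counselor_a,VIEW,S-2001
"""

# Hypothetical caseload: records each user has a documented reason to open.
CASELOAD = {
    "counselor_a": {"S-1001", "S-1002"},
    "counselor_b": {"S-2001"},
}

ALL_ACTIONS = ("VIEW", "UPDATE", "CREATE", "DELETE")

def parse_events(text):
    """Parse 'timestamp,user,action,record' lines into dicts."""
    fields = ["timestamp", "user", "action", "record"]
    return list(csv.DictReader(io.StringIO(text), fieldnames=fields))

def out_of_caseload(events, caseload, actions=ALL_ACTIONS):
    """Map each user to the distinct records they touched outside their caseload."""
    hits = defaultdict(set)
    for ev in events:
        assigned = caseload.get(ev["user"], set())
        if ev["action"] in actions and ev["record"] not in assigned:
            hits[ev["user"]].add(ev["record"])
    return {user: sorted(records) for user, records in hits.items()}

def flag_for_review(events, caseload, threshold=2, actions=ALL_ACTIONS):
    """Return users with at least `threshold` distinct out-of-caseload records."""
    hits = out_of_caseload(events, caseload, actions)
    return {u: r for u, r in hits.items() if len(r) >= threshold}

if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    print("with view events:", flag_for_review(events, CASELOAD))
    # A trail that records only changes never sees the browsing at all.
    print("changes only:", flag_for_review(events, CASELOAD, actions=ALL_ACTIONS[1:]))
```

The threshold keeps a single out-of-caseload lookup from raising a flag on its own; where to set it is a policy decision tied to the sanctions described above.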