At HIMSS 2014, James Robnet, IRS Special Agent in charge of the IRS Tampa, FL field office, presented an update on IRS tax fraud and on how fraudsters create data breach risks for hospitals, physicians and other health providers. When conducting a meaningful use risk analysis, it is helpful to think about actors who would be motivated to take PHI. Special Agent Robnet presented details regarding a growing scam: tax fraud. The scheme is to file a fraudulent U.S. federal return using a stolen identity and then claim a refund, using an address accessible to the fraudster.

Patient databases at hospitals, physician practices and other providers typically contain all of the information that a tax fraudster needs to carry out this scam and file a fraudulent tax return. Criminals might steal entire databases and offer them for resale on the black market, or an employee might use a few records for small-scale fraud.

Until recently, Tampa, Florida was the leading city for IRS tax fraud. Robnet shared details of a recent case: Rashia Wilson, formerly of Tampa, is now serving 21 years in prison for stealing more than $3 million.

She called herself the “first lady” of tax refund fraud and even posted photos of herself with stacks of money on Facebook.

Self-proclaimed “queen of IRS tax fund” Rashia Wilson from Tampa, Florida posted this photo on her Facebook page to brag about the tax refunds she received after filing fraudulent IRS claims using stolen identities. Photo courtesy of Tampa Police Department.

Special Agent Robnet shared a few details that indicate the challenges faced by the IRS in preventing this fraud. First of all, by law, the IRS must issue refunds within 48 hours of receiving a tax return. Employers are not required to submit their W-2 information until mid-March, so returns submitted before then cannot always be cross-checked against employer-submitted information. Yet another factor that makes this scam easier is the IRS’s consumer-friendly approach of offering pre-paid debit cards for refunds, which gives fraudsters a convenient way to obtain the refund money without having to cash a check.

According to the Treasury Inspector General’s office, the IRS issued nearly $4 billion in bogus tax refunds in 2012. Agent Robnet shared that refunds under $3,000 are processed quickly. To estimate the number of criminal acts, we could divide the $4 billion by an estimated average fraudulent refund of $2,000 to obtain a total of 2 million fraudulent returns submitted nationwide. More details regarding the tactics and the underground economy in stolen identities are available at Krebs on Security, a respected IT security blog.

The takeaway for health care organizations is that electronic record and billing data is valuable to fraudsters, small and big. Bad actors are actively stealing and using millions of consumer records each year for just this one type of fraud. A myriad of controls to prevent and detect hacking and data theft are appropriate to protect against large-scale theft of the entire database. Additionally, a robust internal audit program is essential to detect and deter small-scale thefts.
