Tyro machines targeted in robberies


A spate of smash-and-grab burglaries in Melbourne reinforces the need for GP practices to have clear accounting processes.


At least seven Melbourne medical practices have now had their Tyro terminals stolen and used to process fraudulent transactions, with GP clinics urged not to let financial hygiene fall by the wayside.

The burglaries involved thieves breaking into a practice in the evening, stealing Tyro machines and processing fake claims via the “unmatched refund” feature.

In at least one case, according to The Australian, the break-in and fraudulent billings all happened before practice staff arrived to see the damage and lock down the accounts the next morning.

It is not entirely clear how the thieves get into the machines, which are PIN-protected.

In a statement posted to its website, Tyro Health emphasised that the fraudulent billing activity was unrelated to its Medicare Easyclaim or private health insurance claiming functionality.

“The fraudulent activity instead involved a payments feature known as Unmatched Refunds, which allows refunds to be processed to a card other than the original payment card,” Tyro said.

“This function, while legitimate and protected by a PIN set by the practice administrator, was exploited when terminals were stolen from a small number of healthcare practices.

“Tyro Health identified seven affected practices in Victoria. Once aware of the issue, Tyro immediately disabled the Unmatched Refund feature for all Tyro Health merchants, introduced additional fraud and risk controls, and supported impacted customers.”

No patient data was affected.

David Dahm, an accountant specialising in primary healthcare, said the incidents spoke to the importance of keeping up rigorous financial controls within practices – to protect not just against theft, but also fraud from within the practice.

“The boring bits are where the opportunity [for fraud] exists, because people assume,” he told The Medical Republic.

“And that’s the problem; everybody assumes everybody else is doing the right thing, until somebody loses a chunk of money.”

The aforementioned “boring bits” include keeping PINs secret and completing regular, thorough bank reconciliations.

Mr Dahm laid out a hypothetical situation wherein a practice had used a generic, easily guessable PIN – the clinic’s postcode – to avoid the bother of setting up specific PINs for different staff members or so that all practice staff could access the machine.

“A PIN is like your own personal bank account or tax file number … if you are going around sharing the PIN … you can’t even trace it to the individual staff member,” he said.

“You could have unauthorised billing or unauthorised receipting because, at the very practice level, you haven’t got tight controls over your password numbers. That’s your first problem.”

The second problem plaguing practice financials, he said, is unallocated income.

“Make sure that you’ve identified that it is the practitioner who’s authorised the billing, and it goes back to the practitioner and it’s accounted towards the practitioner and it’s counted from the billing point of view,” Mr Dahm said.

“But then there’s also the receipting and the bank reconciliation, which is where [GP practices can] fall over.”

Often, he said, there’s an attitude that “near enough is good enough”.

“[Practices will often] do an adjustment, … and there’s no explanation, there’s no name, there’s no date of who made the adjustment,” Mr Dahm said.

“What’s the rationale? What’s the purpose?

“This is how a lot of fraud can perpetuate internally, not just externally.”

According to medical indemnity firm Avant, some of the more recent fraud cases perpetrated by practice staff involved reversing payments and pocketing the surplus, manipulating MBS numbers or charging patients separately for fictional “extras”.

Avant risk advisor Gail Wang told TMR the medical indemnifier had observed an increase in financial fraud cases within medical practices over recent years.

“While exact figures are difficult to pinpoint due to the sensitive nature of these cases, we’ve seen a pattern [in that it] tends to come in waves rather than being consistent,” she said.

“Recently, we had a practice owner who decided to conduct an audit after reading an article on this issue and discovered a substantial sum had gone missing, perpetrated by a trusted long-term employee.

“It’s worth noting that fraud can occur at all levels of staff.”

Ms Wang said Avant had handled cases involving sums of up to $80,000, with the actual cost to the practice being higher once Medicare refunds and other financial impacts were factored in.

“We’ve also encountered cases exceeding this amount,” she said.

“These figures should serve as a reminder for practice owners about the importance of robust financial controls.”

It takes an average of two years for a practice to detect fraud, and often it is only discovered by accident.

Perpetrators of internal fraud, Ms Wang said, tended to be long-standing and trusted practice employees.

She also said that, contrary to popular assumptions about gambling problems, the reasons that people committed fraud covered a wide range of issues.

In one case handled by Avant, the perpetrator had simply opened a new bank account and deposited the money but not spent it.

“There can be serious medicolegal consequences for doctors,” Ms Wang said.

“In some cases, we’ve seen Medicare item numbers changed retrospectively to generate higher rebates, which then went into the fraudulent employee’s bank account while being properly receipted in the practice system.

“This creates potential regulatory issues for the practice owners. Fortunately, most cases don’t involve Medicare compliance issues.”
