Why medical billing fraud hurts our wallets — and harms our health

Cybercriminals are always looking for the next arena for theft. With improved security around financial data, they’re now turning to the world of health care, where breaches can not only jeopardize bank accounts but also put people’s physical well-being at risk.

Data theft in health care can happen when hackers access a provider’s or biller’s system or carry out malware attacks to steal personal information from patients’ medical records and claims.

Incidents of these breaches by fraudsters, and subsequent malicious activity, jumped to 59 million patient records in 2022, up from 40 million in 2020. And health care fraud, waste and abuse are costing Americans more than $300 billion a year. Patients can also suffer from lack of medical care when claims are incorrectly denied or inaccurate information is added to their records.

To protect customers from overbilling and fraud, Mastercard is launching a new benefit for cardholders with HealthLock, a company that identifies potential errors and fraud in health care billing and helps protect health care data. The benefit, initially for millions of U.S.-issued HSA and FSA Mastercard cardholders, includes 24/7 privacy monitoring of doctors and claims, medical data breach alerts, automatic medical claims review for overbilling and more. The benefit is expected to be expanded to more U.S. cardholders later this year.

The Mastercard Newsroom spoke to HealthLock CEO Scott Speranza about this growing problem, the impact on patient care and solutions that can help.

Why are health care overbilling fraud and data breaches so prevalent?

Speranza: There are fewer protections in place when it comes to your medical data.
Insurance companies process billions of medical claims a year but they are not always verifying them. Consider how many defrauded pennies and dimes accumulate from billions of claims? Some of these losses stem from simple coding errors. Others are from more questionable practices such as “balance billing,” where providers bill patients for the difference between their charge and the amount a health plan paid. Since doctors and hospitals outsource their billing to third-party companies, it's easy for thieves to step in. It’s a Wild West of sorts, with an average of 160,000 patient records breached every day.

How are criminals going after data?

Speranza: Criminals find information on the dark web or carry out cyberattacks themselves. Once they get the information they need, they’ll file a fraudulent medical claim to an insurer, who then goes ahead and pays it. The criminals collect what they can, then disappear. Everybody in the process has been harmed:  the insurer paid money they shouldn’t have, the provider’s books are wrong, and the patient could end up with a hit on their credit report for failing to pay a fake bill they never even received, since it was sent to a fictitious address.

What are criminals using this data for?

Speranza: Medical data is now 50 times more valuable than your credit card numbers and 250 times more valuable than your Social  Security number. Criminals can profit from using insurance policy identification numbers, group numbers, a person’s deductible, who their doctors are and even standardized codes associated with their care and treatments.

Why is it difficult for people to catch overbilling and fraud?

Speranza: In many of these cases, the doctor isn’t fixing the problem nor is the insurer — they may not even be aware of the problem. The patient must fix it themselves. Most people just aren’t able to navigate the complexity. How is a patient supposed to know if an incorrect code was used? What if the insurance company requested more data and the doctor didn’t provide it? Of the billions of dollars in claims that we’ve appealed for our customers at HealthLock, 70% have been overturned.

What are some real life or even life-or-death consequences of breaches?

Speranza: Over 65% of all bankruptcies involve medical issues. It’s often an unplanned charge of less than $10,000 that drives people to bankruptcy. But imagine if these expenses were fraudulently claimed. A criminal uses information to create and get paid on a fake medical claim for a knee surgery. If you end up actually needing knee surgery one day, it’s already on your record that you had surgery and you are denied service or payment for your legitimate claim. There are horror stories of people whose care has been postponed or denied because of these types of issues.

How is HealthLock helping patients deal with these problems?

Speranza: Our mission is to verify every single health care transaction for the consumer. Rectifying medical billing or insurance issues is largely a manual and lengthy process. When someone joins HealthLock, we sync with your insurance company. Our system downloads medical claims from the past two years and runs them through our data-driven analytics. You can see how many bills would have been flagged at the time for review and can decide if you want us to help recover money from any from the past 90 days. We also check your providers’ historical data breaches to see how secure their systems are. Customers get a score on how private, or at risk, their data is.

How do you address problems with current bills and claims?

Speranza: Once a customer is set up in our system, we automatically monitor incoming claims and flag suspicious ones. The member decides which flagged claims to investigate and negotiate. Some customers prefer to investigate on their own. Others want us to do it. What we’ve found is that nobody else is monitoring claims like this in real time using data-driven analytics and proactively telling you about a breach. Our goal is to give peace of mind. When you’re having a health crisis, your priority should be your health, not dealing with insurance, medical bills and possibly fraudulent costs and data breaches.