253 posts categorized "Fraud" Feed

The New Target That Enables Ransomware Hackers to Paralyze Dozens of Towns and Businesses at Once

[Editor's note: today's guest post, by reporters at ProPublica, is part of a series which discusses trends in cyberattacks and data breaches. It is reprinted with permission.]

By Renee Dudley, ProPublica

On July 3, employees at Arbor Dental in Longview, Washington, noticed glitches in their computers and couldn’t view X-rays. Arbor was one of dozens of dental clinics in Oregon and Washington stymied by a ransomware attack that disrupted their business and blocked access to patients’ records.

But the hackers didn’t target the clinics directly. Instead, they infiltrated them by exploiting vulnerable cybersecurity at Portland-based PM Consultants Inc., which handled the dentists’ software updates, firewalls and data backups. Arbor’s frantic calls to PM went to voicemail, said Whitney Joy, the clinic’s office coordinator.

“The second it happened, they ghosted everybody,” she said. “They didn’t give us a heads up.”

A week later, PM sent an email to clients. “Due to the size and scale of the attack, we are not optimistic about the chances for a full or timely recovery,” it wrote. “At this time we must recommend you seek outside technical assistance with the recovery of your data.”

On July 22, PM notified clients in an email that it was shutting down, “in part due to this devastating event.” The contact phone number listed on PM's website is disconnected, and the couple that managed the firm did not respond to messages left on their cellphones.

The attack on the dental clinics illustrates a new and worrisome frontier in ransomware — the targeting of managed service providers, or MSPs, to which local governments, medical clinics, and other small- and medium-sized businesses outsource their IT needs. While many MSPs offer reliable support and data storage, others have proven inexperienced or understaffed, unable to defend their own computer systems or help clients salvage files. As a result, cybercriminals profit by infiltrating dozens of businesses or public agencies with a single attack, while the beleaguered MSPs and their incapacitated clients squabble over who should pay the ransom or recovery costs.

Cost savings are the chief appeal of MSPs. It’s often cheaper and more convenient for towns and small businesses with limited technical needs to rely on an MSP rather than hire full-time IT employees. But those benefits are sometimes illusory. This year, attacks on MSPs have paralyzed thousands of small businesses and public agencies. Huntress Labs, a Maryland-based cybersecurity and software firm, has worked with about three dozen MSPs struck by ransomware this year, its executives said. In one incident, 4,200 computers were infected by ransomware through a single MSP.

Last month, hackers infiltrated MSPs in Texas and Wisconsin. An attack on TSM Consulting Services Inc. of Rockwall, Texas, crippled 22 cities and towns, while one on PerCSoft of West Allis, Wisconsin, deprived 400 dental practices around the country of access to electronic files, the Wisconsin Dental Association said in a letter to members. PerCSoft, which hackers penetrated through its cloud remote management software, said in a letter to victims that it had obtained a key to decrypt the ransomware, indicating that it likely paid a ransom. PerCSoft did not return a message seeking comment.

TSM referred questions about the Texas attack to the state’s Department of Information Resources, which referred questions to the FBI, which confirmed that the ransomware struck the towns through TSM. One of the 22 Texas municipalities has been hit by ransomware twice in the past year while using TSM’s services.

FBI spokeswoman Melinda Urbina acknowledged that MSPs are profitable targets for hackers. “Those are the targets they’re going after because they know that those individuals would be more apt to pay because they want to get those services back online for the public,” she said.

Beyond the individual victims, the MSPs’ shortcomings have a larger consequence. They foster the spread of ransomware, one of the world’s most common cybercrimes. By failing to provide clients with reliable backups or to maintain their own cybersecurity, and in some cases paying ransoms when alternatives are available, they may in effect reward criminals and give them an incentive to strike again. This year, ProPublica has reported on other industries in the ransomware economy, such as data recovery and insurance, which also have enriched ransomware hackers.

To get inside MSPs, attackers have capitalized on security lapses such as weak passwords and failure to use two-factor authentication. In Wisconsin and elsewhere, they also have exploited vulnerabilities in “remote monitoring and management” software that the firms use to install computer updates and handle clients’ other IT needs. Even when patches for such vulnerabilities are available, MSPs sometimes haven’t installed them.

The remote management tools are like “golden keys to immediately distribute ransomware,” said Huntress CEO Kyle Hanslovan. “Just like how you’d want to push a patch at lightning speed, it turns out you can push out ransomware at lightning speed as well.”

Otherwise, the hacker may spread the ransomware manually, infecting computers one at a time using software that normally allows MSP technicians to remotely view and click around on a client’s screen to resolve an IT problem, Hanslovan said. One Huntress client had the “record session” feature of this software automatically enabled. By watching those recordings following the attack, Huntress was able to view exactly how the hacker installed and tracked ransomware on the machines.

In some cases, Hanslovan said, MSPs have failed to save and store backup files properly for clients who paid specifically for that service so that systems would be restored in the event of an attack. Instead, the MSPs may have relied on low-cost and insufficient backup solutions, he said. Last month, he said, Huntress worked with an MSP whose clients’ computers and backup files were encrypted in a ransomware attack. The only way to restore the files was to pay the ransom, Hanslovan said.

Even when backups are available, MSPs sometimes prefer to pay the ransom. Hackers have leverage in negotiations because the MSP — usually a small business itself — can’t handle the volume of work for dozens of affected clients who simultaneously demand attention, said Chris Bisnett, chief architect at Huntress.

“It increases the likelihood that someone will pay rather than just try to fix it themselves,” Bisnett said. “It’s one thing if I have 50 computers that are ransomed and encrypted and I can fix them. There’s no way I have time to go and do thousands of computers all at the same time when I’ve got all these customers calling and saying: ‘Hey, we can’t do any business, we’re losing money. We need to be back right now.’ So the likelihood of the MSP just saying, ‘Oh I can’t deal with this, let me just pay,’ goes up.”

Because there are so many victims, the hacker can make a larger ransom demand with greater confidence that it will be paid, Hanslovan said. Attacking the MSP “gives you hundreds or even thousands more computers for the same cost of infection,” he said. The “support cost of negotiating the ransom is low” since the attacker typically corresponds with the MSP rather than its individual clients.

Before this year’s ransomware spree, MSPs were susceptible to other kinds of cybercrime. Last October, the U.S. Department of Homeland Security warned in an alert about attacks on MSPs for “purposes of cyber espionage and intellectual property theft.” It added that “MSPs generally have direct and unfettered access to their customers’ networks,” and that “a compromise in one part of an MSP’s network can spread globally, affecting other customers and introducing risk.”

The first spate of ransomware attacks on MSPs, early this year, deployed what is called the GandCrab strain. Then, in an online hacking forum, the hackers behind GandCrab announced their retirement in May. After that, another strain of ransomware known as Sodinokibi ransomware sprung up and began targeting MSPs.

Sodinokibi ransom amounts are “scaled to the size of the organization and the perceived capacity to pay,” according to Connecticut-based Coveware, which negotiates ransoms for clients hit by ransomware. Sodinokibi will not run on systems that use languages including Russian, Romanian and Ukrainian, according to security firm Cylance, possibly because those are native languages for hackers who don’t want to draw the attention of local law enforcement.

Sodinokibi was the strain used in the attack on TSM Consulting Services that encrypted the computers of 22 Texas municipalities, leaving them unable to fulfill tasks such as accepting online payments for water bills, providing copies of birth and death certificates and responding to emails. Most of the towns have not been publicly identified. More than half have returned to normal operations, the Texas Information Resources Department said in an update posted on its website. The hackers sought millions of dollars. The department is "unaware of any ransom being paid in this event," according to the update.

TSM began operations in 1997, and it provides equipment and support to more than 300 law enforcement agencies in Texas, according to its website. It is unclear why the 22 municipalities, and not TSM’s other clients, were affected by the August attack.

One of the 22 Texas municipalities hit last month was Kaufman, a city about 30 miles southeast of Dallas. An attack last November on Kaufman, which forced its police department to cease normal operations, was mentioned in a ProPublica article about two data recovery firms that purported to use proprietary technology to disable ransomware but in reality often just paid the attackers. TSM had enlisted one of the firms, Florida-based MonsterCloud, to help Kaufman recover from the November intrusion.

MonsterCloud waived its fee in exchange for a video testimonial featuring the Kaufman police chief, the president of TSM and the TSM technician who worked with Kaufman. In the testimonial, TSM technician Robby Pleasant said that the attackers had “reset everyone’s password, including the administrator,” and that the data “was locked up and not functioning.” Pleasant said in the video that MonsterCloud was able to “recover all the data” and “saved the day.”

“They can come in and recover even if someone does find a hole in our armor,” Pleasant said in the video.

Last month, attackers again found a hole in TSM’s armor. Using a third-party software vendor, rather than TSM, Kaufman had strengthened its backup system since the first attack, so it was able to restore much of the lost data, City Manager Michael Slye said. Kaufman’s computer systems were down for 24 hours, and the city handled municipal business such as writing tickets and taking payments on paper during that time, Slye said.

But backup safeguards were less effective for Kaufman’s police department, which uses a different type of software than other city offices, Slye said. The department’s dashcam video storage lost months of footage, and it still isn’t working, he said.

“It was not a fun experience to get this twice,” he said.

A TSM employee who declined to be named said the November attack may have been caused by “someone clicking on a bad email. We don’t have definitive information on that. We went into recovery mode immediately.”

PM Consultants, the Oregon provider of IT services to dental clinics, was run by a husband and wife, Charles Gosta Miller and Ava Piekarski, out of their home, according to state records. The firm didn’t employ enough technicians, said Cameron Willis, general manager of Dentech LLC in Eugene, Oregon, which took on many of PM’s former clients. Some former PM clients have complained to Willis that it was unresponsive to their requests for help, he said.

“A lot of dental office facilities don’t want to spend the money on IT infrastructure the way they should,” and they lack the technical know-how to vet providers, Willis said. They “don’t know any better. They don’t have the time to research. If you have someone who does provide some service, it’s very, very easy to see how some of the fly-by-nights would attract such a large clientele. ... When one office finds something that works, they scream it to the hills.”

In the July 22 email announcing its closure, PM said it had been “inundated with calls” on the morning of the ransomware attack, “and we immediately started investigating and trying to restore data. Throughout the next several days and into the weekend, we worked around the clock on recovery efforts. ... However, it was soon apparent the number of PC’s that needed restoration was too large for our small team to complete in any reasonable time frame.” The company was also “receiving hundreds of calls, emails and texts to which we were unable to respond.”

PM said that it had retained counsel to “assist with recovery of any available insurance, payment and billing proceeds,” and that it would be “sending out final invoices in the next two weeks.” Its formal dissolution, it continued, “will include an option to submit a claim” against the company.

Austin Covington, director of Lower Columbia Oral Health, a Longview, Washington, clinic affected by the attack, said it plans to take legal action against PM and declined to comment further. Other victims have not been publicly identified.

Some dentists “did not lose any data” because they had good backup files, Willis said. “Some clients lost some. Some lost a lot.” He doesn’t know whether clients paid ransoms, he said.

Dentech takes a different approach than PM did, Willis said. To prevent ransomware and other breaches, even its own staff has limited access to the remote management software favored by hackers, he said. It has 14 technicians, who often handle services such as software updates in person, he said. Dentech requires clients to use best practices, Willis said. If they decline, the firm requires them to sign a waiver releasing Dentech of liability in case of ransomware or other data loss.

Without such explicit terms, it’s often unclear whether the MSP or its clients are responsible for paying ransoms or recovery costs associated with an attack. Chris Loehr, executive vice president of Texas-based Solis Security, which helps victims negotiate ransom payments, was called in when GandCrab ransomware struck an MSP and encrypted some of its clients’ backup files several months ago. The MSP paid the ransom only for those that used its data backup service, which had failed, Loehr said. Clients who did not buy the backup service had to decide themselves whether to pay the ransom.

This summer, in a separate incident, Loehr negotiated with hackers on behalf of a New York-based MSP that was hit by Sodinokibi ransomware. The MSP didn’t want to pay the total ransom of about $2 million in bitcoin to unlock the files of all its clients, who were primarily architectural and engineering firms. Instead, each of the 200 affected clients was left to decide whether to pay about $10,000 in bitcoin. The MSP’s owner refused for legal reasons; he was worried that, if he was sued over the attack, a payment might be construed as an admission of fault, Loehr said.

The preponderance of low-quality MSPs has fostered the current ransomware onslaught, Loehr said. He noted that little experience or funding is needed to open an MSP; the barriers to entry are few.

“The startup costs are low,” Loehr said. “It doesn’t take much. The way the MSP world works, it’s not like you have to go out and buy $1 million of software. You can operate out of your house. These guys charge their clients up front. There is little cash flow to get this stuff off the ground.”

“Every IT guy thinks he can do this,” Loehr said. “‘Hey, I’m a technology guy.’

“No.”

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for The Big Story newsletter to receive stories like this one in your inbox.

 


What Can Be Done Right Now to Stop a Basic Source of Health Care Fraud

[Editor's note: today's post, by reporters at ProPublica, discusses fixes for the security issues discussed in a prior post. It is reprinted with permission.]

By Marshall Allen, ProPublica

In our story about the convicted health care con man David Williams, we detailed how the Texas personal trainer made off with millions by billing some of the nation’s largest health insurers as if he were a doctor providing medical services.

Williams cannily exploited gaping loopholes in the health insurance system that allowed him almost unfettered entry. Taking commonsense steps to close those loopholes, experts say, could block other fraudsters from entry.

1. No one checks to see whether people getting federal ID numbers that allow them to bill insurers have valid licenses. They could.

Anyone billing an insurance company needs a National Provider Identifier, or NPI number. The number is obtained through Medicare, a federal agency that covers people over 65 as well as those with disabilities. But Medicare doesn’t verify that NPI applicants who claim to be licensed are, indeed, licensed by their state’s regulators. The agency could do a license check in less than a minute online or in milliseconds if the process is automated.

Medicare said federal regulations do not allow it to verify NPI applicants’ credentials, so the Department of Health and Human Services might need to revise the regulations. Congress could also order the reform.

2. Insurance companies don’t always verify that the people they are paying are licensed medical providers. They could.

Williams avoided scrutiny from insurers by billing as an out-of-network provider, so he didn’t have a contract with them and didn’t have his credentials verified before receiving payments. At Williams’ trial on federal fraud charges, representatives from the insurance companies testified that it’s not cost effective to review every claim. Almost all are automatically paid.

At a minimum, insurers could ensure that anyone billing them has the proper licensing before a payment is made. Again, this screening would take seconds or less.

Regulators could also require that insurers verify the licenses of those they pay. Some experts say it may take state and federal legislation to mandate it. Officials from America’s Health Insurance Plans, the trade group for the insurers, declined to comment on this suggestion.

3. Insurance companies aren’t reporting most cases of suspected fraud to state and federal regulators. They could.

Many states have a law in place that requires insurers to report suspected cases of fraud to state regulators. This allows regulators to spot serial fraudsters and trends, and it helps officials build criminal and civil cases. But the states have a mishmash of requirements, and many don’t do audits to make sure cases are being reported.

At least three insurance companies caught Williams committing fraud. But the Texas Department of Insurance only received one referral about the case, according to internal documents. If all three insurers that Williams defrauded had referred him, his case could have been prioritized and stopped sooner.

The existing state laws don’t apply to self-funded plans where employers pay for the health benefits. Those are overseen by the federal government. And no federal law requires insurers who administer self-funded plans to report suspected cases of fraud.

State and federal laws would need to be changed to require the consistent reporting of suspected fraud. Experts say audits, and the potential for fines, may also be needed to spur the insurers to file the reports.

Filed under:

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for The Big Story newsletter to receive stories like this one in your inbox.


Health Insurers Make It Easy for Scammers to Steal Millions. Who Pays? You.

[Editor's note: today's guest post, by reporters at ProPublica, discusses security and fraud issues within the health insurance industry. It is reprinted with permission.]

By Marshall Allen, ProPublica

Ever since her 14-year marriage imploded in financial chaos and a protective order, Amy Lankford had kept a wary eye on her ex, David Williams. Williams, then 51, with the beefy body of a former wrestler gone slightly to seed, was always working the angles, looking for shortcuts to success and mostly stumbling. During their marriage, Lankford had been forced to work overtime as a physical therapist when his personal training business couldn’t pay his share of the bills.

So, when Williams gave their three kids iPad Minis for Christmas in 2013, she was immediately suspicious. Where did he get that kind of money? Then one day on her son’s iPad, she noticed numbers next to the green iMessage icon indicating that new text messages were waiting. She clicked.

What she saw next made her heart pound. Somehow the iPad had become linked to her ex-husband’s personal Apple device and the messages were for him.

Most of the texts were from people setting up workouts through his personal training business, Get Fit With Dave, which he ran out of his home in Mansfield, Texas, a suburb of Fort Worth. But, oddly, they were also providing their birth dates and the group number of their health insurance plans. The people had health benefits administered by industry giants, including Aetna, Cigna and UnitedHealthcare. They were pleased to hear their health plans would now pay for their fitness workouts.

Lankford’s mind raced as she scrolled through the messages. It appeared her ex-husband was getting insurance companies to pay for his personal training services. But how could that be possible? Insurance companies pay for care that’s medically necessary, not sessions of dumbbell curls and lunges.

Insurance companies also only pay for care provided by licensed medical providers, like doctors or nurses. Williams called himself “Dr. Dave” because he had a Ph.D. in kinesiology. But he didn’t have a medical license. He wasn’t qualified to bill insurance companies. But, Lankford could see, he was doing it anyway.

As Lankford would learn, “Dr. Dave” had wrongfully obtained, with breathtaking ease, federal identification numbers that allowed him to fraudulently bill insurers as a physician for services to about 1,000 people. Then he battered the system with the bluntest of ploys: submit a deluge of out-of-network claims, confident that insurers would blindly approve a healthy percentage of them. Then, if the insurers did object, he gambled that they had scant appetite for a fight.

By the time the authorities stopped Williams, three years had passed since Lankford had discovered the text messages. In total, records show, he ran the scheme for more than four years, fraudulently billing several of the nation’s top insurance companies — United, Aetna and Cigna — for $25 million and reaping about $4 million in cash.

In response to inquiries, Williams sent a brief handwritten letter. He didn’t deny billing the insurers and defended his work, calling it an “unprecedented and beneficial opportunity to help many people.”

“My objective was to create a system of preventative medicine,” he wrote. Because of his work, “hundreds of patients” got off their prescription medication and avoided surgery.

There are a host of reasons health care costs are out-of-control and routinely top American’s list of financial worries, from unnecessary treatment and high prices to waste and fraud. Most people assume their insurance companies are tightly controlling their health care dollars. Insurers themselves boast of this on their websites.

In 2017, private insurance spending hit $1.2 trillion, according to the federal government, yet no one tracks how much is lost to fraud. Some investigators and health care experts estimate that fraud eats up 10% of all health care spending, and they know schemes abound.

Williams’ case highlights an unsettling reality about the nation’s health insurance system: It is surprisingly easy for fraudsters to gain entry, and it is shockingly difficult to convince insurance companies to stop them.

Williams’ spree also lays bare the financial incentives that drive the system: Rising health care costs boost insurers’ profits. Policing criminals eats away at them. Ultimately, losses are passed on to their clients through higher premiums and out-of-pocket fees or reduced coverage.

Insurance companies “are more focused on their bottom line than ferreting out bad actors,” said Michael Elliott, former lead attorney for the Medicare Fraud Strike Force in North Texas.

As Lankford looked at the iPad that day, she knew something else that made Williams’ romp through the health care system all the more surprising. The personal trainer had already done jail time for a similar crime, and Lankford’s father had uncovered the scheme.

Scanning her ex-husband’s texts, Lankford, then 47, knew just who to call. During the rocky end of her marriage, her dad had become the family watchdog. Jim Pratte has an MBA in finance and retired after a career selling computer hardware, but even the mention of Williams flushed his face red and ratcheted up his Texas twang. His former-son-in law is the reason he underwent firearms training.

Lankford lived a few minutes away from her parents in Mansfield. She brought her dad the iPad and they pored over message after message in which Williams assured clients that their insurance would cover their workouts at no cost to them.

Lankford and Pratte, then 68, were stunned at Williams’ audacity. They were sure the companies would quickly crackdown on what appeared to be a fraudulent scheme.

Especially because Williams had a criminal record.

In early 2006, while Williams and Lankford were going through their divorce, the family computer started freezing up. Lankford asked her dad to help her recover a document. Scrolling through the hard drive, Pratte came upon a folder named “Invoices,” and he suspected it had something to do with Williams.

His soon to be ex-son-in-law had had a promising start. He’d wrestled and earned bachelor’s and master’s degrees at Boise State University, and a Ph.D. at Texas A&M University, before landing a well-paying job as a community college professor in Arlington. But the glow faded when the school suddenly fired him for reasons hidden by a confidential settlement and by Williams himself, who refused to reveal them even to his wife.

Out of a job, Williams had hustled investments from their friends to convert an old Winn-Dixie grocery store into a health club called “Doc’s Gym.” The deal fell apart and everyone lost their money. The failure was written up in the local newspaper under the headline: “What’s up with Doc’s?”

Inside the “Invoices” folder, Pratte found about a dozen bills that appeared to be from a Fort Worth nonprofit organization where his daughter and Williams took their son Jake for autism treatment. As Pratte suspected, the invoices turned out to be fake. Williams had pretended to take Jake for therapy, then created the false bills so he could pocket a cash “reimbursement” from a county agency.

In November 2008, Williams pleaded guilty in Tarrant County District Court to felony theft. He was sentenced to 18 months in jail and was released on bail while he appealed.

Things took an even darker turn about two years later when Williams and Lankford’s 11-year-old son showed up to school with bruising on his face. Investigators determined that Williams had hit the boy in the face about 20 times. Williams pleaded guilty to causing bodily injury to a child, a felony, which, coupled with the bail violation, landed him in jail for about two years.

The time behind bars didn’t go to waste. Williams revised the business plan for Get Fit With Dave, concluding he needed to get access to health insurance.

Williams detailed his plans in letters to Steve Cosio, a tech-savvy friend who ran the Get Fit With Dave website in exchange for personal training sessions. Cosio, whose name later popped up on Lankford’s son’s iPad, kept the letters in their original envelopes and shared them with ProPublica. He said he never suspected Williams was doing anything illegal.

In his letters, Williams said that when he got out, instead of training clients himself, he would recruit clients and other trainers to run the sessions. “It has the potential for increased revenue.”

He asked Cosio to remove the term “personal training” from his website in another letter, adding “95 percent of my clients are paid for by insurance, which does not cover ‘personal training,’ I have to bill it as ‘therapeutic exercise.’ It is the same thing, but I have to play the insurance game … Insurance pays twice as much as cash pay so I have to go after that market.”

Williams downplayed his child abuse conviction — “I can honestly say that I am the only one in here for spanking their child” — and included a dig at his ex-father-in-law, Pratte: “an evil, evil man. He is the reason for my new accommodations.”

Williams told Cosio he needed to raise a quick $30,000 to pay an attorney to get him access to his children. “I will need to get a bunch of clients in a hurry.”

To set his plan in motion, Williams needed what is essentially the key that unlocks access to health care dollars: a National Provider Identifier, or NPI number. The ID number is little known outside the medical community but getting one through the federal government’s Medicare program is a rite of passage for medical professionals and organizations. Without it, they can’t bill insurers for their services.

One would think obtaining an NPI, with its stamp of legitimacy, would entail at least some basic vetting. But Williams discovered and exploited an astonishing loophole: Medicare doesn’t check NPI applications for accuracy — a process that should take mere minutes or, if automated, a millisecond. Instead, as one federal prosecutor later noted in court, Medicare “relies on the honesty of applicants.”

Records show Williams first applied for an NPI under his own name as far back as 2008. But it wasn’t until 2014 that Williams began to ramp up his scheme, even though now he wasn’t just unlicensed, he was a two-time felon. He got a second NPI under the company name, Kinesiology Specialists. The following year, he picked up another under Mansfield Therapy Associates. In 2016, he obtained at least 11 more, often for entities he created in the areas where he found fitness clients: Dallas, Nevada, North Texas and more. By 2017, he had 20 NPIs, each allowing him a new stream of billings.

For every NPI application, Williams also obtained a new employer identification number, which is used for tax purposes. But he never hid who he was, using his real name, address, phone number and email address on the applications. He added the title “Dr.” and listed his credentials as “PhD.” Under medical specialty he often indicated he was a “sports medicine” doctor and provided a license number, even though he wasn’t a physician and didn’t have a medical license.

Medicare officials declined to be interviewed about Williams. But in a statement, they acknowledged that the agency doesn’t verify whether an NPI applicant is a medical provider or has a criminal history. The agency claims it would need “explicit authority” from the Department of Health and Human Services to do so — and currently doesn’t have it. Regulations, and potentially the law, would need to be revised to allow the agency to vet the applications, the statement said.

Medicare does verify the credentials of physicians and other medical providers who want to bill the agency for their Medicare patients.

To those charged with rooting out fraudsters, the current regulations seem like an invitation to plunder. “Medicare has to make sure that the individuals who apply for NPIs are licensed physicians — it’s that simple,” said Elliott, the former prosecutor who ran about 100 health care fraud investigations.

Elliott, who now does white-collar criminal defense, said he knows of two other cases currently under federal investigation in which non-licensed clinic administrators lied to obtain NPI numbers, then used patients’ information to file false claims worth millions.

Medicare warns NPI applicants that submitting false information could lead to a $250,000 fine and five years in prison. But since Medicare started issuing NPIs in 2006, officials said they could not identify anyone who had been sanctioned.

So, for those bent on fraud, the first step is easy; the online approval for an NPI takes just minutes.

Williams got out of jail in November 2012 and launched an aggressive expansion with an irresistible pitch: Time to get those private personal training sessions you thought you couldn’t afford!

“Now accepting most health insurance plans,” his Get Fit With Dave website announced. He added a drop-down menu to his site, allowing potential clients to select their health insurance provider: Aetna. Blue Cross Blue Shield. United.

He began building a team, soliciting trainers from the strength and conditioning department at Texas Christian University. He met with new recruits at local fast food joints or coffee shops to set them up. To the trainers, the business appeared legit: They even signed tax forms. Before long, Williams’ network stretched throughout Texas and into Colorado, Idaho and Nevada.

One Fort Worth trainer recalled meeting Williams through one of his clients, a Southwest Airlines flight attendant. Williams, he said, seemed like a real doctor, and it wasn’t hard to imagine an insurer’s wellness program covering fitness. Plus, it was good money — about $50 an hour and Williams paid him for multiple clients at once if he did boot camps, said the trainer, who asked that his name not be used so he wouldn’t be tarnished by his association with Williams. Williams, he said, even gave him an iPad, with “Kinesiology Specialists” etched on the back, to submit bills and paid him via direct deposit.

Clients came to Williams through his business cards, his website and word-of-mouth. Williams, records show, quickly verified if their insurance companies would cover his fees — although he didn’t tell clients that those fees would be billed as medical services, not personal training. To ensure the clients paid nothing, he waived their annual deductibles — the portion patients pay each year before insurance kicks in. Authorities said Williams banked on being able to file enough claims to quickly blow through their deductibles so he could get paid.

Meredith Glavin, a flight attendant with Southwest, told the authorities she got in touch with Williams after her co-workers said insurance was covering their workouts. After providing her name, address and insurance information on the Get Fit With Dave website, Williams emailed back with the good news: “Everything checks out with your insurance. My services will be covered at no cost to you.”

During a follow-up phone call, Glavin said, they discussed her fitness and weight loss goals and then Williams connected her with a trainer. The workouts were typical fitness exercises, she said, not treatment for a medical condition. But insurance claims show Williams billed the sessions as highly complex $300 examinations to treat “lumbago and sciatica,” a condition in which nerve pain radiates from the lower back into the legs.

He used his favorite billing code — 99215 — to bill Glavin’s insurer, United, the claims show. The code is supposed to be used less often because it requires a comprehensive examination and sophisticated medical decision-making, warranting higher reimbursement. In all, Williams used the code to bill United for more than $20.5 million — without apparently triggering any red flags at the insurer. For that code alone, the insurance giant rewarded him with $2.5 million in payments.

Eventually, Get Fit With Dave expanded to about a dozen trainers and around 1,000 patients, said a source familiar with the case. And, court records show, the checks from insurance companies, some over $100,000, kept rolling in.

Williams bought a couple of pick-up trucks, a new Harley Davidson motorcycle and a fancy house. But greed didn’t seem his only motivation. “I made $50K last week,” he wrote in a December 2014 text to a friend. “Seriously it means nothing. It is not about the money. I have had a lot taken away from me, and maybe I am trying to prove something ... Maybe it is my way of giving the finger to everyone???”

A few miles away, his former father-in-law watched Williams’ illegal business blossom with growing outrage. Pratte kept his grandson’s iPad on his desk, near his computer, and checked it every day. The texts appeared boring, even routine, but Pratte knew they were evidence of ongoing fraud.

“I have another flight attendant friend who is interested in signing up as well,” a new client texted to Williams.

“Tell him to show up with his insurance card,” Williams replied.

To Pratte, the text messages were a “gold mine.” This is the stuff that will really nail his rear end, he recalled thinking as he read the messages. He couldn’t wait to share his findings with the insurers. How often do they get cases wrapped up in a bow?

But when he and Lankford began contacting insurers, they were soon bewildered. When Pratte told Aetna that he wanted to report a case of fraud, he said the customer service representative asked for his member number, then told him non-members couldn’t report criminal activity. Lankford, who happened to be covered by Aetna, made the complaint, but they say they never heard back.

An Aetna spokesman told ProPublica that the insurer could find no record of Pratte’s call but said the company’s fraud hotline takes tips from anyone, even anonymous callers.

Lankford sent an email to Cigna’s special investigations unit in January 2015 “regarding one of your providers that concerns me.” She provided Williams’ company name, address, cellphone number, Social Security number and more, and she described his scheme. “He has no medical license or credentials,” she wrote. “He was in prison for felony theft.”

A supervisory investigator called to ask for the names of personal trainers, which Lankford provided. But, again, there was silence.

Pratte could see many of the clients worked for Southwest and had their benefits administered by United. He jotted down the name, address, phone number, birth date and member identification number of the potential clients on a yellow legal pad — all the information the insurer and Southwest would need to investigate the fraud. This is so easy, Pratte recalled thinking as he wrote down the details, all they have to do is cross-reference this.

Because Southwest self-funds its benefits, the company was on the hook for the bills, which would eventually total about $2.1 million according to a source familiar with the case. It paid United to administer the company’s plan and ensure the claims it covered were legitimate. Pratte said he called the airline in the fall of 2015 and spoke to someone in the human resources department who said they would pass the information to the right people. “That was the last I heard,” he said. Southwest declined to comment for this story. It still pays United to administer its benefits.

Pratte started calling United in the fall of 2014 and spoke to a fraud investigator who took the information with interest, he said. But within a couple of weeks he was told she moved to a different position. Pratte continued calling United over the following two years, making about a dozen calls in total, he said. “He is not a doctor,” Pratte told whoever picked up the phone. “So, I don’t see how he can be filing claims.”

In early 2015, Lankford emailed additional information to the investigator. The investigator wrote back, thanking Lankford and saying she forwarded the details to the people who research licenses. “They will investigate further,” she said in the email.

Meanwhile, the text messages showed Williams continuing to sign up — and bill for — United members.

Frustrated, Pratte made one final call to United in 2016, but he was told the case was closed. United said he’d have to call the Texas Department of Insurance for any additional details. Pratte had already filed a complaint with the regulator but reached out again. The department told him that because he hadn’t personally been defrauded, it would not be able to act on his complaint.

To Pratte, it appeared he had struck out with Aetna, United, Southwest and the Texas Department of Insurance. “I was trying to get as many people as possible to look into it as I could,” Pratte said recently. “I don’t know if that tells me they are incompetent. Or they don’t care. Or they’re too busy.”

A case summary, prepared by the Texas Department of Insurance, shows it first learned of the Williams case in January 2015 but lacked staff to investigate. A spokesman said the regulator later received Pratte’s complaint but didn’t pursue it after learning that United had already investigated and closed its case.

Meanwhile, some Get Fit With Dave clients had begun noticing odd claims on their insurance statements.

Nanette Bishop had heard about Williams when a fellow Southwest flight attendant handed her the trainer’s business card and said, “You’ve got to meet Dr. Dave.” (Bishop said the Southwest legal department advised her not to speak with ProPublica. Details about her interaction with Williams come from court records.)

Bishop said she started strong with the workouts but “fizzled” quickly. Her daughter, who was also on her plan and signed up for workouts, only did a couple sessions. Bishop said she had a hard time staying consistent because she was traveling a lot — for much of October 2014 she was in Germany. Later, she noticed in her insurance records that Williams had been paid for dozens of sessions over many months, even during the time she’d been abroad.

Bishop texted Williams in January 2015 to tell him he needed to refund all the money. “I never worked out four [times] a week and [my daughter] quit the first week of September,” she wrote. Bishop also called United and Southwest Airlines to report the overbilling.

About a month later, Williams received a letter from a subsidiary of United ordering a review Bishop’s medical records.

Another client texted Williams with concerns that her United insurance plan had been billed for 18 workouts in December 2015. That couldn’t be accurate, the woman wrote. “I had to take December off due to my work schedule and family in town,” she wrote. “I understand that people need to be paid but this seems excessive.”

While Pratte, Lankford and some of Williams’ clients repeatedly flagged bogus bills, the mammoth health insurers reacted with sloth-like urgency to the warnings. Their correspondence shows an almost palpable disinterest in taking decisive action — even while acknowledging Williams was fraudulently billing them.

Cigna appears to have been the quickest to intervene. In January 2015, Cigna sent Williams a letter, noting that he wasn’t a licensed medical provider and had misrepresented the services he provided. The insurer said he needed to pay back $175,528 and would not be allowed to continue billing.

“I just got a $175K bill in the mail,” Williams texted to a friend. “Cigna insurance has been overpaying me for the past 18 months and they want it back. I knew that they were reimbursing at too high of a rate so I can’t really complain.”

By then Williams had more than one National Provider Identifier, so he just switched numbers and kept billing Cigna. More than a year later, in May 2016, Cigna sent another letter, saying he now owed $310,309 for inappropriate payments. In total, the company paid him more than $323,000. Williams never gave any of it back. Cigna declined to comment about the Williams case.

Aetna wrote Williams in January 2015 to say it had reviewed his claims and found he wasn’t licensed, resulting in an overpayment of $337,933. The letter said there appeared to be “abusive billing” that gave “rise to a reasonable suspicion of fraud.” But the insurer also gave him a month to provide documentation to dispute the assessment. When Williams hadn’t responded in three months, an Aetna investigator wrote to Williams’ attorney, saying, “We are willing to discuss an amicable resolution of this matter,” and gave him two more weeks to respond.

That August, an Aetna attorney sent Williams’ attorney another letter, noting that Williams had submitted “fraudulent claims” and had continued to submit bills “even after his billing misconduct was identified.”

In January 2016 — a year after Aetna first contacted him — Williams agreed to a settlement that required him to refund the company $240,000 “without admission of fault or liability by either party.”

But that didn’t stop, or even appear to slow, Williams. Not only did he renege on that promise, he picked one of his other NPI numbers and continued to file claims resulting in another $300,000 in payments from Aetna. In total, Aetna paid Williams more than $608,000.

In emails, Ethan Slavin, a company spokesman, didn’t explain why Aetna settled with Williams instead of pursuing criminal prosecution. He blamed the insurer’s slow response on the lengthy settlement process and Williams’ tactic of billing under different organizations and tax identification numbers. Williams did repay some of the money before defaulting, Slavin said.

United, one of the largest companies in the country, paid out the most to Williams. The insurer brought in $226 billion last year and has a subsidiary, Optum, devoted to digging out fraud, even for other insurers. But that prowess is not reflected in its dealings with Williams.

In September 2015, United wrote to Williams, noting his lack of a license and the resulting wrongful payments, totaling $636,637. But then the insurer added a baffling condition: If Williams didn’t respond, United would pay itself back out of his “future payments.” So while demanding repayment because Williams was not a doctor, the company warned it would dock future claims he would be making as a doctor.

Williams responded a month later, noting that he had a Ph.D. in kinesiology and did rehab, so he met the qualifications of a sports medicine doctor.

United responded in November 2015 with the same argument: he wasn’t licensed and thus needed to repay the money, again warning that if he didn’t, United would “initiate repayment by offsetting future payments.”

Williams took United up on its offer. “Please offset future payments until the requested refund amount is met,” he responded.

Then Williams turned to another NPI number, records show, and continued submitting claims to United.

In January 2016, Williams agreed to settle with United and repay $630,000 in monthly installments of $10,000. Inexplicably, the agreement refers to Williams as “a provider of medical services or products licensed as appropriate under the laws of the state of TX” and notes that the settlement doesn’t terminate his continued participation in United’s programs.

In 2016, Williams obtained a new batch of NPI numbers from Medicare. As usual, he used his real name, address and credentials on the applications. The additional numbers allowed him to continue to make claims to United.

In November 2016, United investigators caught Williams again — twice. They sent two letters accusing him of filing 820 claims between May 2016 and August 2016 and demanded repayment. Again, almost inconceivably, the company threatened to cover his debt with “future payments.”

In December 2016, United notified Williams he had only repaid $90,000 of the initial $630,000 he owed and was in default. The following month, United told him he had to pay the remaining $540,000 within 20 days or he could face legal action. Williams replied, saying he wanted to renegotiate the settlement, but the insurer declined. Late that month, United said its inappropriate payments to Williams had ballooned to more than $2.3 million.

A United spokeswoman said it was difficult to stop Williams because he used variations on his name and different organizations to perpetrate the fraud. “He did everything he could not to get caught,” Maria Gordon-Shydlo said.

She acknowledged getting the complaints from Lankford and Pratte, as well as United members, but defended the response of the company, saying it had eventually referred Williams to law enforcement.

The insurer is continuing “to improve our processes and enhance our systems so we can catch these schemes on the front-end,” she said, “before a claim is paid and to recoup dollars that were paid as a result of provider misconduct.”

In all, United paid Williams more than $3.2 million — most of it after the insurer had caught him in the act.

But in reality, the losses weren’t all United’s. Most of the fraud was funded by its client, Southwest.

Many health care experts and fraud investigators said they weren’t surprised to hear that insurers were slow to stop even such an outlandish case of fraud.

“It’s just not worth it to them,” said Dr. Eric Bricker, an internist who spent years running a company that advised employers who self-funded their insurance.

For insurance behemoths pulling in billions, or hundreds of billions, in revenue, fraud that sucks away mere millions is not even a rounding error, he said.

And perhaps counter-intuitively, insurance companies are loath to offend physicians and hospitals in their all-important networks — even those accused of wrongdoing, many experts have said. They attract new clients by providing access to their networks.

This ambivalence toward fraud, Bricker and others said, is no secret. Scammers like Williams are “emblematic of gazillions of people doing variants of the same thing,” Bricker said. Insurers embolden them by using a catch-and-release approach to fraud, in which the insurers identify criminals, then let them go.

Joe Christensen has pursued fraud for both government and commercial insurers, serving as a director in Aetna’s Special Investigations Unit, a team of more than 100 people ferreting out fraud, from 2013 to 2018 and as the director of Utah’s insurance fraud division for 13 years. Fraud in government programs, like Medicare and Medicaid, gets more publicity, he said, and has dedicated arms of agencies pursuing fraudsters. But the losses may be even greater in the commercial market because the dollar levels are higher, he said.

Some commercial insurers take a passive approach, Christensen said, in part because it’s expensive to press a fraud case. At Aetna, he said, investigators would identify cases of apparent fraud, but it was up to the executives and legal team to decide how to handle them. Taking fraudsters to civil or criminal court requires resources, so the company often settled for trying to get repaid through settlements or blocking a suspect provider from billing, he said.

Christensen said while he was at Aetna, investigators almost never sought to partner with law enforcement agencies to pursue criminal cases. Last spring, he became the SIU director for a Southern California-based Medicaid plan called L.A. Care Health Plan, where he was allowed to take a proactive approach. In just about a year, he said, his much smaller team began 37 criminal investigations with law enforcement agencies. The cases are in different stages, but so far there have been seven arrests, four search warrants and one conviction. Christensen recently took a job with an insurer in Utah, where his family lives, so he could be closer to them.

ProPublica asked Aetna how many criminal cases it had pursued in 2017 and 2018. A company official said the question could not be answered because it does not track such cases.

In the spring of 2017, more than four years after Williams first began billing insurers, one of them, United, finally brought him to the attention of the FBI’s heath care fraud squad.

One May day, agents from the FBI and the newly engaged Texas Department of Insurance knocked on the door of Williams’ sprawling six-bedroom home — a spread he’d boasted to one trainer that he’d purchased with cash. Williams didn’t invite them in. He refused to answer questions, claiming his attorney had dealt with the questionable billings.

Undaunted, just days later, Williams used a freshly minted NPI number to send another bill to United. The last known claim he submitted was on June 3, 2017, according to a source familiar with the investigation.

That October, Williams’ long run came to an end when he was arrested by the FBI.

The following May, Williams’ trial began in the United States District Court for the Northern District of Texas. The prosecution didn’t have to make a complex argument. Williams had billed for non-medically necessary services and wasn’t a medical provider — a “slam dunk case” said the agent on the case.

But the testimony served as a cheat sheet for how to defraud the health insurance industry and mostly get away with it.

Without irony, the prosecutor, P.J. Meitl, argued that Williams had preyed on a health insurance system that relies “on trust, relies on honesty” when it pays claims.

He called fraud investigators from Aetna, Cigna and United, who testified that their companies auto-pay millions of claims a year. It’s not cost effective to check them, they said. “Aetna relies on the honesty of the person submitting the claim verifying that it’s true,” testified Kathy Richer, a supervisor in Aetna’s Special Investigations Unit.

In a similar manner, Medicare trusts that people who apply for NPI numbers are actually medical providers, Meitl told the jury. Medicare “does not investigate or verify whether an individual is actually a health care provider before issuing an NPI number.”

Williams’ attorney, Wes Ball, argued that the case was the sign of a “broken” health care system and blamed insurers for making a financial decision not to review Williams’ claims before paying them. United failed to protect Southwest’s money, Ball said, and “might be a vendor you might not want to hire.”

As for the NPI numbers, anyone could have checked Williams’ credentials, he said.

The jury wasn’t convinced, convicting Williams of four counts of health care fraud.

The judge sentenced him to a little more than nine years in federal prison and ordered him to pay $3.9 million in restitution to United, Aetna and Cigna.

Insurers promote themselves as guardians of health care dollars. United says on its website it wants to “help employers manage” medical expenses, resulting in “lower costs.” Aetna promises employers “affordability.” Cigna promises “increased savings.”

But private health insurers allow so much fraud that prosecutors use an idiom to describe the rare person who gets caught: “Pigs get fat, hogs get slaughtered.”

“Pigs” can steal millions, if they bill just enough to avoid notice. But if they get greedy and bill too many millions, they “become a data outlier,” said Elliott, the former fraud task force prosecutor. “You get slaughtered.”

Williams took years to reach hog status.

Part of the problem, experts say, is that health care fraud is often misunderstood as shafting greedy insurers — not the folks paying for health insurance. Ultimately, insurers don’t bear the cost. For their self-funded clients, like Southwest, they merely process the claims. For their traditionally insured clients, they can recover any losses by increasing deductibles and premiums and decreasing coverage.

Williams appears to have duped more than insurers. His twin brother, Dan Williams, recently retired as the assistant special agent in charge of the Dallas field office for criminal investigation for the Internal Revenue Service. He spent 27 years ferreting out fraud, and he gets the irony. “You’re not the first person to point that out,” he said.

Dan Williams said his brother’s sudden riches from the training business piqued his investigative instincts, but he “trusted” his brother when “he told me he was authorized to bill insurance companies.”

In his letter to ProPublica, Williams did not address the issues in the case or even acknowledge that any of his activities were wrong. Instead, he blamed his former wife. “It grieves me that the consequences of a bitter and hurtful divorce have resulted in the ending of this unprecedented and beneficial opportunity to help many people,” he wrote.

Lankford and Pratte are proud of their part in ending his scheme, if still baffled that they had to play such a central role in uncovering it.

If it hadn’t been for the iPad messages, “I have to believe he would still be billing insurance companies from a Caribbean island,” Pratte said.

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for The Big Story newsletter to receive stories like this one in your inbox.


Learn To Spot Employment Scams So You Don't Get Tricked And Lose Money

Many consumers like work-at-home jobs. Fast broadband speeds have made work-at-home jobs attractive for consumers. Scammers and fraudsters find them attractive, too. Work-at-home scams are very profitable for online criminals. CBS News explained how one person lost $35,000 to an employment scam:

"Brad Helding wanted some extra work so he posted his resume on some job sites and soon got an email from a company calling itself Delta Express Couriers. The job? An offer to work from home as a "purchase clerk," buying electronics in large quantities, then shipping them to the company's clients, mostly overseas. The company told him since Montana has no sales tax, they'd save money running the purchases through him. The job paid over $72,000 per year... Helding said he did his research, checking the company's website... The company then sent him $2,000 so he bought iPhones at a Best Buy and shipped them off as instructed. He says for the next batch of purchases, the company told him to temporarily use his own credit card..."

Ultimately, Helding bought and shipped $35,000 worth of equipment. The $2,000 check from the company bounced. A credit card the company later provided was stolen and never valid. Now, Helding owes the $35,000 bill. Plenty of other consumers have been tricked by employment scams:

"He's one of thousands of Americans who fall for employment scams. Employment fraud tops the list of the riskiest scams targeting consumers in 2018, according to a new report by the Better Business Bureau (BBB)..."

Experts advise work-at-home candidates to know the warning signs of job scams, and to thoroughly research the company beyond its web site. Use reputable sources, like the BBB's Search Tool, online company directories (e.g., Dun & Bradstreet, Hoovers, Library of Congress). Visit the websites for the Attorney General (AG), or the Secretary of State (SOS), in the state where you live to further research the company.  In many states, the SOS is responsible for maintaining lists of licensed/registered persons and businesses.

If you don't have internet access, visit your local public library for more business directories. Demand a face-to-face meeting with the hiring manager. Visit the company's office location, if possible. Don't complete any application forms with sensitive personal information (e.g., name, address, Social Security number, tax ID numbers, bank account numbers, etc.) until after you've verified the company is legitimate.

The bounced check Helding experienced reminded me of the check scam, which is popular among criminals. Online criminals are crafty and persistent. Work-at-home candidates need to be crafty and persistent, too.


Survey: People In Relationships Spy On Cheating Partners. FTC: Singles Looking For Love Are The Biggest Target Of Scammers

Happy Valentine's Day! First, BestVPN announced the results of a survey of 1,000 adults globally about relationships and trust in today's digital age where social media usage is very popular. Key findings:

"... nearly 30% of respondents admitted to using tracking apps to catch a partner [suspected of or cheating]. After all, over a quarter of those caught cheating were busted by modern technology... 85% of those caught out in the past now take additional steps to protect their privacy, including deleting their browsing data or using a private browsing mode."

Below is an infographic with more findings from the survey.

Valentines-day-infograph-bestvpn-feb2019

Second, the U.S. Federal Trade Commission (FTC) issued a warning earlier this week about fraud affecting single persons:

"... romance scams generated more reported losses than any other consumer fraud type reported to the agency... The number of romance scams reported to the FTC has grown from 8,500 in 2015 to more than 21,000 in 2018, while reported losses to these scams more than quadrupled in recent years—from $33 million in 2015 to $143 million last year. For those who said they lost money to a romance scam, the median reported loss was $2,600, with those 70 and over reporting the biggest median losses at $10,000."

"Romance scammers often find their victims online through a dating site or app or via social media. These scammers create phony profiles that often involve the use of a stranger’s photo they have found online. The goals of these scams are often the same: to gain the victim’s trust and love in order to get them to send money through a wire transfer, gift card, or other means."

So, be careful out there. Don't cheat, and beware of scammers and dating imposters. You have been warned.


Walgreens To Pay About $2 Million To Massachusetts To Settle Multiple Price Abuse Allegations. Other Settlement Payments Exceed $200 Million

Walgreens logo The Office of the Attorney General of the Commonwealth of Massachusetts announced two settlement agreements with Walgreens, a national pharmacy chain. Walgreens has agreed to pay about $2 million to settle multiple allegations of pricing abuses. According to the announcement:

"Under the first settlement, Walgreens will pay $774,486 to resolve allegations that it submitted claims to MassHealth in which it reported prices for certain prescription drugs at levels that were higher than what Walgreens actually charged, resulting in fraudulent overpayments."

"Under the second settlement, Walgreens will pay $1,437,366 to resolve allegations that from January 2006 through December 2017, rather than dispensing the quantity of insulin called for by a patient’s prescription, Walgreens exceeded the prescription amount and falsified information on claims submitted for reimbursement to MassHealth, including the quantity of insulin and/or days’ supply dispensed."

Both settlements arose from whistle-blower activity. MassHealth is the state's healthcare program based upon a state law passed in 2006 to provide health insurance to all Commonwealth residents. The law was amended in 2008 and 2010 to make it consistent with the federal Affordable Care Act.

Massachusetts Attorney General (AG) Maura Healey said:

"Walgreens repeatedly failed to provide MassHealth with accurate information regarding its dispensing and billing practices, resulting in overpayment to the company at taxpayers’ expense... We will continue to investigate cases of fraud and take action to protect the integrity of MassHealth."

In a separate case, Walgreen's will pay $1 million to the state of Arkansas to settle allegations of Medicaid fraud. Last month, the New York State Attorney General announced that New York State, other states, and the federal government reached:

"... an agreement in principle with Walgreens to settle allegations that Walgreens violated the False Claims Act by billing Medicaid at rates higher than its usual and customary (U&C) rates for certain prescription drugs... Walgreens will pay the states and federal government $60 million, all of which is attributable to the states’ Medicaid programs... The national federal and state civil settlement will resolve allegations relating to Walgreens’ discount drug program, known as the Prescription Savings Club (PSC). The investigation revealed that Walgreens submitted claims to the states’ Medicaid programs in which it identified U&C prices for certain prescription drugs sold through the PSC program that were higher than what Walgreens actually charged for those drugs... This is the second false claims act settlement reached with Walgreens today. On January 22, 2019, AG James announced that Walgreens is to pay New York over $6.5 million as part of a $209.2 million settlement with the federal government and other states, resolving allegations that Walgreens knowingly engaged in fraudulent conduct when it dispensed insulin pens..."

States involved in the settlement include New York, California, Illinois, Indiana, Michigan and Ohio. Kudos to all Attorneys General and their staffs for protecting patients against corporate greed.


Federal Reserve Released Its Non-cash Payments Fraud Report. Have Chip Cards Helped?

Many consumers prefer to pay for products and services using methods other than cash. How secure are these non-cash payment methods? The Federal Reserve Board (FRB) analyzed the payments landscape within the United States. Its October 2018 report found good and bad news. The good news: non-cash payments fraud is small. The bad news:

  • Overall, non-cash payments fraud is growing,
  • Card payments fraud drove the growth
Non-Cash Payment Activity And Fraud
Payment Type 2012 2015 Increase (Decrease)
Card payments & ATM withdrawal fraud $4 billion $6.5 billion 62.5 percent
Check fraud $1.1 billion $710 million (35) percent
Non-cash payments fraud $6.1 billion $8.3 billion 37 percent
Total Non-cash payments $161.2 trillion $180.3 trillion 12 percent

The FRB report included:

"... fraud totals and rates for payments processed over general-purpose credit and debit card networks, including non-prepaid and prepaid debit card networks, the automated clearinghouse (ACH) transfer system, and the check clearing system. These payment systems form the core of the noncash payment and settlement systems used to clear and settle everyday payments made by consumers and businesses in the United States. The fraud data were collected as part of Federal Reserve surveys of depository institutions in 2012 and 2015 and payment card networks in 2015 and 2016. The types of fraudulent payments covered in the study are those made by an unauthorized third party."

Data from the card network survey included general-purpose credit and debit (non-prepaid and prepaid) card payments, but did not include ATM withdrawals. The card networks include Visa, MasterCard, Discover and others. Additional findings:

"... the rate of card fraud, by value, was nearly flat from 2015 to 2016, with the rate of in-person card fraud decreasing notably and the rate of remote card fraud increasing significantly..."

The industry defines several categories of card fraud:

  1. "Counterfeit card. Fraud is perpetrated using an altered or cloned card;
  2. Lost or stolen card. Fraud is undertaken using a legitimate card, but without the cardholder’s consent;
  3. Card issued but not received. A newly issued card sent to a cardholder is intercepted and used to commit fraud;
  4. Fraudulent application. A new card is issued based on a fake identity or on someone else’s identity;
  5. Fraudulent use of account number. Fraud is perpetrated without using a physical card. This type of fraud is typically remote, with the card number being provided through an online web form or a mailed paper form, or given orally over the telephone; and
  6. Other. Fraud including fraud from account take-over and any other types of fraud not covered above."
Card Fraud By Category
Fraud Category 2015 2016 Increase/(Decrease)
Fraudulent use of account number $2.88 billion $3.46 billion 20 percent
Counterfeit card fraud $3.05 billion $2.62 billion (14) percent
Lost or stolen card fraud $730 million $810 million 11 percent
Fraudulent application $210 million $360 million 71 percent

The increase in fraudulent application suggests that criminals consider it easy to intercept pre-screened credit and card offers sent via postal mail. It is easy for consumers to opt out of pre-screened credit and card offers. There is also the National Do Not Call Registry. Do both today if you haven't.

The report also covered EMV chip cards, which were introduced to stop counterfeit card fraud. Card networks distributed both chip cards to consumers, and chip-reader terminals to retailers. The banking industry had set an October 1, 2015 deadline to switch to chip cards. The FRB report:

EMV Chip card fraud and payments. Federal Reserve Board. October 2018

The FRB concluded:

"Card systems brought EMV processing online, and a liability shift, beginning in October 2015, created an incentive for merchants to accept chip cards. By value, the share of non-fraudulent in-person payments made with [chip cards] shifted dramatically between 2015 and 2016, with chip-authenticated payments increasing from 3.2 percent to 26.4 percent. The share of fraudulent in-person payments made with [chip cards] also increased from 4.1 percent in 2015 to 22.8 percent in 2016. As [chip cards] are more secure, this growth in the share of fraudulent in-person chip payments may seem counter-intuitive; however, it reflects the overall increase in use. Note that in 2015, the share of fraudulent in-person payments with [chip cards] (4.1 percent) was greater than the share of non-fraudulent in-person payments with [chip cards] (3.2 percent), a relationship that reversed in 2016."


New York State Attorney General Expands Investigation Into Fraudulent 'Net Neutrality' Comments Submitted To FCC

The Attorney General (AG) for New York State has expanded its fraud investigation regarding net neutrality comments submitted to the U.S. Federal Communication Commission (FTC) website in 2017. The New York Times reported that the New York State AG has:

"... subpoenaed more than a dozen telecommunications trade groups, lobbying contractors and Washington advocacy organizations on Tuesday, seeking to determine whether the groups submitted millions of fraudulent public comments to sway a critical federal decision on internet regulation... The attorney general, Barbara D. Underwood, is investigating the source of more than 22 million public comments submitted to the F.C.C. during the battle over the regulations. Millions of comments were provided using temporary or duplicate email addresses, while others recycled identical phrases. Seven popular comments, repeated verbatim, accounted for millions more. The noise from the fake or orchestrated comments appears to have broadly favored the telecommunications industry..."

Also this month, the Center For Internet & Society reported the results of a study at Stanford University (bold emphasis added):

"In the leadup to the FCC's historic vote in December 2017 to repeal all net neutrality protections, 22 million comments were filed to the agency. But unfortunately, millions of those comments were fake. Some of the fake comment were part of sophisticated campaigns that filed fake comments using the names of real people - including journalists, Senators and dead people. The FCC did nothing to try to prevent comment stuffing and comment fraud, and even after the vote, made no attempt to help the public, journalists, policy makers actually understand what Americans actually told the FCC... This report used the 800,000 comments Kao identified as semantic standouts from form letter and fraud campaigns. These unique comments were overwhelmingly in support of keeping the 2015 Open Internet Order - in fact, 99.7% of comments opposed the repeal of net neutrality protections. This report then matched and sorted those comments to geographic areas, including the 50 states and every Congressional District..."

An investigation in 2017 by the New York State AG found that about 2 million of the comments submitted to the FCC about net neutrality "stole real Americans' identities." A follow-up investigation found that more than 9 million comments "used stolen identities."

The FCC, led by Trump appointee Ajit Pai, a former Verizon lawyer, repealed last year both broadband privacy and net neutrality protections for consumers. The FCC has ignored requests to investigate comments fraud. A December 2017 study of 1,077 voters found that most want net neutrality protections. President Trump signed the privacy-rollback legislation in April 2017. A prior blog post listed many historical abuses of consumers by some ISPs.

Some of the organizations subpoenaed by the New York State AG include (links added):

"... Broadband for America, Century Strategies, and MediaBridge. Broadband for America is a coalition supported by cable and telecommunications companies; Century Strategies is a political consultancy founded by Ralph Reed, the former director of the Christian Coalition; and MediaBridge is a conservative messaging firm..."

Reportedly, the New York AG has requested information from both groups which opposed and supported net neutrality protections. The New York AG operates a website where consumers can check for fake comments submitted to the FCC. (When you check, enter your name in quotes for a more precise search. And check the street address, since many people have the same name.) I checked. You can read my valid comment submitted to the FCC.

This whole affair is another reminder of how to attack and undermine a democracy by abusing online tools. A prior post discussed how social media has been abused.


New Phone-Based Phishing Scams Can Trick Even Experts. How You Can Avoid Getting Duped

Beware, phone scams are more sophisticated. The pitches are so slick that even some technology experts who know better were tricked into disclosing sensitive personal and payment information. Some phone scams include human callers (called "phishing"), while others include a mix of humans and computer automation (called "vishing").

The Krebs On Security blog listed several examples. Here's one:

"Matt Haughey is the creator of the community Weblog MetaFilter... Haughey banks at a small Portland credit union, and last week he got a call on his mobile phone from an 800-number that matched the number his credit union uses. Actually, he got three calls from the same number in rapid succession. He ignored the first two, letting them both go to voicemail. But he picked up on the third call, thinking it must be something urgent and important. After all, his credit union had rarely ever called him.

Haughey said he was greeted by a female voice who explained that the credit union had blocked two phony-looking charges in Ohio made to his debit/ATM card. She proceeded to then read him the last four digits of the card that was currently in his wallet. It checked out. Haughey told the lady that he would need a replacement card immediately... Without missing a beat, the caller said he could keep his card and that the credit union would simply block any future charges that weren’t made in either Oregon or California. This struck Haughey as a bit off. Why would the bank say they were freezing his card but then say they could keep it open for his upcoming trip?"

Maybe that struck you as odd, too. Against his better judgment, Haughey continued the phone call and didn't hang up. The caller knew his home address and asked him to verify his mother's maiden name, the 3-digit security code on the back of his card, and his PIN number. Those requests were more clues, too. The bank should know this information.

Like most people, Haughey thought that it was his bank trying to be helpful. Finally, he hung up and called his bank directly. That's when he learned it was a scam. His bank hadn't called.

This example provides several lessons for consumers:

  1. Scam artists are persistent. They will keep calling hoping you'll give in and answer the phone calls.
  2. Scam artists are well armed. Thanks to the recent multitude of massive corporate data breaches (like this one, this one, this one, this one, and/or this one), the bad guys have probably acquired plenty of stolen personal and payment information about consumers. Criminals also buy, sell, and trade stolen data on the dark web. Using the same technologies (e.g., artificial intelligence, open-source online tools) which the good guys use, the bad guys will "spoof" or fake valid phone numbers to pretend to be your bank or financial institution.
  3. A bit of skepticism is healthy. We've all been taught to be polite and to answer the phone when it rings. Scam artists try to exploit this habit. Experts advise consumers to hang up on robocalls. Even if the Caller ID feature on your phone displays a familiar number, hang up and call your bank or financial institution directly. Their phone number is conveniently listed on the back of your credit/debit card. Ask your bank if they called. They probably didn't.
  4. Learn how to spot robocalls acting like humans. If you're curious and have the time, ask a simple question like, "How's the weather where you live?" If the caller ignores your question or provides a canned response, like "I don't have that information" or "I'm sorry. Can you repeat that," then it's probably a robocall. Hang up.
  5. Know scam artists' pitch. It's all about money. They will pretend to be your bank, financial institution, phone company, and/or computer company. (Yes, online scammers have a profile.) Similar to phishing emails, phone scams often include a sense of urgency. They want you to act now... in the moment. Wise consumers do product research and comparison shop before making purchase decisions. The "haste makes waste" advice your parents told you as a youth still applies.

You now know more, so you won't get duped by phone scams.


FTC: How You Should Handle Robocalls. 4 Companies Settle Regarding Privacy Shield Claims

First, it seems that the number of robocalls has increased during the past two years. Some automated calls are English. Some are in other languages. All try to trick consumers into sending money or disclosing sensitive financial and payment information. Advice from the U.S. Federal Trade Commission (FTC):

Second, the FTC announced a settlement agreement with four companies:

"In separate complaints, the FTC alleges that IDmission, LLC, mResource LLC (doing business as Loop Works, LLC), SmartStart Employment Screening, Inc., and VenPath, Inc. falsely claimed to be certified under the EU-U.S. Privacy Shield, which establishes a process to allow companies to transfer consumer data from European Union countries to the United States in compliance with EU law... The Department of Commerce administers the Privacy Shield framework, while the FTC enforces the promises companies make when joining the framework."

According to the lawsuits, IDmission, a cloud-based services firm, applied in 2017 for Privacy Shield certification with the U.S. Department of Commerce but never completed the necessary steps to be certified under the program. The other three companies each obtained Privacy Shield certification in 2016 but allowed their certifications to lapse. VenPath is a data analytics firm. SmartStart offers employment and background screening services. mResource provides talent management and recruitment services.

Terms of the settlement agreements prohibit all four companies from misrepresenting their participation in any privacy or data security program sponsored by the government. Also:

"... VenPath and SmartStart must also continue to apply the Privacy Shield protections to personal information they collected while participating in the program, protect it by another means authorized by the Privacy Shield framework, or return or delete the information within 10 days of the order."


How the Case for Voter Fraud Was Tested — and Utterly Failed

[Editor's note: today's blog post, by reporters at ProPublica, explores the results of a trial in Kansas about the state's voter-ID laws and claims of voter fraud. It is reprinted with permission.]

By Jessica Huseman, ProPublica

In the end, the decision seemed inevitable. After a seven-day trial in Kansas City federal court in March, in which Kansas Secretary of State Kris Kobach needed to be tutored on basic trial procedure by the judge and was found in contempt for his “willful failure” to obey a ruling, even he knew his chances were slim. Kobach told The Kansas City Star at the time that he expected the judge would rule against him (though he expressed optimism in his chances on appeal).

Sure enough, federal Judge Julie Robinson overturned the law that Kobach was defending as lead counsel for the state, dealing him an unalloyed defeat. The statute, championed by Kobach and signed into law in 2013, required Kansans to present proof of citizenship in order to register to vote. The American Civil Liberties Union sued, contending that the law violated the National Voter Registration Act (AKA the “motor voter” law), which was designed to make it easy to register.

The trial had a significance that extends far beyond the Jayhawk state. One of the fundamental questions in the debate over alleged voter fraud — whether a substantial number of non-citizens are in fact registering to vote — was one of two issues to be determined in the Kansas proceedings. (The second was whether there was a less burdensome solution than what Kansas had adopted.) That made the trial a telling opportunity to remove the voter fraud claims from the charged, and largely proof-free, realms of political campaigns and cable news shoutfests and examine them under the exacting strictures of the rules of evidence.

That’s precisely what occurred and according to Robinson, an appointee of George W. Bush, the proof that voter fraud is widespread was utterly lacking. As the judge put it, “the court finds no credible evidence that a substantial number of non-citizens registered to vote” even under the previous law, which Kobach had claimed was weak.

For Kobach, the trial should’ve been a moment of glory. He’s been arguing for a decade that voter fraud is a national calamity. Much of his career has been built on this issue, along with his fervent opposition to illegal immigration. (His claim is that unlawful immigrants are precisely the ones voting illegally.) Kobach, who also co-chaired the Trump administration’s short-lived commission on voter fraud, is perhaps the individual most identified with the cause of sniffing out and eradicating phony voter registration. He’s got a gilded resume, with degrees from Harvard University, Yale Law School and the University of Oxford, and is seen as both the intellect behind the cause and its prime advocate. Kobach has written voter laws in other jurisdictions and defended them in court. If anybody ever had time to marshal facts and arguments before a trial, it was Kobach.

But things didn’t go well for him in the Kansas City courtroom, as Robinson’s opinion made clear. Kobach’s strongest evidence of non-citizen registration was anemic at best: Over a 20-year period, fewer than 40 non-citizens had attempted to register in one Kansas county that had 130,000 voters. Most of those 40 improper registrations were the result of mistakes or confusion rather than intentional attempts to mislead, and only five of the 40 managed to cast a vote.

One of Kobach’s own experts even rebutted arguments made by both Kobach and President Donald Trump. The expert testified that a handful of improper registrations could not be extrapolated to conclude that 2.8 million fraudulent votes — roughly, the gap between Hillary Clinton and Trump in the popular vote tally — had been cast in the 2016 presidential election. Testimony from a second key expert for Kobach also fizzled.

As the judge’s opinion noted, Kobach insisted the meager instances of cheating revealed at trial are just “the tip of the iceberg.” As she explained, “This trial was his opportunity to produce credible evidence of that iceberg, but he failed to do so.” Dismissing the testimony by Kobach’s witnesses as unpersuasive, Robinson drew what she called “the more obvious conclusion that there is no iceberg; only an icicle largely created by confusion and administrative error.”

By the time the trial was over, Kobach, a charismatic 52-year-old whose broad shoulders and imposing height make him resemble an aging quarterback, seemed to have shrunk inside his chair at the defense table.

But despite his defeat, Kobach’s causes — restricting immigration and tightening voting requirements — seem to be enjoying favorable tides elsewhere. Recent press accounts noted Kobach’s role in restoring a question about citizenship, abandoned since 1950, to U.S. Census forms for 2020. And the Supreme Court ruled on June 11 that the state of Ohio can purge voters from its rolls when they fail to vote even a single time and don’t return a mailing verifying their address, a provision that means more voters will need to re-register and prove their eligibility again.

For his own part, Kobach is now a candidate for governor of Kansas, running neck and neck with the incumbent in polls for the Republican primary on Aug. 7. It’s not clear whether the verdict will affect his chances — or whether it will lead him and others to quietly retreat from claims of voter fraud. But the judge’s opinion and expert interviews reveal that Kobach effectively put the concept of mass voter fraud to the test — and the evidence crumbled.

Perhaps it was an omen. Before Kobach could enter the courtroom inside the Robert J. Dole U.S. Courthouse each day, he had to pass through a hallway whose walls featured a celebratory display entitled “Americans by Choice: The Story of Immigration and Citizenship in Kansas.” Photographs of people who’d been sworn in as citizens in that very courthouse were superimposed on the translucent window shades.

Public interest in the trial was high. The seating area quickly filled to capacity on the first day of trial on the frigid morning of March 6. The jury box was opened to spectators; it wouldn’t be needed, as this was a bench trial. Those who couldn’t squeeze in were sent to a lower floor, where a live feed had been prepared in a spillover room.

From the moment the trial opened, Kobach and his co-counsels in the Kansas secretary of state’s office, Sue Becker and Garrett Roe, stumbled over the most basic trial procedures. Their mistakes antagonized the judge. “Evidence 101,” Robinson snapped, only minutes into the day, after Kobach’s team attempted to improperly introduce evidence. “I’m not going to do it.”

Matters didn’t improve for Kobach from there.

Throughout the trial, his team’s repeated mishaps and botched cross examinations cost hours of the court’s time. Robinson was repeatedly forced to step into the role of law professor, guiding Kobach, Becker and Roe through courtroom procedure. “Do you know how to do the next step, if that’s what you’re going to do?” the judge asked Becker at one point, as she helped her through the steps of impeaching a witness. “We’re going to follow the rules of evidence here.”

Becker often seemed nervous. She took her bright red glasses off and on. At times she burst into nervous chuckles after a misstep. She laughed at witnesses, skirmished with the judge and even taunted the lawyers for the ACLU. “I can’t wait to ask my questions on Monday!” she shouted at the end of the first week, jabbing a finger in the direction of Dale Ho, the lead attorney for the plaintiffs. Ho rolled his eyes.

Roe was gentler — deferential, even. He often admitted he didn’t know what step came next, asking the judge for help. “I don’t — I don’t know if this one is objectionable. I hope it’s not,” he offered at one point, as he prepared to ask a question following a torrent of sustained objections. “I’ll let you know,” an attorney for the plaintiffs responded, to a wave of giggles in the courtroom. On the final day of trial, as Becker engaged in yet another dispute with the judge, Roe slapped a binder to his forehead and audibly whispered, “Stop talking. Stop talking.”

Kobach’s cross examinations were smoother and better organized, but he regularly attempted to introduce exhibits — for example, updated state statistics that he had failed to provide the ACLU in advance to vet — that Robinson ruled were inadmissible. As the trial wore on, she became increasingly irritated. She implored Kobach to “please read” the rules on which she based her rulings, saying his team had repeated these errors “ad nauseum.”

Kobach seemed unruffled. Instead of heeding her advice, he’d proffer the evidence for the record, a practice that allows the evidence to be preserved for appeal even if the trial judge refuses to admit it. Over the course of the trial, Kobach and his team would do this nearly a dozen times.

Eventually, Robinson got fed up. She asked Kobach to justify his use of proffers. Kobach, seemingly alarmed, grabbed a copy of the Federal Rules of Civil Procedure — to which he had attached a growing number of Post-it notes — and quickly flipped through it, trying to find the relevant rule.

The judge tried to help. “It’s Rule 26, of course, that’s been the basis for my rulings,” she told Kobach. “I think it would be helpful if you would just articulate under what provision of Rule 26 you think this is permissible.” Kobach seemed to play for time, asking clarifying questions rather than articulating a rationale. Finally, the judge offered mercy: a 15-minute break. Kobach’s team rushed from the courtroom.

It wasn’t enough to save him. In her opinion, Robinson described “a pattern and practice by Defendant [Kobach] of flaunting disclosure and discovery rules.” As she put it, “it is not clear to the Court whether Defendant repeatedly failed to meet his disclosure obligations intentionally or due to his unfamiliarity with the federal rules.” She ordered Kobach to attend the equivalent of after-school tutoring: six hours of extra legal education on the rules of civil procedure or the rules of evidence (and to present the court with a certificate of completion).

It’s always a bad idea for a lawyer to try the patience of a judge — and that’s doubly true during a bench trial, when the judge will decide not only the law, but also the facts. Kobach repeatedly annoyed Robinson with his procedural mistakes. But that was nothing next to what the judge viewed as Kobach’s intentional bad faith.

This view emerged in writing right after the trial — that’s when Robinson issued her ruling finding Kobach in contempt — but before the verdict. And the conduct that inspired the contempt finding had persisted over several years. Robinson concluded that Kobach had intentionally failed to follow a ruling she issued in 2016 that ordered him to restore the privileges of 17,000 suspended Kansas voters.

In her contempt ruling, the judge cited Kobach’s “history of noncompliance” with the order and characterized his explanations for not abiding by it as “nonsensical” and “disingenuous.” She wrote that she was “troubled” by Kobach’s “failure to take responsibility for violating this Court’s orders, and for failing to ensure compliance over an issue that he explicitly represented to the Court had been accomplished.” Robinson ordered Kobach to pay the ACLU’s legal fees for the contempt proceeding.

That contempt ruling was actually the second time Kobach was singled out for punishment in the case. Before the trial, a federal magistrate judge deputized to oversee the discovery portion of the suit fined him $1,000 for making “patently misleading representations” about a voting fraud document Kobach had prepared for Trump. Kobach paid the fine with a state credit card.

More than any procedural bumbling, the collapse of Kobach’s case traced back to the disintegration of a single witness.

The witness was Jesse Richman, a political scientist from Old Dominion University, who has written studies on voter fraud. For this trial, Richman was paid $5,000 by the taxpayers of Kansas to measure non-citizen registration in the state. Richman was the man who had to deliver the goods for Kobach.

With his gray-flecked beard and mustache, Richman looked the part of an academic, albeit one who seemed a bit too tall for his suit and who showed his discomfort in a series of awkward, sudden movements on the witness stand. At moments, Richman’s testimony turned combative, devolving into something resembling an episode of The Jerry Springer Show. By the time he left the stand, Richman had testified for more than five punishing hours. He’d bickered with the ACLU’s lawyer, raised his voice as he defended his studies and repeatedly sparred with the judge.

“Wait, wait, wait!” shouted Robinson at one point, silencing a verbal free-for-all that had erupted among Richman, the ACLU’s Ho, and Kobach, who were all speaking at the same time. “Especially you,” she said, turning her stare to Richman. “You are not here to be an advocate. You are not here to trash the plaintiff. And you are not here to argue with me.”

Richman had played a small but significant part in the 2016 presidential campaign. Trump and others had cited his work to claim that illegal votes had robbed Trump of the popular vote. At an October 2016 rally in Wisconsin, the candidate cited Richman’s work to bolster his predictions that the election would be rigged. “You don’t read about this, right?” Trump told the crowd, before reading from an op-ed Richman had written for The Washington Post: “‘We find that this participation was large enough to plausibly account for Democratic victories in various close elections.’ Okay? All right?”

Richman’s 2014 study of non-citizen registration used data from the Cooperative Congressional Election Study — an online survey of more than 32,000 people. Of those, fewer than 40 individuals indicated they were non-citizens registered to vote. Based on that sample, Richman concluded that up to 2.8 million illegal votes had been cast in 2008 by non-citizens. In fact, he put the illegal votes at somewhere between 38,000 and 2.8 million — a preposterously large range — and then Trump and others simply used the highest figure.

Academics pilloried Richman’s conclusions. Two hundred political scientists signed an open letter criticizing the study, saying it should “not be cited or used in any debate over fraudulent voting.” Harvard’s Stephen Ansolabehere, who administered the CCES, published his own peer-reviewed paper lambasting Richman’s work. Indeed, by the time Trump read Richman’s article onstage in 2016, The Washington Post had already appended a note to the op-ed linking to three rebuttals and a peer-reviewed study debunking the research.

None of that discouraged Kobach or Trump from repeating Richman’s conclusions. They then went a few steps further. They took the top end of the range for the 2008 election, assumed that it applied to the 2016 election, too, and further assumed that all of the fraudulent ballots had been cast for Clinton.

Some of those statements found their way into the courtroom, when Ho pressed play on a video shot by The Kansas City Star on Nov. 30, 2016. Kobach had met with Trump 10 days earlier and had brought with him a paper decrying non-citizen registration and voter fraud. Two days later, Trump tweeted that he would have won the popular vote if not for “millions of people who voted illegally.”

On the courtroom’s televisions, Kobach appeared, saying Trump’s tweet was “absolutely correct.” Without naming Richman, Kobach referred to his study: The number of non-citizens who said they’d voted in 2008 was far larger than the popular vote margin, Kobach said on the video. The same number likely voted again in 2016.

In the courtroom, Ho asked Richman if he believed his research supported such a claim. Richman stammered. He repeatedly looked at Kobach, seemingly searching for a way out. Ho persisted and finally, Richman gave his answer: “I do not believe my study provides strong support for that notion.”

To estimate the number of non-citizens voting in Kansas, Richman had used the same methodology he employed in his much-criticized 2014 study. Using samples as small as a single voter, he’d produced surveys with wildly different estimates of non-citizen registration in the state. The multiple iterations confused everyone in the courtroom.

“For the record, how many different data sources have you provided?” Robinson interjected in the middle of one Richman answer. “You provide a range of, like, zero to 18,000 or more.”

“I sense the frustration,” Richman responded, before offering a winding explanation of the multiple data sources and surveys he’d used to arrive at a half-dozen different estimates. Robinson cut him off. “Maybe we need to stop here,” she said.

“Your honor, let me finish answering your question,” he said.

“No, no. I’m done,” she responded, as he continued to protest. “No. Dr. Richman, I’m done.”

To refute Richman’s numbers, the ACLU called on Harvard’s Ansolabehere, whose data Richman had relied on in the past. Ansolabehere testified that Richman’s sample sizes were so small that it was just as possible that there were no non-citizens registered to vote in Kansas as 18,000. “There’s just a great deal of uncertainty with these estimates,” he said.

Ho asked if it would be accurate to say that Richman’s data “shows a rate of non-citizen registration in Kansas that is not statistically distinct from zero?”

“Correct.”

The judge was harsher than Ansolabehere in her description of Richman’s testimony. In her opinion, Robinson unloaded a fusillade of dismissive adjectives, calling Richman’s conclusions “confusing, inconsistent and methodologically flawed,” and adding that they were “credibly dismantled” by Ansolabehere. She labeled elements of Richman’s testimony “disingenuous” and “misleading,” and stated that she gave his research “no weight” in her decision.

One of the paradoxes of Kobach is that he has become a star in circles that focus on illegal immigration and voting fraud despite poor results in the courtroom. By ProPublica’s count, Kobach chalked up a 2–6 won-lost record in federal cases in which he was played a major role, and which reached a final disposition before the Kansas case.

Those results occurred when Kobach was an attorney for the legal arm of the Federation for American Immigration Reform from 2004 to 2011, when he became secretary of state in Kansas. In his FAIR role (in which he continued to moonlight till about 2014), Kobach traveled to places like Fremont, Nebraska, Hazleton, Pennsylvania, Farmers Branch, Texas, and Valley Park, Missouri, to help local governments write laws that attempted to hamper illegal immigration, and then defend them in court. Kobach won in Nebraska, but lost in Texas and Pennsylvania, and only a watered down version of the law remains in Missouri.

The best-known law that Kobach helped shape before joining the Kansas government in 2011 was Arizona’s “show me your papers” law. That statute allowed police to demand citizenship documents for any reason from anyone they thought might be in the country illegally. After it passed, the state paid Kobach $300 an hour to train law enforcement on how to legally arrest suspected illegal immigrants. The Supreme Court gutted key provisions of the law in 2012.

Kobach also struggled in two forays into political campaigning. In 2004, he lost a race for Congress. He also drew criticism for his stint as an informal adviser to Mitt Romney’s 2012 presidential campaign. Kobach was the man responsible for Romney’s much-maligned proposal that illegal immigrants “self-deport,” one reason Romney attracted little support among Latinos. Romney disavowed Kobach even before the campaign was over, telling media outlets that he was a “supporter,” not an adviser.

Trump’s election meant Kobach’s positions on immigration would be welcome in the White House. Kobach lobbied for, but didn’t receive, an appointment as Secretary of Homeland Security. He was, however, placed in charge of the voter fraud commission, a pet project of Trump’s. Facing a raft of lawsuits and bad publicity, the commission was disbanded little more than six months after it formally launched.

Back at home, Kobach expanded his power as secretary of state. Boasting of his experience as a law professor and scholar, Kobach convinced the state legislature to give him the authority to prosecute election crimes himself, a power wielded by no other secretary of state. In that role, he has obtained nine guilty pleas against individuals for election-related misdemeanors. Only one of those who pleaded guilty, as it happens, was a non-citizen.

He also persuaded Kansas’ attorney general to allow Kobach to represent the state in the trial of Kansas’ voting law. Kobach argued it was a bargain. As he told The Wichita Eagle at the time, “The advantage is the state gets an experienced appellate litigator who is a specialist in this field and in constitutional law for the cost the state is already paying, which is my salary.”

Kobach fared no better in the second main area of the Kansas City trial than he had in the first. This part explored whether there is a less burdensome way of identifying non-citizens than forcing everyone to show proof of citizenship upon registration. Judge Robinson would conclude that there were many alternatives that were less intrusive.

In his opening, Ho of the ACLU spotlighted a potentially less intrusive approach. Why not use the Department of Homeland Security’s Systematic Alien Verification for Entitlements System list, and compare the names on it to the Kansas voter rolls? That, Ho argued, could efficiently suss out illegal registrations.

Kobach told the judge that simply wasn’t feasible. The list, he explained, doesn’t contain all non-citizens in the country illegally — it contains only non-citizens legally present and those here illegally who register in some way with the federal government. Plus, he told Robinson, in order to really match the SAVE list against a voter roll, both datasets would have to contain alien registration numbers, the identifier given to non-citizens living in the U.S. “Those are things that a voter registration system doesn’t have,” he said. “So, the SAVE system does not work.”

But Kobach had made the opposite argument when he headed the voter fraud commission. There, he’d repeatedly advocated the use of the SAVE database. Appearing on Fox News in May 2017, shortly after the commission was established, Kobach said, “The Department of Homeland Security knows of the millions of aliens who are in the United States legally and that data that’s never been bounced against the state’s voter rolls to see whether these people are registered.” He said the federal databases “can be very valuable.”

A month later, as chief of the voting fraud commission, Kobach took steps to compare state information to the SAVE database. He sent a letter to all 50 secretaries of state requesting their voter rolls. Bipartisan outrage ensued. Democrats feared he would use the rolls to encourage states to purge legitimately registered voters. Republicans labelled the request federal overreach.

At trial, Kobach’s main expert on this point was Hans von Spakovsky, another member of the voter fraud commission. He, too, had been eager in commission meetings to match state voter rolls to the SAVE database.

But like Kobach, von Spakovsky took a different tack at trial. He testified that this database was unusable by elections offices. “In your experience and expertise as an election administrator and one who studies elections,” Kobach asked, “is [the alien registration number] a practical or even possible thing for a state to do in its voter registration database?” Von Spakovsky answered, “No, it is not.”

Von Spakovsky and Kobach have been friends for more than a decade. They worked together at the Department of Justice under George W. Bush. Kobach focused on immigration issues — helping create a database to register visitors to the U.S. from countries associated with terrorism — while von Spakovsky specialized in voting issues; he had opposed the renewal of the Voting Rights Act.

Von Spakovsky’s history as a local elections administrator in Fairfax County, Va., qualified him as an expert on voting fraud. Between 2010 and 2012, while serving as vice chairman of the county’s three-member electoral board, he’d examined the voter rolls and found what he said were 300 registered non-citizens. He’d pressed for action against them, but none came. Von Spakovsky later joined the Heritage Foundation, where he remains today, generating research that underpins the arguments of those who claim mass voter fraud.

Like Richman, von Spakovsky seemed nervous on the stand, albeit not combative. He wore wire-rimmed glasses and a severe, immovable expression. Immigration is a not-so-distant feature of his family history: His parents — Russian and German immigrants — met in a refugee camp in American-occupied Germany after World War II before moving to the U.S.

Von Spakovsky had the task of testifying about what was intended to be a key piece of evidence for Kobach’s case: a spreadsheet of 38 non-citizens who had registered to vote, or attempted to register, in a 20-year period in Sedgwick County, Kansas.

But the 38 non-citizens turned out to be something less than an electoral crime wave. For starters, some of the 38 had informed Sedgwick County that they were non-citizens. One woman had sent her registration postcard back to the county with an explanation that it was a “mistake” and that she was not a citizen. Another listed an alien registration number — which tellingly begins with an “A” — instead of a Social Security number on the voter registration form. The county registered her anyway.

When von Spakovsky took the stand, he had to contend with questions that suggested he had cherry-picked his data. (The judge would find he had.) In his expert report, von Spakovsky had referenced a 2005 report by the Government Accountability Office that polled federal courts to see how many non-citizens had been excused from jury duty for being non-citizens — a sign of fraud, because jurors are selected from voter rolls. The GAO report mentioned eight courts. Only one said it had a meaningful number of jury candidates who claimed to be non-citizens: “between 1 and 3 percent” had been dismissed on these grounds. This was the only court von Spakovsky mentioned in his expert report.

His report also cited a 2012 TV news segment from an NBC station in Fort Myers, Fla. Reporters claimed to have discovered more than 100 non-citizens on the local voter roll.

“Now, you know, Mr. von Spakovsky, don’t you, that after this NBC report there was a follow-up by the same NBC station that determined that at least 35 of those 100 individuals had documentation to prove they were, in fact, United States citizens. Correct?” Ho asked. “I am aware of that now, yes,” von Spakovsky replied.

That correction had been online since 2012 and Ho had asked von Spakovsky the same question almost two years before in a deposition before the trial. But von Spakovsky never corrected his expert report.

Under Ho’s questioning, von Spakovsky also acknowledged a false assertion he made in 2011. In a nationally syndicated column for McClatchy, von Spakovsky claimed a tight race in Missouri had been decided by the illegal votes of 50 Somali nationals. A month before the column was published, a Missouri state judge ruled that no such thing had happened.

On the stand, von Spakovsky claimed he had no knowledge of the ruling when he published the piece. He conceded that he never retracted the assertion.

Kobach, who watched the exchange without objection, had repeatedly made the same claim — even after the judge ruled it was false. In 2011, Kobach wrote a series of columns using the example as proof of the need for voter ID, publishing them in outlets ranging from the Topeka Capital-Journal to the Wall Street Journal and the Washington Post. In 2012, he made the claim in an article published in the Syracuse Law Review. In 2013, he wrote an op-ed for the Kansas City Star with the same example: “The election was stolen when Rizzo received about 50 votes illegally cast by citizens of Somalia.” None of those articles have ever been corrected.

Ultimately, Robinson would lacerate von Spakovsky’s testimony, much as she had Richman’s. Von Spakovsky’s statements, the judge wrote, were “premised on several misleading and unsupported examples” and included “false assertions.” As she put it, “His generalized opinions about the rates of noncitizen registration were likewise based on misleading evidence, and largely based on his preconceived beliefs about this issue, which has led to his aggressive public advocacy of stricter proof of citizenship laws.”

There was one other wobbly leg holding up the argument that voter fraud is rampant: the very meaning of the word “fraud.”

Kobach’s case, and the broader claim, rely on an extremely generous definition. Legal definitions of fraud require a person to knowingly be deceptive. But both Kobach and von Spakovsky characterized illegal ballots as “fraud” regardless of the intention of the voter.

Indeed, the nine convictions Kobach has obtained in Kansas are almost entirely made up of individuals who didn’t realize they were doing something wrong. For example, there were older voters who didn’t understand the restrictions and voted in multiple places they owned property. There was also a college student who’d forgotten she’d filled out an absentee ballot in her home state before voting months later in Kansas. (She voted for Trump both times.)

Late in the trial, the ACLU presented Lorraine Minnite, a professor at Rutgers who has written extensively about voter fraud, as a rebuttal witness. Her book, “The Myth of Voter Fraud,” concluded that almost all instances of illegal votes can be chalked up to misunderstandings and administrative error.

Kobach sent his co-counsel, Garrett Roe, to cross-examine her. “It’s your view that what matters is the voter’s knowledge that his or her action is unlawful?” Roe asked. “In a definition of fraud, yes,” said Minnite. Roe pressed her about this for several questions, seemingly surprised that she wouldn’t refer to all illegal voting as fraud.

Minnite stopped him. “The word ‘fraud’ has meaning, and that meaning is that there’s intent behind it. And that’s actually what Kansas laws are with respect to illegal voting,” she said. “You keep saying my definition” she said, putting finger quotes around “my.” “But, you know, it’s not like it’s a freak definition.”

Kobach had explored a similar line of inquiry with von Spakovsky, asking him if the list of 38 non-citizens he’d reviewed could be absolved of “fraud” because they may have lacked intent.

“No,” von Spakovsky replied, “I think any time a non-citizen registers, any time a non-citizen votes, they are — whether intentionally or by accident, I mean — they are defrauding legitimate citizens from a fair election.”

After Kobach concluded his questions, the judge began her own examination of von Spakovsky.

“I think it’s fair to say there’s a pretty good distinction in terms of how the two of you define fraud,” the judge said, explaining that Minnite focused on intent, while she understood von Spakovsky’s definition to include any time someone who wasn’t supposed to vote did so, regardless of reason. “Would that be a fair characterization?” she asked.

“Yes ma’am,” von Spakovsky replied.

The judge asked whether a greater number of legitimate voters would be barred from casting ballots under the law than fraudulent votes prevented. In that scenario, she asked, “Would that not also be defrauding the electoral process?” Von Spakovsky danced around the answer, asserting that one would need to answer that question in the context of the registration requirements, which he deemed reasonable.

The judge cut him off. “Well that doesn’t really answer my question,” she said, saying that she found it contradictory that he wanted to consider context when examining the burden of registration requirements, but not when examining the circumstances in which fraud was committed.

“When you’re talking about … non-citizen voting, you don’t want to consider that in context of whether that person made a mistake, whether a DMV person convinced them they should vote,” she said. Von Spakovsky allowed that not every improper voter should be prosecuted, but insisted that “each ballot they cast takes away the vote of and dilutes the vote of actual citizens who are voting. And that’s —”

The judge interrupted again. “So, the thousands of actual citizens that should be able to vote but who are not because of the system, because of this law, that’s not diluting the vote and that’s not impairing the integrity of the electoral process, I take it?” she said.

Von Spakovsky didn’t engage with the hypothetical. He simply didn’t believe it was happening. “I don’t believe that this requirement prevents individuals who are eligible to register and vote from doing so.” Later, on the stand, he’d tell Ho he couldn’t think of a single law in the country that he felt negatively impacted anyone’s ability to register or vote.

Robinson, in the end, strongly disagreed. As she wrote in her opinion, “the Court finds that the burden imposed on Kansans by this law outweighs the state’s interest in preventing noncitizen voter fraud, keeping accurate voter rolls, and maintaining confidence in elections. The burden is not just on a ‘few voters,’ but on tens of thousands of voters, many of whom were disenfranchised” by Kobach’s law. The law, she concluded, was a bigger problem than the one it set out to solve, acting as a “deterrent to registration and voting for substantially more eligible Kansans than it has prevented ineligible voters from registering to vote.”

ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for their newsletter.


Money Transfer Scams Target Both Businesses And Consumers

Money transfer scams, also called wire transfer scams, target both businesses and consumers. The affected firms include both small and large businesses.

Businesses

The Federal Bureau of Investigation (FBI) calls theses scams "Business E-mail Compromise" (BEC), since the fraudsters often target executives within a company with phishing e-mails, designed to trick victims into revealing sensitive bank account and sign-in credentials (e.g., usernames, passwords):

"At its heart, BEC relies on the oldest trick in the con artist’s handbook: deception. But the level of sophistication in this multifaceted global fraud is unprecedented... Carried out by transnational criminal organizations that employ lawyers, linguists, hackers, and social engineers, BEC can take a variety of forms. But in just about every case, the scammers target employees with access to company finances and trick them into making wire transfers to bank accounts thought to belong to trusted partners—except the money ends up in accounts controlled by the criminals."

From January, 2015 to February 2017, there was a 1,300 percent increase in financial losses due to these scams, totaling $3 billion. To trick victims, criminals use a variety of online methods including spear-phishing, social engineering, identity theft, e-mail spoofing, and the use of malware. (If these terms are unfamiliar, then you probably don't know enough to protect yourself.) Malware, or computer viruses, are often embedded in documents attached to e-mail messages -- another reason not to open e-mail attachments from strangers.

Forbes Magazine reported in April:

"Fraudsters target the CEO's and CFO's at various companies and hack their computers. They collect enough information to learn the types of billing the company pays, who the payee's are and the average balances paid. They then spoof a customer or, in other words, take their identity, and bill the company with wire transfer instructions to a scam bank account."

Some criminals are particularly crafty, by pretending to be a valid customer, client or vendor; and use a slightly altered sender's e-mail address hoping the victim won't to notice. This technique is successful more often that you might think. Example: a valid sender's e-mail address might be johnson@XYZcompany.com, while the scammer uses johnson@XYZcompamy.com. Did you spot the alteration? If you didn't, then you've just wired money directly to the criminal's offshore account instead of to a valid customer, client, or vendor.

Scammers can obtain executives' e-mail addresses and information from unprotected pages on social networking sites and/or data breaches. So, the data breaches at Under Armour, Equifax, Fresenius, Uber, the Chicago Board of Elections, Yahoo, Nationwide, Verizon, and others could have easily provided criminals with plenty of stolen personal data to do plenty of damage; impersonating coworkers, business associates, and/or coworkers. Much of the stolen information is resold by criminals to other criminals. Trading stolen data is what many cyber criminals do.

There are several things executives can do to protect themselves and their business' money. Learn to recognize money transfer scams and phishing e-mails. Often, bogus e-mails or text messages contain spelling errors (e.g., in the message body) and/or contain a request to wire immediately an unusually large amount of money. Most importantly, the FBI recommends:

"The best way to avoid being exploited is to verify the authenticity of requests to send money by walking into the CEO’s office or speaking to him or her directly on the phone. Don’t rely on e-mail alone."

That means don't rely upon text messages either.

Consumers

Wiring money is like sending cash. To avoid losing money, it is important for consumers to learn to recognize money transfer scams, too. There are several versions, according to the U.S. Federal Trade Commission (FTC):

"1. You just won a prize but you have to pay fees to get the prize
2. You need to pay for something you just bought online before they send it
3. A friend is in trouble and needs your help
4. You got a check for too much money and you need to send back the extra"

Regular readers of this blog are already familiar with #4 -- also called "check scams." Instead of paper checks, scammers have upgraded to prepaid cards and/or wire transfers. The FTC also advises consumers to pause before doing anything, and then:

  • "If the person claims (via e-mail) to need money for an emergency, call them first. Call another family member. Verify first if something truly happened.
  • If the check received is too much money, call your bank before you deposit the check.  Ask your bank what they think about wiring money back to someone.
  • If the e-mail or phone caller says you received an inheritance or prize, "you do not have to pay for a prize. Ever.  Did they say you have an inheritance? Talk to someone you trust. What does that person think?"

If you have already sent money to a scammer, it's gone and you probably won't get it back. So, file a complaint with the FTC. Chances are the scammer will contact you again, since they (or their associates) were successful already. Don't give them any more money.


Medicare Scams Still Operate. How To Avoid Getting Your Identity Information Stolen

To minimize fraud, the new Medicare cards display a unique 11-digit identification number instead of patients' Social Security numbers. However, scammers have created a new tactic to trick patients into revealing their sensitive Medicare information. The Oregon Department of Justice warned:

"If someone calls and asks you for your personal information, money to activate the new card, or threatens to cancel your Medicare benefits if you don’t share your personal information, just hang up! It is a scam," said Attorney General Ellen Rosenblum.

Medicare will not call you nor ask for your Social Security number or bank information. That's good advice for patients nationwide. Experts estimate that Medicare loses about $60 billion yearly to con artists via a variety of scams.

Oregon residents suspecting healthcare fraud or wanting to report scammers, should contact Oregon's Department of Justice’s Consumer Protection (hotline: 1-877-877-9392 or www.oregonconsumer.gov). Consumers in other states should contact their state's attorney general, and/or report suspected fraud directly to Medicare.

The video below from 2017 includes advice about how patients should protect their Medicare cards.


Connecticut And Federal Regulators Announce $1.3 Million Settlement With Substance Abuse Healthcare Provider

Connecticut and federal regulators recently announced a settlement agreement to resolve allegations that New Era Rehabilitation Center (New Era), operating in New Haven and Bridgeport, submitted false claims to both state and federal healthcare programs. The office of George Jepsen, Connecticut Attorney General, announced that New Era:

"... and its co-founders and owners – Dr. Ebenezer Kolade and Dr. Christina Kolade – are enrolled as providers in the Connecticut Medical Assistance Program (CMAP), which includes the state's Medicaid program. As part of their practice, they provide methadone treatment services for patients dealing with opioid addiction. Most of their patients are CMAP beneficiaries.

During the relevant time period, CMAP reimbursed methadone clinics by paying a weekly bundled rate that included all of the services associated with methadone maintenance, including the patient's doses of methadone; the initial intake evaluation; a physical examination; periodic drug testing; and individual, group and family drug counseling... The state and federal governments alleged that, from October 2009 to November 2013, New Era and the Kolades engaged in a pattern and practice of billing CMAP weekly for the methadone bundled service rate and then also submitting a separate claim to the CMAP for virtually every drug counseling session provided to clients by using a billing code for outpatient psychotherapy. The state and federal governments further alleged that those psychotherapy sessions were actually the drug counseling sessions already included and reimbursed through the bundled rate."

These actions were part of the State of Connecticut's Inter-agency Fraud Task Force created in 2013 to investigate and prosecute healthcare fraud. The joint investigation included the Connecticut AT's office, the office of Connecticut U.S. Attorney John H. Durham, and the U.S. Health and Human Services, Office of Inspector General – Office of Investigations.

Connecticut Fight Fraud logo Terms of the settlement agreement require NERC to pay $1,378,533 in settlement funds. Of that amount, $881,945 will be returned to CMAP.

Connecticut residents suspecting healthcare fraud or abuse should contact the Attorney General’s Antitrust and Government Program Fraud Department (phone at 860-808-5040, or email at ag.fraud@ct.gov), or the Department of Social Services fraud (hotline at 1-800-842-2155, online at www.ct.gov/dss/reportingfraud, or email at providerfraud.dss@ct.gov). Residents in other states can contact their state's attorney general's office.


New Technologies Will Soon Make It More Difficult For Consumers To Spot Fake News

We've all heard the old saying: seeing is believing. Right? Not necessarily anymore.

New technologies  will soon make it very easy for bad actors to manipulate videos of people -- politicians, law enforcement officials, celebrities, or anyone -- to say things they never said. This will cause many problems, one of which will be the increasing difficulty, or impossibility, for consumers to spoke fake news. CBS News explained:

"It starts with a selfie. Using that simple image, Hao Li, CEO of Los Angeles-based Pinscreen, can manipulate someone's face. You can literally put words in someone else's mouth. Li said it's all part of building a new virtual chat room world, but this type of advanced artificial intelligence technology is raising real eyebrows... For example, someone could take an image of President Trump and make him say something he didn't really say. Li said these kind of things are already possible in some ways. Comedian Jordan Peele used lip sync technology in a public service announcement (PSA) out Tuesday, warning against the dangers of fake news..."

Below is the PSA by Peele, which has already gotten more than 2.3 million views:

This is more confirmation that artificial intelligence is ripe for misuse by bad actors. The CBS News report also described some of the efforts by software developers to quickly create tools to spot manipulated images and video. Here's why:

"... at Pinscreen, Li said it won't take long before the line between what's real or not is erased. "It might be a year actually." "

Watch the entire CBS News report. These new image/video detection tools can't come soon enough. Consumers will need them. Journalists, military, intelligence, government watch-dog agencies, and corporate executives will need them, too. One can easily imagine bad actors using A.I. and other new technologies to create fake endorsements by celebrities of products, services, and/or politicians they really didn't endorse. What are your opinions?


Securities & Exchange Commission Charges Former Equifax Executive With Insider Trading

Last week, the U.S. Securities and Exchange Commission (SEC) charged a former Equifax executive with insider trading. While an employee, Jun Ying allegedly used confidential information to dump stock and avoid losses before Equifax announced its massive data breach in September, 2017.

The SEC announced on March 14th that it had:

"... charged a former chief information officer of a U.S. business unit of Equifax with insider trading in advance of the company’s September 2017 announcement about a massive data breach that exposed the social security numbers and other personal information of about 148 million U.S. customers... The SEC’s complaint charges Ying with violating the antifraud provisions of the federal securities laws and seeks disgorgement of ill-gotten gains plus interest, penalties, and injunctive relief... According to the SEC’s complaint, Jun Ying, who was next in line to be the company’s global CIO, allegedly used confidential information entrusted to him by the company to conclude that Equifax had suffered a serious breach. The SEC alleges that before Equifax’s public disclosure of the data breach, Ying exercised all of his vested Equifax stock options and then sold the shares, reaping proceeds of nearly $1 million. According to the complaint, by selling before public disclosure of the data breach, Ying avoided more than $117,000 in losses... The U.S. Attorney’s Office for the Northern District of Georgia today announced parallel criminal charges against Ying."

The massive data breach affected about 143 million persons. Equifax announced in March, 2018 that even more people were affected, than originally estimated in its September, 2017 announcement.

MarketWatch reported that Ying:

"... found out about the breach on Friday afternoon, August 25, 2017... The SEC complaint says that Ying’s internet browsing history shows he learned that Experian’s stock price had dropped approximately 4% after the public announcement of [a prior 2015] Experian breach. Later Monday morning, Ying exercised all of his available stock options for 6,815 shares of Equifax stock that he immediately sold for over $950,000, and a gain of over $480,000... on Aug. 30, the global CIO for Equifax officially told Ying that it was Equifax that had been breached. One of the company’s attorneys, unaware that Ying had already traded on the information, told Ying that the news about the breach was confidential, should not be shared with anyone, and that Ying should not trade in Equifax securities. According the SEC complaint, Ying did not volunteer the fact that he had exercised and sold all of his vested Equifax options two days before. Equifax finally announced the breach on Sept. 7, and Equifax common stock closed at $123.23 the next day, a drop of $19.49 or nearly 14%..."


Report: Little Progress Since 2016 To Replace Old, Vulnerable Voting Machines In United States

We've know for some time that a sizeable portion of voting machines in the United States are vulnerable to hacking and errors. Too many states, cities, and town use antiquated equipment or equipment without paper backups. The latter makes re-counts impossible.

Has any progress been made to fix the vulnerabilities? The Brennan Center For Justice (BCJ) reported:

"... despite manifold warnings about election hacking for the past two years, the country has made remarkably little progress since the 2016 election in replacing antiquated, vulnerable voting machines — and has done even less to ensure that our country can recover from a successful cyberattack against those machines."

It is important to remember this warning in January 2017 from the Director of National Intelligence (DNI):

"Russian effortsto influence the 2016 US presidential election represent the most recent expression of Moscow’s longstanding desire to undermine the US-led liberal democratic order, but these activities demonstrated a significant escalation in directness, level of activity, and scope of effort compared to previous operations. We assess Russian President Vladimir Putin ordered an influence campaign in 2016 aimed at the US presidential election. Russia’s goals were to undermine public faith in the US democratic process... Russian intelligence accessed elements of multiple state or local electoral boards. Since early 2014, Russian intelligence has researched US electoral processes and related technology and equipment. DHS assesses that the types of systems we observed Russian actors targeting or compromising are not involved in vote tallying... We assess Moscow will apply lessons learned from its Putin-ordered campaign aimed at the US presidential election to future influence efforts worldwide, including against US allies and their election processes... "

Detailed findings in the BCJ report about the lack of progress:

  1. "This year, most states will use computerized voting machines that are at least 10 years old, and which election officials say must be replaced before 2020.
    While the lifespan of any electronic voting machine varies, systems over a decade old are far more likely to need to be replaced, for both security and reliability reasons... older machines are more likely to use outdated software like Windows 2000. Using obsolete software poses serious security risks: vendors may no longer write security patches for it; jurisdictions cannot replace critical hardware that is failing because it is incompatible with their new, more secure hardware... In 2016, jurisdictions in 44 states used voting machines that were at least a decade old. Election officials in 31 of those states said they needed to replace that equipment by 2020... This year, 41 states will be using systems that are at least a decade old, and officials in 33 say they must replace their machines by 2020. In most cases, elections officials do not yet have adequate funds to do so..."
  2. "Since 2016, only one state has replaced its paperless electronic voting machines statewide.
    Security experts have long warned about the dangers of continuing to use paperless electronic voting machines. These machines do not produce a paper record that can be reviewed by the voter, and they do not allow election officials and the public to confirm electronic vote totals. Therefore, votes cast on them could be lost or changed without notice... In 2016, 14 states (Arkansas, Delaware, Georgia, Indiana, Kansas, Kentucky, Louisiana, Mississippi, New Jersey, Pennsylvania, South Carolina, Tennessee, Texas, and Virginia) used paperless electronic machines as the primary polling place equipment in at least some counties and towns. Five of these states used paperless machines statewide. By 2018 these numbers have barely changed: 13 states will still use paperless voting machines, and 5 will continue to use such systems statewide. Only Virginia decertified and replaced all of its paperless systems..."
  3. "Only three states mandate post-election audits to provide a high-level of confidence in the accuracy of the final vote tally.
    Paper records of votes have limited value against a cyberattack if they are not used to check the accuracy of the software-generated total to confirm that the veracity of election results. In the last few years, statisticians, cybersecurity professionals, and election experts have made substantial advances in developing techniques to use post-election audits of voter verified paper records to identify a computer error or fraud that could change the outcome of a contest... Specifically, “risk limiting audits” — a process that employs statistical models to consistently provide a high level of confidence in the accuracy of the final vote tally – are now considered the “gold standard” of post-election audits by experts... Despite this fact, risk limiting audits are required in only three states: Colorado, New Mexico, and Rhode Island. While 13 state legislatures are currently considering new post-election audit bills, since the 2016 election, only one — Rhode Island — has enacted a new risk limiting audit requirement."
  4. "43 states are using machines that are no longer manufactured.
    The problem of maintaining secure and reliable voting machines is particularly challenging in the many jurisdictions that use machines models that are no longer produced. In 2015... the Brennan Center estimated that 43 states and the District of Columbia were using machines that are no longer manufactured. In 2018, that number has not changed. A primary challenge of using machines no longer manufactured is finding replacement parts and the technicians who can repair them. These difficulties make systems less reliable and secure... In a recent interview with the Brennan Center, Neal Kelley, registrar of voters for Orange County, California, explained that after years of cannibalizing old machines and hoarding spare parts, he is now forced to take systems out of service when they fail..."

That is embarrassing for a country that prides itself on having an effective democracy. According to BCJ, the solution would be for Congress to fund via grants the replacement of paperless and antiquated equipment; plus fund post-election audits.

Rather than protect the integrity of our democracy, the government passed a massive tax cut which will increase federal deficits during the coming years while pursuing both a costly military parade and an unfunded border wall. Seems like questionable priorities to me. What do you think?


2017 FTC Complaints Report: Debt Collection Tops The List. Older Consumers Better At Spotting Scams

Earlier this month,, the U.S. Federal Trade Commission (FTC) released its annual report of complaints submitted by consumers in the United States. The report is helpful is understand the most frequent types of scams and reports consumers experienced.

The latest report, titled 2017 Consumer Sentinel Network Data Book, includes complaints from 2.68 million consumers, a decrease from 2.98 million in 2016. However, consumers reported losing a total of $905 million to fraud in 2017, which is $63 million more than in 2016. The most frequent complaints were about debt collection (23 percent), identity theft (14 percent), and imposter scams (13 percent). The top 20 complaint categories:

Rank Category # Of
Reports
% Of
Reports
1 Debt Collection 608,535 22.74%
2 Identity Theft 371,061 13.87%
3 Imposter Scams 347,829 13.00%
4 Telephone & Mobile Services 149,578 5.59%
5 Banks & Lenders 149,316 5.58%
6 Prizes, Sweepstakes & Lotteries 142,870 5.34%
7 Shop-at-Home & Catalog Sales 126,387 4.72%
8 Credit Bureaus, Information
Furnishers & Report Users
107,473 4.02%
9 Auto Related 86,289 3.23%
10 Television and Electronic Media 47,456 1.77%
11 Credit Cards 45,428 1.70%
12 Internet Services 45,093 1.69%
13 Foreign Money Offers &
Counterfeit Check Scams
31,980 1.20%
14 Health Care 27,660 1.03%
15 Travel, Vacations &
Timeshare Plans
22,264 0.83%
16 Business & Job Opportunities 19,082 0.71%
17 Advance Payments for
Credit Services
17,762 0.66%
18 Investment Related 15,079 0.56%
19 Computer Equipment
& Software
9,762 0.36%
20 Mortgage Foreclosure Relief
& Debt Management
8,973 0.34%

While the median loss for all fraud reports in 2017 was $429, consumers reported larger losses in certain types of scams: travel, vacations and timeshare plans ($1,710); mortgage foreclosure relief and debt management ($1,200); and business/job opportunities ($1,063).

The telephone was the most frequently-reported method (70 percent) scammers used to contact consumers, and  wire transfers was the most frequently-reported payment method for fraud ($333 million in losses reported). Also:

"The states with the highest per capita rates of fraud reports in 2017 were Florida, Georgia, Nevada, Delaware, and Michigan. For identity theft, the top states in 2017 were Michigan, Florida, California, Maryland, and Nevada."

What's new in this report is that it details financial losses by age group. The FTC report concluded:

"Consumers in their twenties reported losing money to fraud more often than those over age 70. For example, among people aged 20-29 who reported fraud, 40 percent indicated they lost money. In comparison, just 18 percent of those 70 and older who reported fraud indicated they lost any money. However, when these older adults did report losing money to a scammer, the median amount lost was greater. The median reported loss for people age 80 and older was $1,092 compared to $400 for those aged 20-29."

Detailed information supporting this conclusion:

2017 FTC Consumer Sentinel complaints report. Reports and losses by age group. Click to view larger image

2017 FTC Consumer Sentinel complaints report. Median losses by age group. Click to view larger image

The second chart is key. Twice as many younger consumers (40 percent, ages 20 - 29) reported fraud losses compared to 18 percent of consumers ages 70 and older. At the same time, those older consumers lost more money. So, older consumers were more skilled at spotting scams and few fell victim to scams. It seems both groups could learn from each other.

CBS News interviewed a millennial who fell victim to a mystery-shopper scam, which seemed to be a slick version of the old check scam. It seems wise for all consumers, regardless of age, to maintain awareness about the types of scams. Pick a news source or blog you trust. Hopefully, this blog.

Below is a graphic summarizing the 2017 FTC report:

Ftc-complaints-report-2017


Mystery Package Scam Operating on Amazon Site. What It Is, The Implications, And Advice For Victims

Amazon logo Last fall, a couple living in a Boston suburb started receiving packages they didn't order from Amazon, the popular online retailer. The Boston Globe reported that the couple living in Acton, Massachusetts:

"... contacted Amazon, only to be told that the merchandise was paid for with a gift card. No sender’s name, no address. While they’ve never been charged for anything, they fear they are being used in a scam... The first package from Amazon landed on Mike and Kelly Gallivan’s front porch in October. And they have continued to arrive, packed with plastic fans, phone chargers, and other cheap stuff, at a rate of one or two a week."

The packages were delivered to the intended recipient. Nobody knows who sent the items: wireless chargers, a high-intensity flashlight, a Bluetooth speaker, a computer vacuum cleaner, LED tent lamps, USB cables, and more. After receiving 25 packages since October, the couple now wants it to stop. What seemed funny at first, is now a nuisance.

The Gallivans are not alone. CBC News reported that students at several universities in Canada have also received mystery packages containing a variety of items they didn't order:

"The items come in Amazon packaging, but there's no indication who's ordering the goods from the online retail giant. "We're definitely confused by it," said Shawn Wiskar, University of Regina Students' Union vice-president of student affairs. His student union has received about 15 anonymous packages from Amazon since late November, many of which contained multiple items. Products sent so far include iPad cases, a kitchen scale and a "fleshlight" — a male sex toy in the shape of a flashlight... Six other university student unions — Dalhousie in Halifax; St. Francis Xavier in Antigonish (Nova Scotia); Ryerson in Toronto; Wilfrid Laurier in Waterloo, Ontario; Royal Roads in Victoria; and the University of Manitoba in Winnipeg — have also confirmed that they've been receiving mysterious Amazon packages since the fall."

Experts speculate that the mystery packages were sent by fraudsters trying to game the retailer's review system. Consumers buy products on Amazon.com either directly from the retailer or from independent sellers listed on the site. The Boston Globe explained:

"Here’s how two experts who used to work for Amazon, James Thomson and Chris McCabe, say it probably works: A seller trying to prop up a product would set up a phony e-mail account that would be used to establish an Amazon account. Then the seller would purchase merchandise with a gift card — no identifying information there — and send it to a random person, in this case the Gallivans. Then, the phantom seller, who controls the “buyer’s” e-mail account, writes glowing reviews of the product, thus boosting the Amazon ranking of the product."

If true, then there probably are a significant number of bogus reviews on the Amazon site. The Boston Globe's news item also suggested that a data breach within a seller's firm might have provided scammers with valid mailing addresses:

"How did Mike, to whom the packages are addressed, get drawn into this? On occasion he’s ordered stuff on Amazon and received it directly from a manufacturer, once from China. That manufacturer or some affiliate may have scooped Mike’s name and address."

If true, then that highlights the downside of offshore outsourcing, where other countries don't mandate data breach disclosures. Earlier in 2017, a resident of Queens in New York City received packages with products she didn't order:

"... All she knows is that the sender is some guy named Kevin who uses Amazon gift cards... And she’s reported the packages to the NYPD, the FBI and the Better Business Bureau since Amazon hasn’t made the deliveries stop."

In that news report, a security expert speculated that criminals were testing stolen debit- and gift-card numbers. Did a seller have a data breach which went unreported? Lots of questions and few answers.

Security experts advise consumers to report packages they didn't order to various law enforcement and agencies, as the Queens resident did. Ultimately, her deliveries stopped, but not for the Gallivans.

Amazon has been unable to identify the perpetrators. At press time, a search of Amazon's Help and Customer Service site section failed to find content helping consumers victimized by this scam.

Perhaps, it is time for law enforcement and the U.S. Federal Trade Commission to step in. Regardless, we consumers will probably hear more news in the future about this scam.


Net Neutrality: Massachusetts Joins Multi-State Lawsuit Against FCC. What Next?

The Attorney General (AG) for the Commonwealth of Massachusetts is suing the U.S. Federal Communications Commission (FCC) after the FCC voted on December 14th to repeal existing net neutrality rules protecting consumers. Maura Healey, the Massachusetts AG, announced that her office has joined a multi-state lawsuit with the New York State AG:

"... joined New York Attorney General Eric T. Schneiderman in announcing that they will be filing a multi-state lawsuit against the Federal Communications Commission (FCC) over its vote to rollback net neutrality protections...The FCC recently issued a proposed final order rolling back net neutrality protections and on December 14th, voted 3-2 on party lines to implement the final order. On December 13th, AG Healey joined a coalition of 18 attorneys general in sending a letter to the FCC after reports emerged that nearly two million comments submitted in support of the agency were fake."

AG Healey said about the multi-state lawsuit:

"With the FCC vote, Americans will pay more for the internet and will have fewer options... The agency has completely failed to justify this decision and we will be suing to stand up for the free exchange of ideas and to keep the American people in control of internet access."

The December 13th letter to the FCC about fake comments was signed by AGs from California, District of Columbia, Delaware, Hawaii, Iowa, Illinois, Kentucky, Massachusetts, Maryland, Maine, Mississippi, North Carolina, Oregon, Pennsylvania, Rhode Island, Virginia, Vermont, and Washington. The AGs' letter stated, in part:

"One of the most important roles that we perform is to prosecute fraud. It is a role we take extremely seriously, and one that is essential to a fair marketplace... The ‘Restore Internet Freedom’ proposal, also known as net neutrality rollback (WC Docket No. 17- 108) has far-reaching implications for the everyday life of Americans... Recent attempts by New York Attorney General Schneiderman to investigate supposed comments received by the FCC have revealed a pattern of facts that should raise alarm bells for every American about the integrity of the democratic process. A careful review of the publicly available information revealed a pattern of fake submissions using the names of real people. In fact, there may be over one million fake submissions from across the country. This is akin to identity theft on a massive scale – and theft of someone’s voice in a democracy is particularly concerning.

As state Attorneys General, many of our offices have received complaints from consumers indicating their distress over their names being used in such a manner. While we will investigate these consumer complaints through our normal processes, we urge the Commission to take immediate action and to cooperate with law enforcement investigations. Woven throughout the Administrative Procedures Act is a duty for rulemakers to provide information to the public and to listen to the public. We know from advising our rulemakers at the state level that listening to the public provides insights from a diversity of viewpoints. But, if the well of public comment has been poisoned by falsified submissions, the Commission may be unable to rely on public comments that would help it reach a legitimate conclusion to the rulemaking process. Or, it must give less weight to the public comments submitted which also undermines the process..."

The FCC ignored the AGs' joint letter about fraud and proceeded with its net-neutrality vote on December 14. FCC Chairman Ajit Pai had blown off the identity theft and fraud charges as maneuvers by desperate net neutrality advocates.

California AG Xavier Becerra said:

"... the FCC failed to do what is right... The FCC decided that consumers do not deserve free, open, and equal access to the internet. It decided to ignore the millions of Americans who voiced their strong support for our existing net neutrality rules. Here in California – a state that is home to countless start-ups and technology giants alike – we know that a handful of powerful companies should not dictate the sources for the information we seek..."

Residents in some states can use special sites to notify their state's AG about the misuse of their identity data in fake comments submitted to the FCC: Pennsylvania, New York.

The FCC under Chairman Pai seems to listen and respond to the needs of corporate internet service providers (ISPs), and not to consumers. A November 21 - 25 poll found that 52 percent of registered voters support the current rules, including 55 percent of Democrats and 53 percent of Republicans.

While that is down from prior polls, a majority support net neutrality rules. A poll by Mozilla and Ipsos in June, 2017 found overwhelming support across party lines: 76% of Americans, 81% of Democrats, and 73% of Republicans favor keeping net neutrality rules. The poll included approximately 1,000 American adults across the U.S. with 354 Democrats, 344 Republicans, and 224 Independents.

Before the FCC affirmed net neutrality rules in 2015, a poll by the Center for Political Communication at the University of Delaware in 2014 found strong and widespread support:

"... About 81 percent of Americans oppose allowing Internet providers like Comcast and Verizon to charge Web sites and services more if they want to reach customers more quickly... Republicans were slightly more likely to support net neutrality than Democrats. 81 percent of Democrats and 85 percent of Republicans in the survey said they opposed fast lanes."

Experts have debated the various ways of moving forward after the December 14th FCC vote. Wired reported:

"Most immediately, the activity will move to the courts... The most likely argument: that the commission’s decision violates federal laws barring agencies from crafting “arbitrary and capricious” regulations. After all, the FCC’s net neutrality rules were just passed in 2015... as capricious as the current FCC's about-face may seem, legal experts say the challenges won’t be a slam-dunk case. Federal agencies are allowed to change their minds about previous regulations, so long as they adequately explain their reasoning... The FCC's main argument for revoking the 2015 rules is that the regulations hurt investment in broadband infrastructure. But, as WIRED recently detailed, many broadband providers actually increased their investments, while those that cut back on spending told shareholders that the net neutrality rules didn't affect their plans. University of Pennsylvania Law School professor Christopher Yoo says courts generally defer to an agency's expertise in interpreting evidence submitted into the record... net neutrality advocates could also argue that the agency's decision-making process was corrupted by the flood of fake comments left by bots. But FCC Chair AJit Pai will argue that the agency discarded low-quality and repeated comments and focused only on matters of substance... A long-term solution to net neutrality will require Congress to pass laws that won't change every time control of the White House passes to another party... Senator John Thune (R-South Dakota) recently called for Congress to pass bipartisan net neutrality legislation. In 2015, Thune and Representative Fred Upton (R-Michigan) introduced a bill that would have banned blocking or slowing legal content, but limited the FCC's authority over internet service providers. It never moved forward. Thune is clearly hoping that growing demand from the public for net neutrality protections will bring more Republicans to the table... Senator Ron Wyden (D-Oregon) told WIRED earlier this year that he won't support a bill with weaker protections than the 2015 rules..."

President Trump appointed Pai as FCC Chairman in January, giving the Republican commissioners at the FCC a voting majority. Neither the President nor the White House staff said anything in its daily e-mail blast or in their website about the FCC vote; and instead discussed tax reform, general remarks about reducing regulation, and infrastructure (e.g., roads, bridges, tunnels).

Seems to me the internet is a key component of our country's infrastructure. What are your opinions? If your state isn't in the above list, we'd like to hear from you, too.