
The invisible thief: Navigating the new era of health care fraud
Key Takeaways
- Digital payment channels have increased vulnerability to fraud, including card testing and "friendly" fraud, necessitating robust security measures.
- AI is recommended for fraud prevention, offering real-time identity validation without compromising patient experience.
Don't let your practice be a victim of - or complicit with - fraudsters
In an age where digital convenience is king, health care providers are finding themselves in a high-stakes balancing act between modernizing patient payments and defending against increasingly sophisticated fraud. In 2018, $3.6 trillion was spent on health care in the United States, and while fraudulent claims constitute only a small fraction of total billing, they carry a staggering price tag. Estimates suggest the U.S. loses tens of billions of dollars annually, with some government agencies placing the figure as high as 10% of annual expenditures—exceeding $300 billion.
According to
The modern vulnerability: Payment processing fraud
The shift toward digital and alternative payment channels, accelerated by the COVID-19 pandemic, opened new doors for bad actors. While patients now enjoy the convenience of 24/7 online portals, these same tools can leave a business susceptible to specific types of payment fraud if not properly protected.
O'Connor notes that many practices "turned on" these channels quickly to meet patient demand without considering the necessary protections. This has led to the rise of two specific threats:
- Card Testing: This occurs when fraudsters use a practice’s website or payment portal as a "vehicle" to validate stolen credit card information. They may hit a site hundreds or thousands of times in minutes to see which cards are legitimate. As O'Connor says, “It's expensive... that can add up very quickly for a business, and you're left with that expense.” Often, these attacks involve cards with foreign bank identification numbers, though the source of the fraud ring is rarely identifiable.
- "Friendly" Fraud: This often stems from patient confusion over co-pays or services rendered, leading them to file a chargeback. O'Connor notes that in the health care space, this often manifests as claims for “services not rendered,” particularly in telemedicine where expectations may differ from in-person visits.
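As an added illustration (not part of the original article, and not any processor's actual product), here is a minimal sliding-window check for the card-testing pattern described above: a single source cycling through many different cards that decline within minutes. The record fields, the 5-minute window, and the three-card threshold are assumptions chosen for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumed look-back window
MAX_DECLINED_CARDS = 3          # assumed threshold: distinct declined cards per source

def detect_card_testing(attempts, home_country="US"):
    """Flag sources whose distinct declined cards inside WINDOW reach the
    threshold. `attempts` must be sorted by time; cards are tokens, never PANs."""
    recent = defaultdict(deque)  # source -> attempts still inside the window
    alerts = {}
    for a in attempts:
        q = recent[a["source"]]
        q.append(a)
        while a["time"] - q[0]["time"] > WINDOW:
            q.popleft()          # expire attempts older than the window
        declined = {x["card"] for x in q if not x["approved"]}
        if len(declined) >= MAX_DECLINED_CARDS and a["source"] not in alerts:
            # Foreign-BIN share is reported as supporting context, not as a trigger.
            foreign = sum(x["bin_country"] != home_country for x in q)
            alerts[a["source"]] = {
                "first_flagged": a["time"],
                "declined_cards": len(declined),
                "foreign_bin_share": round(foreign / len(q), 2),
            }
    return alerts

def attempt(ts, source, card, country, approved):
    """Build one payment-attempt record (hypothetical schema)."""
    return {"time": datetime.fromisoformat(ts), "source": source,
            "card": card, "bin_country": country, "approved": approved}

# Constructed sample log (not real data): one patient retrying a single card,
# and one source trying several different cards within seconds.
SAMPLE = [
    attempt("2026-01-05T09:00:00", "198.51.100.7", "tok_a1", "US", False),
    attempt("2026-01-05T09:00:40", "198.51.100.7", "tok_a1", "US", True),
    attempt("2026-01-05T09:02:00", "203.0.113.9", "tok_b1", "CA", False),
    attempt("2026-01-05T09:02:05", "203.0.113.9", "tok_b2", "GB", False),
    attempt("2026-01-05T09:02:09", "203.0.113.9", "tok_b3", "CA", False),
    attempt("2026-01-05T09:02:14", "203.0.113.9", "tok_b4", "US", True),
]

if __name__ == "__main__":
    for source, info in detect_card_testing(SAMPLE).items():
        print(source, info)
```

A patient who retries the same card after a single decline never reaches the threshold, which is how the check avoids penalizing ordinary payment mistakes.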
Protecting the patient experience via AI
A major concern for physicians is whether robust security will frustrate patients. O'Connor insists this shouldn't be the case. “You, as a business owner, should not have to compromise your patient experience to protect your business against fraud,” she says.
Instead of outdated hurdles like complex CAPTCHAs—which even experts find frustrating—modern practices are turning to artificial intelligence. AI can perform identity validation behind the scenes by analyzing multiple data points in real time.
O'Connor's advice for the coming year is clear: “If you haven't looked at AI, 2026 is the year to use that type of technology to protect your business from fraud.”
Spidey senses: Red flags at the front desk
While technology handles the digital gates, front-office staff remain a vital line of defense. O'Connor recommends training staff to trust their "spidey senses" when certain red flags appear:
- Rushed Transactions: Be wary of any patient or caller who attempts to rush the payment experience or refuses to provide related data.
- Multiple Card Declines: While one decline is common, multiple declines across several cards are a major warning sign.
- The Refund Scam: A recent trend involves individuals calling to claim they made a payment and then requesting a refund to a different credit card. O'Connor says that it is best practice to never refund on a different card unless absolutely necessary.
Widening the lens: A system under attack
Payment processing is just one facet of a much larger problem. Most health care fraud is committed by a small number of providers through fraudulent billing schemes. These schemes often exploit the trust patients place in their doctors and can be difficult to detect because they are spread across multiple insurers.
Experts identify several persistent schemes used to siphon funds from the system:
- Upcoding: Intentionally submitting an incorrect medical code for a higher level of service than what was rendered. For example, a hospital might bill for an expensive brand-name drug while administering a generic version.
- Unbundling: Increasing profits by billing separately for components of a procedure that should be covered by a single "bundled" code, such as billing for the incision and closure of an appendectomy as separate acts.
- Double Billing: Charging multiple parties (like the government and a private insurer) for the same service, or billing the same party twice by slightly altering dates or descriptions.
- Billing for Fictitious Services: Claiming reimbursement for services never rendered. This often involves "ghost patients" created through medical identity theft.
- Non-Covered Services: Misrepresenting a non-covered treatment (like a cosmetic "nose job") as a medically necessary one (like a deviated septum repair) to secure insurance payment.
Medical identity theft
More than 2 million Americans have been victims of medical identity theft. This can result in erroneous information being added to a patient’s medical record, potentially leading to the wrong medical treatment or making the victim uninsurable for life insurance. Victims may even fail physical exams for employment because of undocumented "phantom" diseases in their history.
Most alarmingly, greed can lead to physical harm. Some perpetrators deliberately subject patients to unnecessary or dangerous procedures to generate payments.
- In 2015, an Ohio cardiologist received 20 years in prison for performing unnecessary catheterizations and heart surgeries.
- In 2019, a Virginia OB/GYN was accused of performing unnecessary hysterectomies and removing ovaries and fallopian tubes without medical cause.
The federal response: Stiff penalties
The federal response is intensifying. In June 2025, the Department of Justice launched its largest-ever crackdown, charging 324 defendants for over $14.6 billion in alleged fraud. The takedown involved 96 licensed medical professionals and was supported by AI analytics and cross-border arrests.
Under HIPAA, health care fraud is a federal crime. The basic offense carries a 10-year prison sentence, which can increase to 20 years if a patient is injured, and a life sentence if the fraud results in a patient's death.
The future of reform: Licensing medical billers
As the industry searches for solutions, some experts are calling for the licensing of medical billers. Currently, medical billers—the frontline personnel who process claims—are not required to be licensed in any state.
Olga Khabinskay, Director of Operations at WCH Service Bureau, argues that professionalizing this workforce could close critical gaps. “The biller’s role is a critical checkpoint,” she says, yet because they lack standardized training, their ability to spot fraud varies wildly.
Licensing could offer several benefits:
- Accountability: Billers would be bound by a code of ethics and subject to disciplinary action.
- Professional Standards: It would introduce mandatory training in fraud detection and standardized coding.
- Empowerment: Licensed billers might feel more empowered to refuse improper coding requests from employers.
- Revenue Generation: Licensing fees could generate billions to fund oversight and fraud prevention programs.
A call to action for 2026
As we move into 2026, the consensus among experts is that a "wait and see" approach is no longer viable. “Don’t wait for the newest fraud trend to hit the marketplace or for it to become a problem before you address it in your business,” O'Connor says.
Key Recommendations for Practices:
- Conduct Regular Audits: Always compare bills with corresponding medical records before submission to ensure accuracy and detect upcoding or unbundling.
- Vet Your Partners: Ask your payment processor specifically what types of fraud they protect against—card testing, chargebacks, or both.
- Review the EOB: Encourage patients to review their Explanation of Benefits notices; they are often the first to notice unrecognized charges.
- Embrace AI: If you haven't integrated AI into your payment and billing systems, prioritize it for the coming year to provide "invisible" protection that doesn't ruin the patient experience.
- Protect Identity: Treat health insurance ID cards like credit cards. Losing one is essentially a "license to steal" for identity thieves.
By integrating advanced technology, fostering professional accountability, and maintaining a