An east-central Kansas hospital lied to the federal government so it would receive millions in incentive payments for using technology meant to better patient care, according to a 2016 federal whistleblower lawsuit unsealed late last month.
Coffey Health System told the Medicare and Medicaid programs that it was in compliance with security standards meant to ensure the privacy and security of patient information on an electronic health records system — when it actually wasn’t, the lawsuit alleges.
A basic security test revealed the hospital used a shared firewall, meaning anyone could access private patient records “simply by logging in to Coffey’s website through its IP address at the local schools or libraries,” the lawsuit says.
Coffey Health System also gave the government data that didn’t come from the source it claimed it had, according to the lawsuit.
As a result of the fraud, the hospital collected at least $3 million in incentives it didn’t deserve, the lawsuit contends.
The U.S. Department of Justice last week announced that Coffey Health System agreed to settle the case for $250,000, a portion of the $2.2 million in incentives it received in 2012 and 2013.
Wichita attorney Gary Ayers said the Burlington-based health care organization decided to settle to avoid the expense of ongoing litigation — not because it did anything wrong.
He said the case involved “complicated health care regulations regarding how to move from paper records to electronic records” and had nothing to do with patient care.
“The Hospital has denied any wrongdoing, and has maintained that it properly implemented its electronic health record system, and correctly documented it,” Ayers said in a written statement.
“Nevertheless, the Hospital decided to settle the lawsuit rather than continue the litigation with the government because of the additional attorney’s fees and the risk of an unfavorable outcome, which is always possible in litigation.”
Ayers said the hospital also was concerned a court battle would “distract staff from their primary mission” of providing “outstanding patient care.” Coffey Health System operates the Coffey County Hospital, a home health agency, five physician clinics and two long-term care facilities. It employs about 300 people.
Coffey Health System is supposed to pay the first $50,000 of the settlement by June 30, according to court documents. The balance will be paid in installments through June 2022, the settlement agreement says.
“Medicare and Medicaid beneficiaries expect that providers ensure the accuracy and security of their electronic health records,” U.S. Attorney Stephen McAllister said in a news release announcing the settlement. “This office remains committed to protecting the federal health programs and to hold accountable those whose conduct results in improper payments.”
Coffey Health System’s former Chief Information Officer Bashar Sean Awad and its former corporate compliance officer and grant writer, Cynthia McKerrigan, filed the lawsuit under the whistleblower provision of the federal False Claims Act, which prohibits fraud on the government. The case was unsealed by a federal judge in Kansas on May 24, according to court records.
As whistleblowers, the pair will receive a fifth of the settlement amount — $50,000.
The incentives at the center of the lawsuit were offered by the U.S. Department of Health and Human Services to healthcare providers who proved they used electronic health records systems in meaningful, measurable ways, such as providing prescriptions or recording patient vital signs electronically instead of on paper. The goal was to make health care safer and more efficient, improve coordination and reduce health disparities.
The Electronic Health Records Incentive Program was established as part of the American Recovery and Reinvestment Act of 2009. Coffey Health System registered for it in 2011.
But according to the whistleblower lawsuit, Coffey Health System lied about being in compliance with the security risk standards starting in 2011 or 2012 to at least 2016. It also claimed data it had to submit to get the incentives was “captured and exported” from its electronic health records when it actually was entered manually, the lawsuit says.
After discovering Coffey Health System hadn’t been truthful, Awad conducted basic network security tests and found that the organization shared a firewall with other organizations, according to the lawsuit.
“Anyone could access Coffey’s private patient records simply by logging in to Coffey’s website through its IP address at the local schools or libraries, without any usernames or passwords,” the lawsuit says.
A company he later asked to assess Coffey Health System’s security risk found dozens of vulnerabilities, many of them critical or serious.
According to the lawsuit, Coffey Health System ignored most of the deficiencies and lied to the government about being in compliance with security standards so it could receive more incentive money.
The data it submitted was supposed to be generated by the electronic patient information system. But instead Coffey Health System “manually generated (it) with the intention of misleading CMS,” the lawsuit said.
Had the organization been truthful, “Coffey would have never received the at least $3 million in incentive payments that it did,” the lawsuit says.
The case is at least the second of its kind to settle in recent weeks.
On Friday, the U.S. Department of Justice also announced that well-known Wichita cardiologist Joseph Galichia agreed to pay $5.8 million to settle accusations that he and his medical group billed Medicare and other federal health care programs for heart procedures his patients didn’t need. Galichia denied the allegations, saying in a written statement that fighting the seven-year-old lawsuit was costly and draining on his time and energy.