Death Fraud

“Grandma! What big sunglasses you have!” In the fuzzy photo shown below, taken with a security camera at a department of motor vehicles’ office in New York City, the elderly woman is actually a man impersonating his deceased mother. Thomas Parkin (shown in a wig and big sunglasses) defrauded the U.S. government out of more than $100,000 by stealing his mother’s identity after she died. Parkin’s accomplice, the man to the right in the photo, posed as a helpful nephew.

Parkin committed the fraud by giving his mother’s funeral home an incorrect date of birth and Social Security number (SSN) for her and then using the actual identification numbers to steal her monthly $700 Social Security benefits and rent subsidies.¹

Death can be big business for fraudsters. Imagine the societal consequences if theft of decedents’ identities becomes mainstream. A caregiver, entrusted with financial oversight for an ailing loved one or client, could obtain and use that person’s identification for illicit purposes. Or a physician could use a deceased physician’s SSN and then bill insurance companies for services never rendered to the decedent’s former patients.

These actual cases, playing out across the globe, often remain under the radar until it’s too late and damage has been done. Using a decedent’s SSN is really nothing more than an emerging form of identity theft.

In this article, we’ll:
• Describe identity theft in its native forms
• Explain the concept of death fraud and introduce the Social Security Administration’s (SSA) Death Master File (DMF)
• Explore the evolution of death fraud
• Propose proactive measures to employ in your practice and to suggest to your clients for their protection

DEFINING IDENTITY FRAUD 

You’re probably aware of identity theft, but you might not be aware that effective Nov. 1, 2008, the U.S. Federal Trade Commission (FTC) and several other federal agencies now require financial institutions and creditors to have identity theft prevention programs in place to help prevent, detect, and mitigate identity theft occurrences – primarily when the accounts are opened but also for the duration.² This is just one reason why understanding identity theft risk involving decedents is more critical than ever.

Identity theft, in broad terms, is the unauthorized and illicit use of another person’s personal identification information – typically an SSN or driver’s license – for the impostor’s personal gain.

In the United States, it’s unlawful for any person to:
1. Knowingly and without lawful authority produce an identification document, authentication feature, or a false identification document
2. Knowingly transfer an identification document, authentication feature, or a false identification document knowing that such document or feature was stolen or produced without lawful authority
3. Knowingly possess with intent to use unlawfully or transfer unlawfully five or more identification documents (other than those issued lawfully for the use of the possessor), authentication features, or false identification documents
4. Knowingly possess an identification document (other than one issued lawfully for the use of the possessor), authentication feature, or a false identification document with the intent for such document or feature be used to defraud the United States³

The third and fourth prongs give the law teeth in that unauthorized possession of another person’s identifying information, or fraudulent information, with intent to either use it personally or to transfer it to another party for unlawful purposes (including intent to defraud the United States) is a crime. While this language gives prosecutors additional tools to obtain a conviction, they also must prove one’s intent, which is never as clear as it might seem.

Keep in mind that identity theft and its attendant risk can’t realistically be legislated out of existence, but it’s an exposure that can, with regulatory support, be managed. In the past 12 years we’ve seen many legislative deterrents to identity theft including:
• The Identity Theft and Assumption Deterrence Act, which was effective Oct. 30, 1998. It makes identity theft a federal crime with penalties up to 15 years of imprisonment and a maximum fine of $250,000.
• The Gramm Leach Bliley (GLB) Act of 1999 makes it mandatory for any financial institution to assign one person to safeguard the security and confidentiality of personal information held at the institution. In addition, the GLB act “… prohibits ‘pretexting,’ the use of false pretenses, including fraudulent statements and impersonation, to obtain consumers’ personal financial information, such as bank balances.”⁴
• The Identity Theft Penalty Enhancement Act of 2004 added two years to the identity theft perpetrator’s prison sentence, and five years if the crime involved terrorist activities.

DEATH FRAUD 

Death fraud, at its roots, is simply a new spin on an old scam. As we continue to discover and enjoy technological advances, personal data theft will only become more prevalent. And identity theft against folks who are unable to speak for themselves threatens to increase in such a data-driven environment.

There are two common strategies to illegally obtain personal information, each of which presents its own problems. In the first scenario, a trusted friend or loved one gains access to another’s SSN. In the second scenario, which is growing in popularity, the perpetrator obtains a decedent’s SSN from discarded documents, databases, health claim files, or even the SSA’s Death Master File (DMF). The DMF is a central database that contains more than 84 million records on deceased U.S. citizens. Each entry includes the person’s SSN, full name, date of birth, date of death, and city/state.

Because decedents obviously aren’t able to detect or protest the unauthorized use of their identification credentials, the responsibility falls to their executors, surviving family members, or other interested parties, if there are any. Anti-fraud professionals should help the general public understand that vigilance over one’s identity doesn’t end when a person enters into a guardianship arrangement or even with one’s last breath.

Fraudsters have long known about stealing the identities of deceased or incompetent individuals to commit fraud. What makes this topic hotter than ever is that data can be sold and distributed quickly, and SSNs of the dead are more readily available than SSNs of the living (and absent the use of the DMF or similar tool, they are less likely to be detected). Collecting payments intended for the dead or in the name of the deceased is big business that touches several sectors of the economy including health care, life insurance, investments, retirement benefits, and others.

Among the incarnations of death fraud, Social Security fraud – using a deceased person’s SSN to obtain their Social Security benefits – will be examined first, after we address in detail the DMF.

DEATH MASTER FILE 

The SSA created the DMF in 1980 following a private citizen’s lawsuit via the Freedom of Information Act.⁵ The database’s purpose is to help prevent payments of SSA benefits to deceased parties. For a fee, users can either search individual names online at www.ssdmf.com, or they can purchase the entire database and run their queries. The SSA maintains this comprehensive database in conjunction with the National Technical Information Service branch of the Department of Commerce. The SSA keeps the database current by purchasing death certificate information from state governments and gathering death notifications from funeral homes and friends and family of the deceased.

Here’s the catch: The DMF is both an anti-fraud weapon and a point of vulnerability. Current legislation – including the USA PATRIOT Act of 2001 and the FTC’s mandate to implement identity theft prevention programs – has made the DMF an invaluable fraud-fighting tool. The PATRIOT Act made it mandatory for government entities to ensure their customers weren’t on terrorist watch lists, which made identity verification a hallmark in the fight against terrorism. It remains to be seen how the FTC’s mandate will be incorporated into businesses, but one anticipated effect is that DMF usage will be incorporated into companies’ anti-fraud programs. However, in the wrong hands, the DMF could be used for illicit purposes.

How should you use the DMF to fight fraud? First, you need to know how to mine the data for usable information. The DMF is an immense “batch” file that doesn’t accommodate data transfers into off-the-shelf spreadsheet or database analysis programs such as Microsoft Excel or Microsoft Access. If you purchase access to the 84-plus million records, you need to be able to manipulate the data. Analysts who cross-reference this file on a daily basis use large databases, such as SAS or Oracle, to crunch the numbers. However, the DMF is a powerful tool in the fight against fraud because you can use it to prevent or retroactively uncover manifestations of death fraud.

MANIFESTATIONS OF DEATH FRAUD 

Social Security Fraud
In a macabre case of Social Security fraud out of Florida, a woman named Penelope Jordan hid her dead mother’s body in a back room of their home for six years while she collected $40,000 annually in Social Security benefits intended for her mother.

Surviving and former spouses of a decedent are entitled to survivor benefits if the deceased was receiving Social Security benefits. Widow(er)s of deceased Social Security beneficiaries are eligible to receive either the deceased’s Social Security payouts or their own payouts – whichever amount is greater. Jordan clearly violated the law by failing to report her mother’s death to the SSA, which would have resulted in benefit cessation. She was prosecuted under 42 U.S.C. § 408(a)(1)-(8), which sets forth penalties for felony fraud violations under Title II of the Social Security Act.

The SSA’s first line of defense to prevent such schemes might be to cross-reference all outgoing benefit payments with the DMF. A second line of defense might be to retroactively compare Social Security payments after an individual’s date of death and pursue recoveries. Employing preventive measures, of course, would save time involved in chasing recoveries on the back end. This also minimizes the overall cost of potential fraud.

Social Security benefits that are handled by representative payees (rep payees) are particularly vulnerable to fraud, waste, and abuse. Rep payees are typically benefit recipients’ friends or family members who collect benefit payments on behalf of individuals unable to manage their financial affairs for various reasons. When family or friends can’t assume this role, others – usually professional conservators – serve as the rep payees for these beneficiaries. It’s easy to see how fraud can occur under these circumstances.

Tax Refund Fraud: Part I
In 2007, a large local government tax refund fraud was exposed in Washington, D.C., Harriette Walters, the former manager of tax refunds for the District of Columbia, bilked the D.C. government out of an estimated $48 million in fraudulent tax refunds over 20 years. The fraudulent tax refund checks were deposited into sham corporate accounts controlled by Walters’ relatives, or they were issued to deceased taxpayers and then redirected into accounts controlled by co-conspirators.⁶

Legitimate checks intended for a deceased person were returned to the government via the U.S. Postal Service, then altered and cashed. The Washington Post counted 92 distinct fictitious corporations that were set up to receive the fraudulent refunds including companies like “Bilkemor LLC.” While we do know that Walters used decedents’ SSNs for certain phases of her scheme, the extent of death fraud committed overall remains unknown.
  
To prevent this fraud, the District of Columbia Comptroller’s Office could have cross-referenced its tax records against the DMF. The office could have made further inquiries when companies or individuals had nonphysical addresses.

The Walters’ case is atypical. It’s more common to generate phony income tax refunds.

Tax Refund Fraud: Part II
Recent cases in California and New Jersey illustrate how easily decedent information can be used to generate inappropriate income tax refunds – absent some method of cross-reference with DMF or another similar database. In California, two men took advantage of this process gap and applied for $2 million in false tax refunds. In New Jersey, a woman submitted false tax returns on behalf of 28 deceased individuals, expecting a refund of $108,000.

You might ask: How did these perpetrators acquire the decedent SSNs? In California, the fraudsters obtained SSNs through a Certified Public Accountant and Internet research. Other, but by no means all-inclusive, ways to obtain SSNs of deceased persons include:
• “Dumpster diving” at a decedent’s residence after reading the victim’s obituary
• Access through friends and family
• Publicly available records on the Internet including:
  º http://govdeathrecords.com
  º www.ssdmf.com
  º www.rootsweb.com⁷
• Access to electronic information via computer hacking, spyware, and similar means

To help prevent tax refund frauds, we suggest that payor agencies cross-reference the payee name and SSN with the DMF and withhold payments intended for deceased persons until anomalies are fully resolved.

Accounting Fraud
Death fraud can occur many ways within an accounting department – most commonly via disbursement fraud. One strategy is to combine a decedent’s SSN with a new and fictitious vendor. Another disbursement method is to change the mailing address for a deceased employee or vendor to a post office box or mail drop that the fraudster controls.

A recent case of criminal tax fraud clearly demonstrates a real concern – creation of new businesses using a decedent’s identification information to conceal the entities’ ownership. Georgette Richie and her husband, Phillip Richie, created Webster General Inc. and Geo Tech Systems Inc., both of which did business with AMPORTS Inc.

Phillip, however, was also director of engineering at AMPORTS and responsible for awarding contracts to vendors and approving payment of their invoices. He circumvented this apparent conflict of interest by creating the two companies, which resulted in $12 million in contract payments to the companies from AMPORTS and in turn netted $4 million to the Richies. Georgette also used Internet banks to open accounts so the purported president of the companies wouldn’t have to appear in person.

This case amplifies the need to cross-reference vendor and employee data files against the DMF. Even with the tightest of internal controls, a rogue employee can create a fictitious employee or vendor using a decedent’s personal information to create, at a minimum, a bank account and a mailing address within the fraudster’s control. In this particular case, they also further concealed their intent by creating fictitious entities.⁸  

Health-care Fraud
Health-care fraud is a highly complex and specialized area of fraud examination because of the number of players and volume of transactions involved: physicians, hospitals, equipment suppliers and manufacturers, pharmacies, patients, medical-billing specialists, and third-party administrators. Each of the players have their specific transactions and potential to commit fraud against another segment of the health-care industry – a governmental agency that’s subsidizing the underlying care or the care recipient.

Health-care fraud is big business, as is fighting health-care fraud. The National Health Care Anti-Fraud Association recently estimated that approximately 3 percent of all U.S. health-care spending – or $68 billion annually – is lost to fraud.⁹

There are several ways to commit health-care fraud by using a decedent’s identifying information. Some of the more common include:
• Services purportedly rendered by a deceased provider and billed to an insurer
• Services purportedly rendered to a deceased patient and billed to an insurer
• Purchases of durable medical equipment purportedly made on behalf of a decedent (and billed by the physician using that person’s identifying information) 

Deceased Providers
Health insurers are becoming increasingly proactive in their fight against health-care fraud. Insurers and analysts run hundreds of algorithms to analyze huge volumes of data to identify possible health-care fraud, waste, and abuse.

One of insurers’ typical practices is to run an analysis to detect payments made for services rendered after the date of a physician’s death. This sort of scheme is generally undertaken by an insider – usually a practitioner in the same medical practice as the decedent or a third-party administrator who provides medical-billing services for that physician. In these cases, the fraudster – with access to the practitioner’s SSN and mailing information – is able to control both the reimbursement submission and the collection. Government and private industry analysts can cross-refer provider submissions against the DMF so they can identify these inappropriate payments and conduct recovery actions.

In July 2008, the U.S. Senate Permanent Subcommittee on Investigations held a hearing to examine claims made to Medicare for durable medical equipment that contained identification numbers of physicians who died at least one year prior to the alleged date of service.¹⁰ According to the subcommittee’s findings, Medicare overpaid an estimated $60 million to $92 million to these deceased doctors during the period of 2000 through 2007.

Had the study included the most recent 12 months following the physicians’ deaths, it’s estimated that the fraud loss would have increased to more than $100 million. This is a conservative estimate because the subcommittee’s analysis only included alleged dates of service more than one year after the physicians’ dates of death. In some cases, the doctors had been dead for more than 10 years. This further illustrates the need to analyze not only patient claim records but also physician files.

Preventing this type of fraud is straightforward, but not necessarily easy. The Centers for Medicare and Medicaid Services (CMS), for instance, has the inherent ability to retroactively (or proactively) cross-reference physician files with the DMF, discover payments made to deceased physicians, and attempt to recover associated payments. This is time consuming in either case, and it might complicate things to proactively withhold payment or deny a claim, but it would also slow the pace of the fraud loss.

CMS’ electronic Medicare Prospective Payment System already has electronic safeguards in place to either deny or approve a claim based on its characteristics. We don’t believe that adding an automated cross-reference to the DMF (a data set containing 84 million-plus records) is a practical solution to the health-care fraud loss dilemma; instead, we believe a data query this large might slow the claim approval process to a crawl.

A viable alternative might be adding a field/column titled “doctor date of death” to the CMS’ National Provider Identifier database and cross-referencing this data to the DMF periodically in an automated query that generates exceptions in a timely manner. This would enable CMS to validate claims against its National Provider file, which at 800,000 files, is substantially smaller than the DMF. Assuming the National Provider file contains current death information for each physician, this procedure would enable CMS to identify decedent physicians in a timely manner and deny claims associated with them. Insurers could use similar protocols.

Deceased Patients
Fraud schemes that involve submitting false claims to insurers for services allegedly rendered to deceased patients appear to be on the rise. As with all of the scams discussed in this article, fraud examiners must be cognizant of the logical possibility that an input error is behind the detected anomaly – possibly the purported service date, date of death, or even the DMF.

Typically, no proactive process is in place to detect submitted claims with a service date after the patient date of death. CMS and private insurers currently are able to retroactively identify payments made for services rendered after the patient date of death, typically using one of two methods: 1) compare the service date on the patient claim form to the patient’s death date, and flag the claim if the service date is after the date of death and 2) cross-reference the patient eligibility file (which contains the SSN) with the DMF to determine the accurate date of patient death, and then compare service date and death date.

This type of fraud has plagued state Medicaid agencies and CMS for years. The Health and Human Services Office of the Inspector General estimated in 2006 that $27.3 million was paid to providers on claims dated subsequent to the dates of patients’ deaths.11 That $27.3 million, based on eight out of the 10 audit states, was extrapolated. However, the enormity of the inspector general’s estimate strongly suggests that death fraud – specifically billing for services to deceased individuals – needs to be on the
radar.

Although the concept is simple, getting the DMF death dates to line up exactly with other sources of death dates, such as state eligibility files and Bureau of Vital Statistics files, continues to present a challenge.

Stark Law Violations
The Stark Law (42 U.S.C. 1395), named after Rep. Fortney “Pete” Stark (D-CA), prohibits a physician from referring patients to a practice in which the provider has a financial interest. Individual Stark Law violations (i.e., each claim or referral) are subject to financial penalties, which are significantly increased if it’s determined that the physician engaged in conduct to conceal the relationship. With this perspective, consider the increased risk of using a decedent’s personal information to obfuscate the true ownership of a practice and the Stark noncompliance. Consider the consequences if a physician or physician’s practice created a referral practice using a decedent’s SSN to mask ownership interest in that referral entity. 

TOOLS TO PREVENT DEATH FRAUD 

The principal tool to reduce or eliminate instances of death fraud risk is the DMF. Cross-walking financial databases within an organization – tax refund files, health-care claims files, vendor or contract files, and accounting records – against the DMF will identify payments intended for or attributed to deceased individuals. These payments might be mistakes, possibly attributed to sloppy data management. They might be legitimate. Or they might indicate fraud. In every case, however, exceptions should be flagged and potentially inappropriate payments investigated.

The second tool in your toolbox should be data-mining capability. If you don’t have SSNs in your database, programmers should be able to use other data fields common to both database sets to identify suspect payments. In addition, the data miner can look for changes in bank account routing information, payee addresses, and other information on a broad scale. In the opening example, if Grandma’s Social Security check was suddenly routed to a new or different bank account, this information would stand out and alternative explanations would have been explored.

The third tool in your toolbox is a qualified and competent financial investigator or field auditor. No matter the industry, potentially fraudulent overpayments must be investigated beyond a data report if recovery of these amounts is an objective of the analysis. The information provided by the data miner by itself might provide the predication required to instigate a fraud examination and spring-board the investigation. This same information will provide the basis for leads in the investigation as well.

Identity theft, as it relates to death fraud, is big business for fraudsters and the plethora of personal-identifying information available on the Internet makes identity theft easier to commit. While it can’t be totally prevented and not all cases can be detected, leveraging the DMF as a resource will certainly enable organizations to minimize their risk of falling prey to an orchestrated death-fraud scheme.

Cheryl B. Hyder, CFE, MT, CPA, CVA, CFF, is the principal at Hyder Consulting Group, a litigation consulting firm based in Alexandria, Va. She’s the president of the ACFE’s Metropolitan-DC Chapter and holds leadership positions in other professional organizations. Hyder has been designated as an expert witness in matters involving forensic accounting, financial fraud investigations, accounting malpractice and standard of care, commercial damages, and business valuation. 

Christine Warner is a director of quality assurance for Thomson Reuters, at which she conducts Medicaid fraud detection analyses using SAS software.

[Some of the following source links are no longer available. —Ed.]

¹ Millman, Jennifer. “Man Poses as Dead Mom To Collect Benefits.” NBCNewYork.com. June 17, 2009. www.nbcnewyork.com/news/local/Man-Poses-as-Dead-Mom-to-Collect-Benefits.html.
² Federal Register. Vol. 72, No. 217. Friday, Nov. 9, 2007. Rules and regulations available online at: www.ftc.gov/os/fedreg/2007/november/
071109redflags.pdf. The rules implementing section 114 of the Fair and Accurate Credit Transactions Act (FACT Act) require each financial institution or creditor to develop and implement a written identity theft prevention program to detect, prevent, and mitigate identity theft in connection with certain new or existing accounts.
³ 18 U.S.C. § 1028, Ch. 47: Fraud and related activity in connection with identification documents, authentication features, and information. Eight activities identified in the statute; we listed the most relevant here.
⁴ “The Gramm-Leach Bliley Act.” www.ftc.gov/privacy/privacyinitiatives/glbact.html.
⁵ Ways and Means Social Security Subcommittee. Committee on Financial Services Subcommittee on Oversight and Investigations. Nov. 8, 2001. www.ssa.gov/legislation/testimony_110801.html.
⁶ www.dcwatch.com/govern/cfo071107b.htm and Harry Jaffe, “Godfather of DC Tax Scam Still At Large.” The Examiner. Sept. 19, 2008.
⁷ A search on this website for “Jane Smith” revealed more than 1,000 hits from the Social Security Death Index (not to be confused with the Death Master File), each of which provides a Social Security number in addition to other personal identifying elements.
⁸ www.irs.gov/compliance/enforcement/article/0,,id=187277,00.html.
⁹ www.nhcaa.org/eweb/DynamicPage.aspx?webcode=anti_fraud_resource_centr&wpscode=TheProblemOfHCFraud
¹⁰ http://hsgac.senate.gov/public.
¹¹ “Audit of Selected States’ Medicaid Payments for Services Claimed to Have Been Provided to Deceased Beneficiaries.” http://oig.hhs.gov/oas/reports/region5/50505530.pdf. Sept. 26, 2006.

Preventing and Detecting Death Fraud 

The Death Master File (DMF), used in combination with traditional accounts payable tools to prevent and detect fraud, provides another tool for the anti-fraud tool belt. We suggest that an accounts payable or procurement department enhance its fraud mitigation efforts at various points of the payment cycle by:

1. Prior to engaging the vendor or prior to issuing payment:
• Validate vendors before doing business with them; consider comparing the taxpayer identification numbers on the W-9s against the DMF.
• Cross-reference personal identifiers contained in document submissions against the DMF. If these identifiers aren’t in the DMF, the inference is that the person in the documents is living and breathing. Of course, this presupposes that the DMF is current and accurate. Anomalies discovered at this stage are capable of being resolved before payments are issued. State jurisdictions are beginning to embrace this strategy to reduce their risk of becoming a victim of death fraud.¹  

2. As part of claim submission process (before payment is issued):
Compare information contained in submitted applications for payment (i.e., life insurance, tax refunds, etc.) against the DMF. Corporations and government entities might uncover a fraudulent submission rooted in use of a decedent’s SSN.

3. Periodically and at routine intervals, “scrub” data in payment files:
• Search for duplicate SSNs or current payee SSNs appearing in the DMF.
• Cross-reference vendor and employee files against the DMF and identify suspect transactions that might include payments to deceased individuals.
• Identify vendors and employees sharing SSNs, addresses, bank accounts, or telephone numbers, and employees who aren’t using their annual vacation or sick leaves.

4. Health-care providers, insurers, and government agencies should also cross-reference provider payees against the DMF to identify services provided or payments issued in which the relevant date is after the individual’s date of death. In health-care matters, determine if patients were alive at the stated time of service and confirm that the physician was also alive at the time.

¹ “Audit of Selected States’ Medicaid Payments for Services Claimed to Have Been Provided to Deceased Beneficiaries.” Sept. 26, 2006.  

The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.Fraud-Magazine.com or ACFE.com. Permission of the publisher is required before an article can be copied or reproduced.