Susceptibility to Accounting Fraud for Medical Businesses

Source: Belinda Kitos, CFE (Certified Fraud Examiner)

Medical businesses’ unique conditions double the vulnerability to accounting fraud.

A typical medical practice operates with controlled chaos, generous trust of staff and two separate financial accounting software programs — all breeding circumstances for fraud. Here’s how to identify internal fraudsters’ schemes and apply remedies (even if you don’t work at a medical practice).

Mary was an excellent office manager for medical practices except she had a secret — she was a serial embezzler. Early in her career, she’d learned how to improperly remove funds from medical practice billing programs through various techniques. She’d ripped off three other practices before she began to work at yet another because she’d gotten so good at fooling doctors. And now she was doing it again. But she wasn’t too worried. She’d already learned with the previous practices that if the physicians caught her, they’d just fire her to save face, and then she’d move on to her next victim.

For several reasons, medical office practices are sitting ducks for employee embezzlement, and most practice owners don’t realize it.

Chaos Can Reign

As you wait for your appointment, you’ve seen how busy your doctor’s office can be, especially when an emergency patient arrives. Physicians notoriously overbook their schedules because of numerous no-shows, so when everyone does make it in, staff and physicians can be overwhelmed. Fraud loves to breed in exhausting pandemonium.

Trusting Work Culture

Physicians instinctively believe their patients are telling the truth about their symptoms so they can apply the proper treatments. They also trust staff members, who tend to stay with practices for many years and become physicians’ second families. However, trusting medical cultures often are ripe for exploitation. Tired physicians and administrators at the end of chaotic days trust that their staff appropriately fulfilled their responsibilities, so they often skip checking the daily financial internal controls.

Two Financial Accounting Programs

As CFEs, no matter what type of organization we’re called upon to examine, we automatically expect to evaluate the financial operating account. Most small businesses maintain an operating account computer program, such as QuickBooks, and all the accounting information for the business is located within that account. To complete a thorough examination, we need to review that account, which contains expenses, accounts payable, monthly statements, billing and invoices, credit card expenses, merchant account statements, inventory, payment income and corresponding deposits.

However, walk into any medical office (including dental and veterinary) and everything is different. Medical businesses maintain two financial accounting software programs: one for patient billing and another for business operations. Fraudsters can target both of these accounts, which can leave a medical office more vulnerable than the average business with one financial account. Several employees can normally access both accounting programs. Usually only one employee is accessing the operating account — the practice office manager — but the billing account routinely has several employees with account access.

The practice or office manager handles the operating account, which maintains office overhead expenses such as utilities, supplies, payroll, repairs, etc. while several staff members handle the practice’s billing account, which maintains patients’ dates of service, charges, insurance information, insurance billing, and patient and insurance payment records to adjudicate patient accounts. Doctors have spent endless hours of training to learn how to care for patients, but they might have taken only one course on managing a medical practice’s business side. Most of them totally rely on their staff to run their patient billing and office operating accounts and only use CPAs to review financial quarterly or yearly account reporting information. This is a perfect breeding pool for fraud.

CFEs Need to Understand the EOB

A crooked medical billing account staff member who defrauds a practice must keep patients happy and quickly adjudicate their accounts so they don’t receive bills for services they don’t expect. One call from an irate patient about a false billing amount could expose fraudulent activity.

A CFE who’s evaluating a medical practice billing account needs to understand the explanation of benefits (EOB) from the insurance companies and how to post payments received from those companies based on the EOBs that accompany each insurance payment. It’s critical that medical practices post or enter payments on the dates they receive them and not on the dates of service. The date received is considered the day that the staff is actually posting to the billing account — not the date the payment arrived in the mail.

Fraudsters’ Methods at Medical Practices and Remedies

Fraudsters have several ways to improperly remove funds from medical practice billing programs. For example, in an incorrect payment posting, let’s say the practice provided a service on the first of the month, and it received a payment for that service the following month. The monthly financial data intake for the previous month is calculated in the end-of-month reports that are generated for the practice. If an unscrupulous staff member back-posts a payment to the previous month — or any prior date — that has already reported the monthly income, the month-end report will change and show more income when the report is regenerated. This type of posting can adjudicate the patient account and allows the staff member to remove the payment. Medical practices don’t normally go back and actually regenerate the previous month-end reports. Banking today allows deposits by smartphone or ATM. This allows fraudsters to easily divert and deposit checks made out to the practice into their private accounts or into a newly created shell-company account.

Cash is king in any business, and it’s usually readily targeted when available. Cash is routinely collected in a medical practice for co-pays, deductibles and the daily charges. A crafty staff member can adjudicate the patient account by posting a cash payment as a credit card payment and remove the cash. This method also creates false billing financial reports that are inflated because of the lack of an actual credit card payment. The billing account financial reports will show more income than the practice bank statements.

To avoid this kind of fraud, multiple safeguards are important. Medical practices should maintain all daily payment receipts in a day file as a check and balance for the end of the day. A daily-close printout from the billing account tallies up all the credit card receipts, cash and checks collected and posted for the day by each staff member. These amounts should match all the physical receipts maintained by the practice. The daily-close report should match the daily deposit slip that the staff will create. Make sure all deposit carbon slips are accompanied by the bank deposit receipt to verify the amount was deposited. Maintain a three-part carbon, cash-receipt book to track all cash. Copy all daily credit card receipts, maintain all cash receipts and copy patient and insurance checks as proof of payment. Retain all this financial documentation in the day file along with all EOBs posted for the day to verify the daily practice intake.
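The two checks described above (back-posted payments and the daily-close comparison against the day file) can be run over an audit-trail export, as in this added example, which is not part of the original article. The `Posting` layout, the user names and all amounts are constructed assumptions; a real billing program's export will differ.

```python
from collections import defaultdict
from datetime import date
from typing import NamedTuple

class Posting(NamedTuple):      # one audit-trail row (hypothetical export layout)
    user: str
    entered_on: date            # day the staff member keyed the payment
    posting_date: date          # date the payment was posted to
    tender: str                 # "cash", "check" or "card"
    cents: int

# Constructed sample data, not taken from any real practice.
POSTINGS = [
    Posting("amy",  date(2024, 3, 4), date(2024, 3, 4),  "check", 12000),
    Posting("amy",  date(2024, 3, 4), date(2024, 3, 4),  "card",   4000),
    Posting("mary", date(2024, 3, 4), date(2024, 2, 12), "check", 31000),
    Posting("mary", date(2024, 3, 4), date(2024, 3, 4),  "card",   2500),
    Posting("mary", date(2024, 3, 5), date(2024, 3, 5),  "cash",   3000),
]
# Constructed day-file totals: receipts, card batch and deposit slip per day.
DAY_FILE = {
    date(2024, 3, 4): {"check": 12000, "card": 4000, "cash": 2500},
    date(2024, 3, 5): {"cash": 3000},
}

def back_posted(postings):
    """Payments keyed in a later month than the month they were posted to."""
    return [p for p in postings
            if (p.entered_on.year, p.entered_on.month)
            > (p.posting_date.year, p.posting_date.month)]

def daily_close_mismatches(postings, day_file):
    """Posted total minus day-file total, per (date, tender), where nonzero."""
    posted = defaultdict(int)
    for p in postings:
        posted[(p.posting_date, p.tender)] += p.cents
    keys = set(posted) | {(d, t) for d, tenders in day_file.items() for t in tenders}
    diffs = {}
    for key in sorted(keys):
        delta = posted.get(key, 0) - day_file.get(key[0], {}).get(key[1], 0)
        if delta:
            diffs[key] = delta
    return diffs

if __name__ == "__main__":
    for p in back_posted(POSTINGS):
        print("back-posted:", p.user, p.posting_date, p.tender, p.cents)
    for (day, tender), delta in daily_close_mismatches(POSTINGS, DAY_FILE).items():
        print("mismatch:", day, tender, delta)
```

A card total that is over by the same amount the cash total is short on the same day is the signature of a cash payment posted as a credit card payment.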

Medical practices routinely take credit cards via reader machines on their counters, process payments and maintain receipts for the day. However, practices rarely refund by credit card. So, be sure to review for any credit card refunds in the account statements. A crafty staff member could easily send a refund to their credit card account by swiping their personal card on a reader machine. Practices can prevent this theft with a policy that all refunds must be approved by a supervisor.

We can find most of the typical operating account embezzlement schemes, such as payroll padding and accounts payable frauds, in medical practice operating accounts. A crafty office manager can combine their personal bills with vendor bills, which, of course, increases a practice’s overhead expenses. A physician or CPA reviewing the practice financial reports would only notice that overhead expenses have increased without any vendor changes. The fraudster would slowly add personal bills so they wouldn’t draw attention.

For example, an office manager includes their personal Verizon phone bill with the practice’s Verizon bill. The practice writes a check for the combined amounts and includes both billing stubs in the envelope. The only way to discover this type of fraud is to compare all invoices and statements to the payments. Some doctors in a practice become so trusting of their staff “family” they never even look at invoices and bank statements. They allow staff to reconcile bank statements to the operating account and the office manager to sign all business checks.

Doctors often can’t afford to have enough staff to segregate duties, so a single employee might control the revenue stream in small practices. The medical practice must have a system in place to verify that trust. Staff members who know that someone is overseeing their work or will randomly check it are more likely not to commit fraud.

Doctors should tell the practice’s bank to send statements to their homes. They should review them first before giving them to the office manager to reconcile. Ensure that the practice’s check copies are on the monthly bank statements and review the monthly practice vendor names and the check signatures. Question any vendor names you don’t recognize. Sign your own checks. Ensure that the invoices are with each check for you to review if needed. Don’t use signature stamps in your practice for checks, and don’t allow staff to sign your checks.

Payments via wire and mobile transfers might not be payments for the practice at all but transfers of funds from the practice account to a staff member’s personal account or shell company. I repeat, blind trust with no checks and balances creates the perfect opportunity for fraudulent activity.

As always, tone at the top is important. If the staff sees doctors cheating their partners or doing things inappropriately, then the staff will be more likely to also cheat. If staff members are caught, they can rat out the offending partner to avoid prosecution, leaving dismissal as their worst-case scenario.

What to Look for and Do

As in any organization, watch for employees who:

  • Become secretive about their work or workspaces.
  • Display new wealth such as expensive cars or clothes.
  • Are that “indispensable” or “loyal” employee, often working late and on weekends unsupervised.
  • Don’t want to share tasks.
  • Refuse to take vacations.
  • Bully office managers.


Be wary of the office manager who asks a doctor to sign a stack of checks at a busy time of day. The manager often knows the doctor won’t look at the accompanying invoices/statements because of waiting patients. Call and ask for references for new hires. Conduct background checks on them. Segregation of duties is always an issue in smaller practices. Practices, or any business for that matter, where just one person handles all financial matters are always extremely vulnerable to fraud. Provide adequate guidelines in your employee manual for those who handle financial matters and enforce existing policies. Bond with those who handle funds. Maintain employee dishonesty insurance.

Pay your employees well but pay attention to those with disgruntled attitudes. Employees who constantly complain about their pay could feel justified in stealing. Most medical practices don’t consider conducting an evaluation or audit as a preventive measure until they discover embezzlements. A typical case can cost a practice tens of thousands of dollars on top of the cost of the fraud. If the embezzler has been arrested, the CFE can put together the case. Most billing and operating account software applications have audit trails that can help to pinpoint account manipulations by individual staff members if they have unique log-ins.

In my experience with medical office embezzlement, I find that after a medical practice has discovered fraud, doctors see clearly where and how it happened. They severely blame themselves for being so foolish to trust, and they suffer from a profound sense of betrayal. Many are too embarrassed to prosecute because they think their patients will view them as imbeciles. Medical practice embezzlers know that, and so they take the shot. Fraudsters know there’s a better chance of just getting fired than going to jail, and the risk to them is well worth the reward. They just take the money and move on to the next practice. Physicians that have been defrauded need to report these fraudsters to prevent them from repeating.

Belinda Kitos, CFE, CICA, MT(ASCP)–RET, is president of SCF

About Scale Finance

Scale Finance LLC provides contract CFO services, Controller solutions, and support in raising capital, or executing M&A transactions, to entrepreneurial companies. The firm specializes in cost-effective financial reporting, budgeting & forecasting, implementing controls, complex modeling, business valuations, and other financial management, and provides strategic help for companies raising growth capital or considering M&A/recapitalization opportunities. Most of the firm’s clients are growing technology, healthcare, business services, consumer, and industrial companies at various stages of development from start-up to tens of millions in annual revenue. Scale Finance has multiple offices in the Carolinas including Charlotte, Raleigh/Durham, Greensboro, and Wilmington with a team of more than 45 professionals serving more than 130 companies throughout the region.