What are the key areas of fraud risk in private healthcare?

18 July 2023

Our Fraud Risk Services team consider the key areas of fraud risk within the private healthcare sector and the anti-fraud procedures organisations can develop to reduce those risks. 

The increasing use of private healthcare by both the public and the NHS provides an increasingly attractive target for fraudsters, from both outside and inside organisations. This, along with the introduction of the new corporate criminal offence of ‘failure to prevent fraud’, means that private healthcare providers need to prepare for when, not if, fraud takes place on their doorstep.

Increase in employee fraud

Figures obtained by RSM UK under a freedom of information (FOI) request show a 10% rise in reported fraud cases committed by employees against their employers. The data obtained from City of London Police also shows that there was a fivefold increase in total losses stolen through employee fraud, with an average loss of £256,668 per incident. The increase in both the volume and value of funds stolen by employees highlights that robust measures are essential to protect against fraud. These types of crimes are particularly damaging to private healthcare providers, as they can cause widespread reputational damage and loss of patient and employee trust, in addition to financial loss. 

Demonstrating the government’s commitment to tackling fraud, later this year, the Economic Crime and Corporate Transparency Bill is set to become UK law. This will bring into law a new corporate criminal offence of ‘failure to prevent fraud’ and see organisations being held to account if they profit from the fraudulent actions of their employees. It’s proposed that this offence will apply to large organisations (more than 250 employees, £36m turnover and £18m in total assets) and they can avoid prosecution if they are able to demonstrate that there are reasonable procedures in place to prevent fraud.

The healthcare sector is no stranger to fraud, with the NHS losing on average £1.198 billion every year. However, private healthcare providers are subject to additional fraud risk due to the financial incentives, targets and opportunities to manipulate data/records for organisational or personal gain. With a growing number of patients turning to private healthcare due to growing NHS wait times and preferential services, plus the NHS turning to private healthcare providers to deliver key NHS services, the opportunity for fraud within the private healthcare sector is mounting. 

Types of private healthcare fraud

Whilst private healthcare can be a target for fraudsters, there are several types of internal private healthcare fraud, which may be unique to each organisation. Some examples are below with accompanying suggestions to mitigate each of the fraud risks.

Upcoding
Type of fraud: Where private healthcare providers bill private insurers for medical services that were more complex or serious (and more expensive) than those diagnosed or provided to the patient.
Anti-fraud procedures: Having clear policies and procedures in healthcare coding and ensuring that both pre-payment assessments (such as dual authorisation and flagging of anomalies) and post-payment assessments (including exception reporting and monitoring of department/consultant coding trends) using data analytics, take place.

Unbundling
Type of fraud: Similar to upcoding, in that this involves improper coding. This is when a private healthcare provider fragments billing codes illegally, with the aim of increasing the provider’s profits.
Anti-fraud procedures: Similar to above, ensuring clear policies and procedures are in place for healthcare coding and that both pre- and post-payment checks are carried out on a regular basis to identify anomalies.

Unnecessary medical interventions/tests
Type of fraud: When diagnostic tests, x-rays etc, are conducted when not required and with the aim of generating insurance payments.
Anti-fraud procedures: Implementing controls, such as regular review of medical tests and interventions using data analytics to highlight whether there are unusual patterns or anomalies between departments/consultants and whether the tests were justified.

Misrepresenting treatment
Type of fraud: This can include when cosmetic work is carried out on a patient, but claimed as a medical treatment.
Anti-fraud procedures: Clear policies should be in place regarding the use of treatment on patients, in particular the difference between medical and non-medical treatment. Regular review of high-risk treatments, such as cosmetic work, should also take place to ensure proper representation and payment.

Pharmaceutical fraud
Type of fraud: Pharmacists may prescribe a generic non-branded drug to a patient, but record the prescription as a branded, higher value drug, to receive higher reimbursement and keep the difference.
Anti-fraud procedures: Regular pharmacy stock taking is paramount to prevent fraud, misappropriation and error; this, alongside clear policies, procedures and training will contribute to a strong anti-fraud culture.

Misappropriation of funds
Type of fraud: The misappropriation of funds by an employee for their own use. This can involve stealing cash, diverting funds, amending invoice details or misusing company credit cards.
Anti-fraud procedures: Organisations should have tight internal controls, such as segregation of duties, regularly reviewing financial records using data analytics, and limiting access to financial information and resources to authorised personnel.

False expense claims
Type of fraud: Employees may submit false claims for expenses never incurred or overstate the amount spent to obtain reimbursement.
Anti-fraud procedures: Having a clear expense policy, requiring receipts for all expenses, using expense management software to track expenses and identify anomalies, conducting regular reviews of expense claims and applying data analytics.

Payroll fraud
Type of fraud: This can include altering time records, claiming overtime hours not worked or creating fictitious employees.
Anti-fraud procedures: Implementing controls, such as background checks for new employees, permanent or temporary, reviewing payroll records regularly, using biometric or time and attendance systems to track employee hours and conducting regular audits of payroll records.

Asset misappropriation
Type of fraud: This can involve stealing supplies, equipment or other company assets for personal use or resale.
Anti-fraud procedures: Implementing security measures, such as surveillance cameras, asset tracking, transparent disposals processes and employee training on the importance of safeguarding company assets.

Data theft
Type of fraud: This can include stealing or copying sensitive company information, such as customer lists or intellectual property, for personal gain or to sell to competitors.
Anti-fraud procedures: Implementing strict access controls for sensitive information, regularly reviewing and monitoring data access logs and implementing security measures such as encryption, firewalls and intrusion detection systems.

Secondary work
Type of fraud: With the rise of agile working and many medical professionals working in both the private and public sectors, there is an increased risk of employees working more than one job, to the detriment or conflict of another. This risk is heightened with the boom of generative AI allowing employees to be more productive in certain roles.
Anti-fraud procedures: Clear policies and guidelines for secondary employment and declarations of interest, flexible working policies, monitoring employee activity by managerial oversight and conducting reviews of employee productivity and timekeeping records.

Patient referrals
Type of fraud: Many healthcare clinicians nowadays work across both public and private sectors, which can provide the opportunity for NHS patients to be referred to private practices, where there isn’t a medical requirement to do so. However, the clinician is then able to claim reimbursement for the private patient care. Additionally, ‘referral rings’ can occur where clinicians refer patients to each other, with kickbacks being received in return.
Anti-fraud procedures: While encouraging transparency with regards to private work, good practice is to also monitor the number of referrals received both from the public and private healthcare sectors, via data analytics, to highlight any trends, patterns or anomalies. Additionally, clear policies and guidelines should be in place to ensure staff are aware of the correct procedures.

Although not strictly fraud, employees accepting payments or gifts in exchange for preferential treatment or for awarding contracts or business to specific vendors is covered by the Bribery Act 2010. This can be mitigated by implementing a clear policy and code of ethics covering declarations of interests, conducting regular training on anti-bribery and regularly reviewing contracts and transactions with vendors for any signs of impropriety.

Create an anti-fraud culture

According to a report from the Association of Certified Fraud Examiners (ACFE), 29% of fraud is due to a lack of internal fraud prevention controls, with 20% due to the overriding of existing controls and 16% due to a lack of management review. To minimise fraud risk and improve fraud detection, organisations should have the following in place:

  • ensure that there are confidential and clearly defined reporting routes, supported by a sound whistleblowing policy and process, with a feedback mechanism where appropriate. Respond quickly to suspected fraud by initiating an investigation, documenting evidence and involving a counter-fraud specialist or the police. Prompt action can prevent further losses and minimise fraud impact;
  • provide periodic anti-fraud training for all employees as well as bespoke training for key risk areas such as finance, procurement and HR/recruitment. Training should incorporate the publication of successful sanctions where appropriate to demonstrate the organisation’s approach;
  • have in place a regularly reviewed anti-fraud policy that outlines the organisation’s approach to fraud, responsibilities, and tone from the top. The policy should be widely publicised, internally and externally, and supported by a response plan for when incidents occur. In addition, it should have an annual strategy for combating fraud; and
  • formal fraud risk assessments should be conducted periodically to identify and measure areas within the organisation susceptible to fraud. These areas may require further proactive testing, training and increased controls. The fraud risk assessment should feed into the annual fraud strategy, which defines the areas of focus for that year.


The combination of an economic crisis, cost-of-living challenges, geopolitical uncertainties and the rise of agile working has significantly increased the risk of employee fraud within private healthcare providers. Recent legislation will soon require some of these providers to establish procedures to prevent fraud. It is crucial for organisations to act proactively by implementing robust fraud prevention measures, adapting to the changing dynamics of the workplace, and investing in advanced technologies. By doing so, they can mitigate the financial and reputational damage caused by fraud, as well as prevent the risk of finding themselves liable under the proposed new corporate offence.

If you would like to discuss how to mitigate fraud within your healthcare setting, please contact Erin Sims or Emily Wood.

Emily Wood
Senior Consultant