Healthcare fraud
How to mitigate against key areas of fraud within the NHS and wider healthcare system.
Fraud within the NHS and wider healthcare system
Fraud is an increasingly critical issue within the NHS and wider healthcare system across the UK.
In 2023/24 alone, there were over 2,500 cases of fraud reported within the NHS, with an estimated vulnerability of £1.3bn.
Understanding where and how fraud occurs is critical to safeguarding your organisation. Below, we explore the key areas of fraud within healthcare settings, highlighting real-world cases that illustrate the impact of fraudulent activities and the steps organisations can take to reduce these risks.
- Working elsewhere whilst sick
- Timesheet fraud
- Recruitment fraud
- Misuse of resources
- Failure to work contract hours
Working elsewhere whilst sick
Concerns about staff working elsewhere whilst sick continues to be the most common referral type across RSM’s healthcare client base. From 2022/23 to 2023/24, there was a 33% increase in the number of referrals received regarding individuals working elsewhere whilst sick.
Due to the ever-increasing demand for healthcare staff, the opportunity for individuals to find alternative and/or additional employment is high. This, accompanied by a more generous level of sickness pay than the private sector, results in an ideal opportunity for exploitation.
Mitigating the risks
To mitigate the risk of staff working whilst sick, organisations should ensure they have robust secondary working policies in place that clearly define and communicate to all staff their responsibilities for declaring potential conflicts of interest. This includes declaring secondary employment or outside business interests. It is imperative that these requirements are communicated to all staff, and that swift and appropriate disciplinary action is taken where applicable.
Furthermore, all NHS bodies are required to participate in the National Fraud Initiative (NFI), a biennial data matching exercise undertaken by the Cabinet Office. This intelligence, specifically regarding staff members’ employment with other NHS or local authority organisations and company directorships, can be compared to sickness absence data to identify potential cases of working elsewhere whilst sick.
Case study: Healthcare assistant jailed for fraudulent sick leave claims
A Band 3 Healthcare Assistant was sentenced after admitting to Fraud by False Representation for falsely claiming sick leave while working a second job. The individual, who had been on sick leave from the Trust for a year, took up employment at a second organisation and also worked additional shifts as a bank worker. The individual failed to disclose the second job to their GP and therefore continued to receive sick leave certification.
Following a detailed investigation by our Local Counter Fraud Specialist (LCFS), the individual was sentenced to 15 months in prison and suspended for two years. They were also ordered to complete 100 hours of unpaid work, 15 days of rehabilitation activity, and pay £1,000 in compensation to the Trust within six months.
The case was publicised within the Trust and across other NHS organisations to serve as a deterrent to others.
Timesheet fraud
Staff costs represent the largest single expenditure for the NHS. While it is essential that staff are paid for the hours they work, some may seek to exploit weak or absent controls to fraudulently claim more money than they are entitled to.
Timesheet fraud occurs when the record of hours worked by a staff member are falsified. If undetected, this results in the worker being paid more than they should be, causing a financial loss for the organisation.
Identifying the risks
Timesheet fraud can take several forms, including:
- Claiming for more hours than have been worked
- Failing to deduct breaks
- Claiming for shifts or sessions not worked
- Starting late or leaving early, often to meet another paid commitment
- Claiming for work at a higher band
- Claiming overtime or bank hours when working a substantive shift or professional activity (PA)/supporting professional activity (SPA).
Mitigating the risks
To mitigate the risk of fraudulent timesheet claims, your organisation should implement clear guidance and relevant policies for the completion, submission, and authorisation of timesheets.
Managers should ensure that the hours worked and claimed are accurate before authorising shifts.
Electronic time recording systems should include built-in controls to prevent duplicate/overlapping shifts, ensure minimum breaks between shifts, and prevent claims being made at a higher band.
Case study: Former bank worker caught claiming £4,323 after leaving role
A former Band 2 Administrative Bank worker was caught fraudulently claiming £4,323 for 57 shifts they had not worked between December 2022 and March 2023. The individual, who had been employed in the Band 2 bank role until March 2023, forged manager signatures to submit false timesheets, some of which were for days when the department was closed, while others were for shifts they had not attended.
The fraud was uncovered when a missing signature on a timesheet triggered further investigation, revealing the deception. A review of the timesheet also highlighted that one of the signatures had been forged.
After resigning from their substantive Band 3 position at the Trust in May 2023, the individual was removed from the staff bank, preventing any future employment with the Trust. They received a conditional caution from the police, which will remain on their record for six years and is disclosable. As part of the caution, they must attend a fraud diversion course at their own expense. Despite efforts to recover the money, the individual did not have sufficient funds to repay the amount.
Recruitment fraud
An organisation’s greatest asset is its staff. In the NHS, this is even more profound, as your staff are saving lives on a daily basis. It is vital that the staff you recruit are of a high calibre and can fulfil the job specifications you set. Clinical candidates who do not possess the essential requirements or exaggerate their previous experience can compromise patient safety. In non-clinical areas, staff who lack the required skills and/or experience can have a demonstrable negative effect on your teams and will abstract a significant amount of management time to supervise or rectify their work.
Between 2022/23 to 2023/24, there was an increase of 62.5% in the number of referrals received relating to recruitment fraud within our client base.
Mitigating the risks
It is essential that your recruitment teams follow the NHS Employment Check Standards to review each candidate's background, and that your staff are trained to recognise forged or counterfeit documents. It is much easier to identify a rogue applicant and prevent them from joining than to manage the disruption they may cause and subsequently work to remove them from your organisation.
At RSM, we offer quarterly online training sessions to recruitment teams covering key recruitment fraud risks and forged and counterfeit documents. We will be happy to review any suspicious applications or documents.
Case study: 12-month custodial sentence for fraudulent job application
A Band 8A Commissioning Programme Lead for Urgent Care was discovered to have falsified their qualifications, work experience, and multiple references to secure a position for which they were not qualified. After their appointment, concerns were raised regarding their ability to perform the role. Our investigation identified that the qualifications were fraudulent, and that they had set up their own email addresses to respond to reference requests. They had also purported to be a solicitor to attempt to shut down the investigation.
The individual was sentenced to 12 months’ imprisonment after being found guilty of Fraud by False Representation. At sentencing, the judge noted that the individual showed no remorse and took no responsibility for their actions, taking every opportunity to delay and obstruct the investigation.
We have worked with the organisation to implement more stringent testing on qualifications and references, and now also provide quarterly identity verification training sessions to our clients’ staff.
Misuse of resources
All staff members have a responsibility to protect their organisation’s assets—including buildings, equipment, and funds—from fraud, theft, or bribery. Between 2022/23 and 2023/24, we have seen an increase in referrals related to the misuse of resources across our client base.
The continued rising cost of living has placed additional financial pressures on staff, with salaries needing to stretch further to meet household needs. This can lead some staff members to supplement their income by fraudulently misusing their organisations’ resources for personal use or to intentionally sell them for financial gain.
Identifying the risks
From 2022/23 to 2023/24, there was a 115% increase in the number of referrals received relating to the misuse of resources.
Common forms of resource misuse include:
- Personal use of vehicles (including for hire/reward)
- Misuse of mobile phones (including data)
- False ordering of goods for theft and resale
- Theft and onward sale of resources (such as IT assets and uniforms)
- Theft of medication by staff.
Mitigating the risks
To minimise the associated risks with the misuse of resources, your organisation should have clear guidance and relevant policies in place for the appropriate use of assets.
Asset registers are essential for logging and tracking expensive items. Assets, particularly IT equipment, should be logged as soon as possible and clearly marked as organisational property. Extra care should be taken with items awaiting asset tagging, as stolen items without proper identification are harder to trace.
Regular audits and monitoring of the resources are crucial to identify any irregularities. Any items found not to be in regular use should be reclaimed and redistributed.
Case study: theft of medical equipment and subsequent recovery
A referral was received reporting that a medical device, a Continuous Positive Airway Pressure (CPAP) machine, was found for sale in a second-hand store. These items are issued by the NHS to patients with sleep apnoea and remain the property of the issuing Trust.
We immediately recovered the item and identified the patient it had been issued to. No criminal investigation was required.
We also worked with the Trust to review the issuing and management of CPAP devices to understand the extent of the potential risk. Following our review, the Trust has implemented several improvements to its controls:
- A full register of currently issued devices.
- All patients were transferred to newer devices that automatically upload updates of clinical data back to the Trust, enabling better management of clinical issues and identification of non-usage.
- Devices not in regular use were identified and recovered for destruction/reallocation.
- The ongoing fraud risk was assessed as low.
Failure to work contract hours
From 2022/23 to 2023/24, there was a 250% increase in the number of referrals received regarding the failure to work contracted hours across our client base.
This has become a key risk area for fraud, with a significant rise in the number of referrals in 2023/24. Historically, NHS and healthcare roles have followed an in-person, onsite working model. However, technological advances and the pandemic have led to a revolution in remote working. Full remote working is becoming more popular, offering benefits such as improved work-life balance, more efficient use of time, greater control over work hours and work location, burnout mitigation, and higher productivity.
Identifying the risks
Remote working can make it harder for managers to maintain oversight of an employee's progress and performance. In the past, it may have been more difficult for employees to leave early to go to another paid commitment or complete self-employed work during their contracted hours, but the rise of remote working has increased opportunities for such activities. With less collaboration and supervision, these issues can go unnoticed.
Managers should be alert to the following potential red flags:
- Not being able to contact employees during expected working hours.
- Delays in responses to emails and communications.
- Missing scheduled meetings and appointments.
- A drop in the quality and consistency of work.
- Work outputs not meeting expectations compared to peers in the same role.
Mitigating the risks
Organisations should take the following steps to mitigate these risks:
- Clearly define staff obligations in contracts, specifying the number of hours to be worked and during which hours.
- Ensure policies are robust and highlighted to new starters as part of their induction.
- Managers should ensure staff have sufficient work to complete and that productivity is regularly monitored.
- Staff should be aware that once their assigned tasks are complete, they must request further work.
- Managers should clearly communicate their expectations of employees, particularly around expected hours of work, work to be completed, work location, and actions to take once they have completed their assignments.
- Timesheets, especially for temporary or agency staff, should detail the specific hours worked and must only be approved by managers who can confirm that the hours were worked.
- Any issues, such as lack of productivity or contract violations, should be promptly escalated and challenged.
Case study: dual working uncovered
Following an NHS Counter Fraud Authority Intelligence Report, an investigation was launched into an agency worker who had been employed by the Trust as a full-time Projects Manager for 19 months, from July 2020 to February 2022. The investigation revealed that the individual had also been working a full-time role at another Trust through a sister agency for a two-month period.
Due to the remote nature of both roles, the dual employment was not immediately detected. However, thanks to the LCFS’s swift investigation, the Trust was able to refuse payment for the dates where dual working was detected, preventing any financial loss to the Trust. As a result of the quick action taken, the individual was removed from both roles, ensuring no further financial loss was incurred by either Trust.
We worked with both Trusts to implement more stringent controls on agency workers, including:
- Recording hours worked on timesheets.
- Requiring agency staff to submit Declarations of Interest to disclose any secondary employment.
- Implementing increased KPIs, particularly for remote workers.
- Providing guidance to managers on the risks of dual employment and how to deal with contract-related issues.
How we can help
It is crucial for organisations to take a proactive approach by implementing robust fraud prevention measures, adapting to the evolving dynamics of the workplace, and investing in advanced technologies. By doing so, they can mitigate the financial and reputational damage caused by fraud.
Our dedicated fraud risk services team brings years of experience in providing specialist guidance to healthcare organisations on effective fraud prevention.
If you would like to discuss how to mitigate fraud within your healthcare setting, please contact Andrea Deegan or Matt Wilson.
