Overview
A federal jury in the Eastern District of Michigan convicted Ruby Scott, 55, of Farmington Hills, on charges tied to a $1.6 million scheme to defraud Medicare. Scott owned and operated Delta Home Health Care LLC and used stolen patient records as the foundation for fraudulent Medicare billing over a three-year period spanning 2018 through 2021.
Court documents show that the scheme relied on patient records Scott had no legitimate authorization to access or exploit for billing purposes. The fraudulent claims were submitted to Medicare on behalf of patients who either did not receive the billed services or whose information was used without their knowledge.
The conviction follows a federal investigation and prosecution in the Eastern District of Michigan. Sentencing has not yet been scheduled as of the date of this report.
Key developments
Stolen patient records as the instrument of fraud. The scheme depended directly on unauthorized access to and use of protected health information. Patient records were not incidentally exposed — they were the mechanism by which fraudulent Medicare claims were constructed and submitted.
Insider threat from a licensed clinical professional. Scott held nursing credentials and operated a regulated home health agency, illustrating that access privileges granted to clinical staff on the basis of professional licensure can be misused for financial gain over extended periods.
Three-year exposure window. The fraudulent activity ran from 2018 to 2021 — a span of roughly three years — before resulting in criminal charges. The duration shows how long insider misconduct can persist when access controls and billing anomaly detection are inadequate.
Medicare fraud carries federal criminal consequences. The conviction is a reminder that misuse of patient data in a billing context is not only a HIPAA enforcement matter but can constitute federal healthcare fraud, triggering prosecution by the Department of Justice independent of any OCR action.
Industry impact
Healthcare fraud schemes rooted in stolen patient records represent a significant and recurring threat to the Medicare program. The Department of Justice and HHS Office of Inspector General (OIG) have jointly prosecuted hundreds of home health fraud cases in recent years, with the home health sector consistently identified as a high-risk area in OIG Work Plans.
Insider threats are a particularly costly category of healthcare data incident. According to the Ponemon Institute's research on insider threats, incidents involving malicious insiders carry higher per-record costs and longer detection timelines than external attacks, in part because authorized users can move through systems without triggering standard perimeter defenses.
For small and independent home health agencies, the compliance risk is compounded by limited administrative oversight. A sole owner who also holds clinical access can operate with few checks on billing activity, creating structural conditions that make this type of fraud easier to sustain and harder to detect from the outside.
What this means for independent practices
- Audit billing activity against clinical documentation. Every Medicare claim should be traceable to a dated, signed clinical record. Practices should periodically verify that billed services correspond to documented encounters, particularly for home health visits. - Restrict record access by role and need. Staff access to patient records should be limited to the records required for their specific duties. Billing staff, clinical staff, and administrative staff should not share undifferentiated access to the full patient record system.
- Log and review who accesses patient records. Access logs should capture which user accounts retrieved which records and when. Periodic review of those logs — even manual spot-checks — can surface patterns inconsistent with patient care activity.
- Separate billing authority from clinical authority where possible. In small practices, the same individual often handles both clinical and billing functions. Where that overlap exists, a second reviewer — an external billing auditor or a practice manager — should periodically verify claim accuracy.
- Train staff to report irregularities without fear of retaliation. Employees who observe anomalous record access or billing activity should have a clear, confidential channel for reporting concerns. Many long-running fraud schemes are eventually surfaced by internal reports, not system alerts.
Practices that treat record access as a clinical necessity rather than an administrative convenience are better positioned to detect misuse early. Maintaining separation between the ability to access patient information and the authority to submit claims on that information is a structural discipline, not a technological one — it requires deliberate policy design and consistent enforcement regardless of practice size.
What would have prevented this
Role-based access controls (RBAC): Limiting each user's access to only the patient records relevant to their assigned duties would reduce the pool of records available for unauthorized use and create a smaller surface for insider misuse.
Automated billing anomaly detection: Claims-review tools that flag statistical outliers — unusually high visit volumes, billing for patients in implausible geographic locations, or claims lacking corresponding clinical documentation — can identify fraudulent patterns before they accumulate over years.
Audit logging with regular review: Maintaining detailed logs of which accounts accessed which patient records, and reviewing those logs on a defined schedule, creates accountability and makes sustained unauthorized access harder to conceal.
Segregation of duties in billing workflows: Requiring that claim submission and clinical documentation be completed and reviewed by different individuals — or audited by a third party — removes the unchecked control that makes single-operator fraud schemes viable.
Periodic external compliance audits: Independent review of billing records, access logs, and clinical documentation by a qualified third party gives small agencies a check that internal staff cannot credibly provide when the owner controls both clinical and administrative functions.