Month: May 2019

On May 2, the United States Attorney’s Office for the District of Massachusetts announced that a federal jury in Boston convicted John Kapoor, the founder and former Executive Chairman of Insys Therapeutics, and four other former Insys executives on racketeering charges, “in connection with bribing medical practitioners to prescribe Subsys, a highly-addictive sublingual fentanyl spray intended for cancer patients experiencing breakthrough pain, and for defrauding Medicare and private insurance carriers.”

According to the United States Attorney’s Office, from May 2012 to December 2015, the five defendants conspired to bribe health-care practitioners in order to induce them to prescribe Subsys to patients,  often when that spray was medically unnecessary:

The defendants used pharmacy data to identify practitioners who either prescribed unusually high volumes of rapid-onset opioids, or had demonstrated a capacity to do so, and bribed and provided kickbacks to the practitioners to increase the number of new Subsys prescriptions, and to increase the dosage and number of units of Subsys. The defendants also measured the success of their criminal enterprise by comparing the net revenue earned from targeted practitioners with the total value of bribes and kickbacks paid. The defendants used this information to reduce or eliminate bribes paid to practitioners who failed to meet satisfactory prescribing requirements, which they determined to be the net revenue equal to at least twice the amount of bribes paid to the practitioner.

The United States Attorney’s Office also stated that Insys’s use of bribes and kickbacks included the use of so-called “speaker programs” that purportedly were “intended to increase brand awareness of Subsys through peer-to-peer educational lunches and dinners.”  Those programs, however, “were used as a vehicle to pay bribes and kickbacks to targeted practitioners in exchange for increased Subsys prescriptions and increased dosage,” and in most instances, those programs were shams.  In addition, the defendants “conspired to mislead and defraud health insurance providers who were reluctant to approve payment for the drug when it was prescribed for non-cancer patients.”

The charge of Racketeering Influenced and Corrupt Organizations (RICO) conspiracy, of which all five defendants were convicted, has a maximum sentence of 20 years’ imprisonment, three years of supervised release, and a fine of $250,000 or twice the amount of pecuniary gain or loss.  As of yesterday, no date had been set for sentencing of any of the defendants.

Note:  Even in the welter of ongoing opioid-related civil and criminal litigation across the country, this prosecution stands out as a significant victory for the Department of Justice and the U.S. Attorney’s Office in Boston.  While much more attention had been focused in recent weeks on last month’s Justice Department’s indictment of pharma company Indivior for alleged fraudulent marketing of its Suboxone film, the trial of the Insys executives was a major test of the Department’s credibility in aggressively pursuing individuals and companies as part of the Trump Administration’s commitment to combating the opioid crisis.  In fact, in its press release about the convictions, the U.S. Attorney’s Office touted the result as the “[f]irst successful prosecution of top pharmaceutical executives for crimes related to the prescribing of opioids.”

The trial, which lasted ten weeks, was notable in two other respects.  First, the prosecution’s case in chief included trial testimony by two other high-level Insys executives — Michael Babich, Insys’s former Chief Executive Officer and President, and Alec Burlakoff, Insys’s former Vice President of Sales – who had previously pleaded guilty in the case.  Burlakoff became a focal point in Kapoor’s defense, as his attorney, Beth Wilkinson, “sought to shift the blame onto” Burlakoff and “said Burlakoff was cutting side deals with doctors on his own and lied when he testified against Kapoor because he’s trying to save himself.”

Second, the jury deliberations lasted 15 days.  Although some defense attorneys may become more confident in the prospects of acquittal, or at least a hung jury, as deliberations lengthen, lengthy deliberations in a criminal case do not automatically translate to either conviction or acquittal.  As former United States Attorney Harry Litman remarked about the deliberations in the 2018 federal prosecution of Paul Manafort, “You could speculate that there’s some dynamic involving a holdout, but the better fit with the facts is that they’re just moving through methodically and this is how long it would take.”  Nonetheless, both the prosecution and the defense could be forgiven for having many anxious moments during the deliberations, including second-guessing themselves about particular testimony or documents in evidence.

Although it is too early to make firm predictions, these convictions are likely to have a substantial influence in the coming weeks on the thinking of other pharma companies that are currently under federal criminal investigation or indictment in opioid-related cases.  One news organization speculated that Kapoor and his co-defendants, as first-time offenders, would be sentenced to only a fraction of the 20 year maximum.  On the other hand, the duration and pervasiveness of the defendants’ scheme, as well as their senior positions at Insys and respective roles on carrying out the scheme, could militate against low sentences across the board.

On April 29, the Australian Competition & Consumer Commission (ACCC) issued its report for 2018 on scams activity, Targeting Scams.  Key points in the report included the following:

• In 2018, the ACCC’s Scamwatch service —  which provides information to consumers and small businesses about how to recognize, avoid, and report scams — received a record 177,516 scam reports reflecting more than AU $107 million in losses. That total represents an 18 percent increase in reporting since 2017.   Among all categories of scams reported to Scamwatch, investment scams (AU $38,846,635 in losses) and dating and romance scams (AU $24,648,024 in losses) remained the most financially harmful.
• When the Scamwatch reports are combined with reports made to the Australian Cybercrime Online Reporting Network (ACORN) and other state and territory government agencies, a total of more than 378,000 reports received reflected losses of AU $489 million. That total represents a 44 percent increase over the aggregate AU $340 million in losses reported in 2017.
• Among all victims reporting scam losses, the age cohorts with the largest losses were 55-64 (26 percent), 65+ (22 percent), 45-54 (20 percent), 35-44 (15 percent), and 25-34 (13 percent). Men filed fewer reports than women (79,600 versus 94,200), but reported more cumulative losses (AU $56.9 million versus AU $48.8 million).
• Significant trends in types of scams included:
  • Australian Tax Office (ATO) Scams: A total of more than 137,000 reports to the ATO and Scamwatch involved these scams, which are similar to online scams in which criminals claims to be with the U.S. Internal Revenue Service.
  • “Threats to Life, Arrest or Other” Scams: In 2018, reports and losses attributed to scammers threatening arrest, loss of benefits, and deportation increased to more than 19,000 reports, with AU $3.3 million in reported losses. This total represents a 45 percent increase over 2017.  The ACCC noted that “[t]he significant increase in ATO impersonation scams in late 2018 is a major contributor to this increase.”
  • False Billing Scams: Losses to false-billing scams increased by 97 per cent to AU $5.5 million. The ACCC noted that a large portion of these losses can be attributed to business email compromise (BEC) scams.
  • Remote Access Scams: These scams – which the ACCC described as {“[a] more elaborate version of the classic tech support scam in which scammers impersonate the police and ask for access to a victim’s computer to catch scammers” — resulted in filing of more than 11,300 reports to Scamwatch, with AU $4.7 million in reported losses (a 97 percent increase over 2017).
  • Cryptocurrencies in Scams: The ACCC stated there were 674 reports in which cryptocurrency was used to pay the scammers, with reported losses of AU $6.1 million. Those losses reflect a 190 percent increase over the AU $2.1 million losses reported in 2017.
  • iTunes and Google Play Cards in Scams: The ACCC reported an increase in losses from scams in which scammers requested payment through iTunes cards, with AU $3.1 million in reported losses. Scammers requesting payment through Google Play cards increased dramatically during 2018, as losses rose from AU $1,250 reported in July to AU $179,000 in December.
  • Scams Reported by Businesses: Businesses reported 5,846 scams, with AU $7.2 million in losses. BEC losses reported to Scamwatch totaled more than AU $3.8 million. When combined with reports to ACORN, losses to BEC scams exceeded AU $60 million. That total represents a 170 percent increase over the 2017 combined losses of $22.1 million in reported losses.  The ACCC specifically made reference to a number of reports indicating that BEC scammers were specifically targeting real estate deals, noting that “[t]he real estate sector is particularly attractive for scammers because of these large lump sum transfers between parties without a history of previous interaction.”

Note: Financial-crimes risk and compliance teams at companies with operations in Australia should take note of the ACCC’s findings and consider sharing information from the report with executives and employees based in Australia.  In addition, risk and compliance teams may find it useful to compare the trend information in the ACCC’s 2018 report and the FBI’s Internet Crime Complaint Center’s 2018 report.

On April 22, the Federal Bureau of Investigation (FBI) released its Internet Crime Complaint Center (IC3) Internet Crime Report for 2018.  The IC3, which was established in 2000, provides the public with an online reporting mechanism “to submit information to the FBI concerning suspected Internet-facilitated criminal activity, and to develop effective alliances with industry partners.”  The IC3 staff analyzes and disseminates information about online crime for investigative and intelligence purposes, for law enforcement, and for public awareness.

The report stated that in 2018, the IC3 received 351,937 complaints (the highest annual total since 2014), which reflected reported victim losses of more than $2.7 billion (nearly twice the 2017 victim losses of more than $1.4 billion).  “Hot topics” in the Report included the following:

• Business Email Compromise(BEC)/E-mail Account Compromise (EAC): BEC/EAC scams target both businesses and individuals performing wire transfer payment, and involve compromises of “legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.” In 2018, the IC3 reported that it received 20,373 BEC/EAC complaints with adjusted losses of more than $1.297 billion. In particular, it noted that there was an increase in the number of BEC/EAC complaints requesting that victims purchase gift cards. In those schemes, victims “received a spoofed email, a spoofed phone call or a spoofed text from a person in authority requesting the victim purchase multiple gift cards for either personal or business reasons.”
• Payroll Diversion: Payroll diversion schemes involve targeting of employees

through phishing emails designed to capture an employee’s login credentials. Once the cybercriminal has obtained an employee’s credentials, the credentials are used to access the employee’s payroll account. The cybercriminal will typically add rules to the employee’s account preventing the employee from receiving alerts regarding direct deposit changes. The cybercriminal will then change the direct deposit information, redirecting the payroll funds to an account controlled by the cybercriminal, which is often a prepaid card. Institutions most affected by this scam have been education, healthcare, and commercial airway transportation.

In 2018, the IC3 reported receiving approximately 100 payroll-diversion complaints with a combined reported loss of $100 million.

• Tech Support Fraud: Tech support fraud schemes involve contacts from individuals falsely claiming that victims need their assistance to resolve problems with the victims’ computers. The IC3 stated that tech support fraud “continues to be a growing problem,” as it received 14,408 tech support-related complaints in 2018 from victims in 48 countries, with reported losses of nearly $39 million (a 161 percent increase in losses from 2017). The IC3 also observed that that the majority of tech-support fraud victims reported to be more than 60 years old.
• Extortion: The IC3 stated that in 2018, it received 51,146 extortion-related complaints, with adjusted losses of more than $83 million (a 242 percent increase in extortion-related complaints since 2017).  The types of online extortion schemes that victims reported included:
  • Denial of Service attacks.
  • “Hitman” schemes (i.e., emails threatening to kill recipients and/or their families unless a fee is paid).
  • “Sextortion” (i.e., emails threatening “to distribute an individual’s private and sensitive material unless the individual provides the perpetrator images of a sexual nature, sexual favors, or money”). The IC3 reported that the majority of extortion complaints it received in 2018 “were part of a sextortion campaign in which victims received an email threatening to send a pornographic video of them or other compromising information to family, friends, coworkers, or social network contacts if a ransom was not paid.”
  • Government impersonation schemes.
  • Loan schemes.
  • High-profile data breaches..

The IC3 also commented that cybercriminals conducting extortion schemes commonly demand virtual currency as the payment mechanism to add an additional layer of anonymity.

After BEC/EAC schemes, the next highest reported losses from online schemes included confidence fraud/romance scams ($362,500,761), investment schemes ($252,955,320), nonpayment/nondelivery ($183,826,809), and real estate ($149,458,114).  With regard to ransomware schemes, which have received substantial publicity in recent months for targeting of prominent businesses, the IC3 stated only $3,621,857 in losses, but cautioned that it

does not include estimates of lost business, time, wages, files, equipment, or any third party remediation services acquired by a victim. In some cases victims do not report any loss amount to the FBI, thereby creating an artificially low ransomware loss rate. Lastly, the number only represents what victims report to the FBI via the IC3 and does not account for victim direct reporting to FBI field offices/agents.

Note:  While this IC3 report is based on voluntary reports form the public rather than a random survey of businesses or the general population, the volumes of complaints and reported losses are substantial enough for companies and government agencies to warrant sharing with their information-security and compliance teams.  Selected data from the report can also be included in cybersecurity-related training courses and materials.