Yet Again, a “Sophisticated” Fraud Hits the NHS

The UK’s National Health Service has for years been a “good” source of Bad Buying fraud and corruption stories.  There are several reasons for that. Firstly, it is huge organisation, employing some 1.3 million people. Secondly, it actually has a pretty good counter-fraud unit, and when fraudsters are discovered, they are often prosecuted, so the news becomes public domain, whereas private sector firms often hush up embarrassing cases. But it has to be said – the cases I’ve seen over the years often also suggest that too many NHS organisations have very weak policies and processes around procurement and payments.

The latest case reported in the media recently saw Thomas Elrick, 56, jailed for 3 years and 8 months.  He was assistant managing director for planned and unscheduled care at Harrow Clinical Commissioning Group (CCG) where he had the authority to approve invoices up to £50,000. That organisation is a purchaser rather than a direct provider of healthcare – so it buys services from providers on behalf of the local citizens. 

Elrick created a company, Tree of Andre Therapy Services Limited, using the name of his husband (who knew nothing about it) as the owner, and invoiced the Trust for services that were never provided. Between August 2018 and December 2020 he authorised payments totalling £564,484. To cover his tracks, he also sent an email from the account of his dead wife which claimed to show details of patients the firm had “treated”.

Elrick spent over £100,000 on holidays to Dubai, Hong Kong, the Maldives, Singapore and Switzerland, and also spent just under half a million on shopping, with Amazon, Apple and David Lloyd gyms. But eventually a smart colleague decided to look up the Care Quality Commission accreditation for this firm and found of course that it did not have one, and then the connection to Elrick was found.

There is an interesting angle here in terms of his response. In a statement after he was sentenced, Elrick said “I wish I could turn back the clock but I know that I cannot and I sincerely apologise…  I am not a bad person. I believe that I am fundamentally a good person who made bad decisions, for which I take sole responsibility.” 

Self-delusion is an amazing thing, isn’t it?  I stole half a million from the NHS but I am “fundamentally a good person”.  The mind of a fraudster is often interesting, I suspect.   

But we have to ask how on earth this fraud was possible?  In my Bad Buying book, I give seven key anti-fraud precautions every organisation should follow and this case study and organisation broke several of them. There was no check on the onboarding of a substantial new supplier, which had no trading record, no CCG listing and a conflict of interest in the ownership (although that might not have been easily spotted). There was no check apparently that services paid for were actually received; and of course most fundamentally one person could conduct the whole pseudo-procurement process and authorise payment of large invoices without anyone else being involved or approving the spend. “Separation of duties” and all that.

This was not a sophisticated fraud. It was enabled by an incredibly weak process that was wide open for exploitation by anyone with a modicum of intelligence (and a lack of morals).  Personally, I would fire the CFO and the Procurement Director at the Trust for allowing this money to be stolen so easily.  But this is the case in so many organisations and so often – basic precautions against fraud are simply not put in place. Is it ignorance, laziness, or maybe a management team that wants to leave the door open just in case they want to do something dodgy themselves? Who knows.