The fraud problem in commercial group health
Commercial group health and employee-benefit cover is a large and growing part of the Indian health-insurance market: corporates buy group mediclaim for their employees and dependants, and the claims volume across these programmes is substantial. It is also a part of the market with a persistent fraud and leakage problem. Industry estimates have long put fraud and abuse at a meaningful share of health-claims outgo, and for a corporate group programme that leakage shows up directly in the claims ratio, which feeds the renewal premium the employer pays. Fraud in group health is not a victimless curiosity; it raises the cost of cover for the employer and, ultimately, for the honest employees whose programme it is.
Group health fraud is distinctive because of the parties involved. The claim chain runs from the employee (and dependants) who use the cover, through the hospital or provider that delivers and bills the treatment, through the third-party administrator (TPA) that processes the claim, to the insurer that carries the risk. Fraud can originate at any point in this chain, and the most damaging fraud usually involves collusion across points, particularly between a claimant and a provider, which makes it harder to detect than a lone fraudulent claim. The cashless model, in which the hospital bills the insurer directly through the TPA, concentrates the fraud risk on the provider side, because the provider controls the diagnosis, the treatment record and the bill.
The traditional defences (manual scrutiny of claims by the TPA, rule-based checks, and investigation of individual suspicious claims) catch some fraud but miss the patterns that only become visible across many claims, many claimants and many providers. A single inflated bill may pass scrutiny; the pattern of one provider systematically inflating bills across hundreds of claims, or a ring of claimants and a provider colluding on phantom admissions, is invisible to claim-by-claim review. This is where AI-driven analytics changes the picture: by examining the whole population of claims, the relationships between the parties, and the patterns over time, it surfaces the organised and the systematic fraud that individual review cannot see. This post sets out the fraud typologies, how network and anomaly analytics flag them, the TPA and hospital-network dimension, what the NHCX exchange changes, and the explainability and false-positive discipline that has to govern acting on a flag.
The fraud typologies in group health claims
Effective fraud analytics starts from a clear picture of what the fraud actually looks like, because each typology leaves a different signature in the data. The principal typologies in commercial group health are several.
Inflated and fabricated billing
The most common provider-side fraud is bill inflation: charging for procedures, tests, consumables or room categories beyond what was clinically delivered, upcoding a treatment to a more expensive one, unbundling a single procedure into separately-billed components, or extending the length of stay on paper. Related to it is fabricated billing, where items that were never delivered appear on the bill. Because the cashless claim is built from the provider's own records and bill, this fraud lives in the gap between what was clinically necessary and delivered and what was billed, and it is detectable by comparing a provider's billing patterns against clinical norms and against its peers.
Impersonation and identity fraud
Impersonation is the use of a covered person's policy by someone not entitled to it: a non-member presenting as a covered employee or dependant, or treatment delivered to one person billed under another's cover. In a group programme with many members and dependants, identity fraud exploits the difficulty of verifying that the person treated is the person covered. It leaves signatures in mismatches between the patient's records and the covered member's profile, and in claims patterns inconsistent with the covered person's history.
Provider-side collusion
The most damaging typology is provider-side collusion, where the provider and the claimant (and sometimes an agent or a TPA-side actor) conspire. This includes kickback arrangements, the provider and claimant splitting the proceeds of an inflated or fabricated claim, and organised rings that run many fraudulent claims through a cooperating provider. Collusion is hard to detect on a single claim because the documentation is internally consistent (the provider has manufactured a coherent record), and it is the patterns of relationships across many claims that expose it.
Phantom admissions and treatment
Phantom admissions are claims for hospital stays and treatments that never happened, or that were unnecessary and staged to generate a claim: a patient admitted on paper but not genuinely treated, day-care procedures billed as inpatient stays, or admissions manufactured purely to trigger the cover. This typology is especially associated with certain providers and certain procedures, and it shows up in implausible admission patterns, durations and procedure mixes that deviate from clinical reality.
Why typology matters for detection
These typologies overlap and combine, and the organised fraud that does the most damage usually involves collusion across the chain rather than a lone bad actor. The point of cataloguing them is that each leaves a different data signature: bill inflation shows in billing patterns against peers, impersonation in identity mismatches, collusion in the network of relationships, phantom admissions in implausible clinical patterns. Analytics that knows the typologies can look for the signatures, which is far more powerful than scrutinising claims one at a time without a model of what fraud looks like.
How network and anomaly analytics flag fraud
AI fraud analytics works by examining the whole population of claims and the relationships between the parties, finding the patterns and the anomalies that individual review cannot, and two families of technique do most of the work: anomaly detection and network or graph analytics.
Anomaly detection
Anomaly detection identifies claims, providers, claimants and patterns that deviate from the norm in ways that warrant scrutiny. Rather than relying only on fixed rules, the analytics learns what normal looks like across the relevant dimensions (the typical billing for a procedure, the typical length of stay, the typical claim pattern for a member, the typical case mix for a provider) and flags the deviations: the provider whose average bill for a procedure runs well above its peers, the member whose claim frequency or pattern is implausible, the procedure mix that does not fit the clinical profile, the length of stay that is consistently inflated. Anomaly detection is good at surfacing the bill inflation and the phantom-admission typologies, because those show up as statistical deviations from clinical and peer norms.
Network and graph analytics
The technique that catches the organised, collusive fraud is network or graph analytics, which models the parties (claimants, providers, agents, TPAs, bank accounts, addresses, phone numbers) as nodes and the claims and relationships between them as links, then looks for the structures that signal collusion and rings. A ring of claimants all using the same provider, multiple claims routed to the same bank account, providers and claimants connected through shared identifiers, clusters of relationships that are too dense or too coincidental to be innocent: these are visible in the graph and invisible in claim-by-claim review. Graph analytics is what exposes provider-side collusion and organised fraud rings, because the fraud is in the relationships, not in any single claim, and the graph makes the relationships visible. A provider that sits at the centre of an implausibly dense cluster of high-value claims, connected to claimants who share identifiers and accounts, is a pattern a graph surfaces and a claim reviewer never would.
Combining the techniques across the population
The power comes from applying these techniques across the whole population and over time. Anomaly detection flags the individual deviations, graph analytics flags the suspicious structures, and together they prioritise the providers, claimants and claims that warrant investigation. The analytics does not adjudicate fraud; it surfaces and ranks the cases for human investigation, which is the right division of labour because a fraud determination has consequences and must be made by a person on the evidence. The analytics earns its place by directing the limited investigation capacity at the cases most likely to be fraudulent, and by catching the organised, systematic fraud that individual scrutiny misses entirely.
The TPA, the hospital network and the data dimension
Group health fraud analytics cannot be understood apart from the TPA and hospital-network structure through which group claims flow, because that structure shapes both where the fraud sits and where the data to detect it lives.
The TPA's position
Most group health claims are processed by a third-party administrator, which sits between the insurer and the hospitals, adjudicates the claims, manages the cashless authorisations and the hospital network, and holds the claims data. The TPA is therefore the natural place for much of the fraud analytics to operate, because it has the claims, the provider data and the network relationships. It is also a point in the chain where fraud can originate or be enabled, through collusion involving TPA-side actors, so the analytics has to be able to look at the TPA's own processing patterns as well as the providers and claimants. The relationship between the insurer and the TPA matters: the insurer carries the risk and the cost of the fraud, while the TPA processes the claims, so the incentives and the data-sharing between them have to be aligned for the analytics to work across the whole picture rather than within a single TPA's silo.
The hospital network and the provider view
The hospital network is where the provider-side fraud concentrates, and the provider view is central to the analytics. Building a profile of each provider, its billing patterns, its case mix, its length-of-stay patterns, its claim values against its peers, and its position in the network of claimants, is what surfaces the providers running systematic fraud. A provider that consistently bills above its peers, that sits at the centre of a dense claim network, or that shows implausible admission patterns is the kind of pattern the provider view exposes. The network management (empanelling providers, monitoring them, acting on the ones that show fraud signatures) is part of the defence, and the analytics feeds it by identifying the providers that warrant scrutiny, de-empanelment or investigation.
The data fragmentation problem
The persistent obstacle to group health fraud analytics has been data fragmentation. Claims data has historically sat in silos: each insurer and each TPA has its own data, providers use varied and often non-standard formats, and a fraud ring operating across multiple insurers or multiple TPAs is invisible to any single one of them. A provider running fraud through several insurers, or a claimant ring spread across programmes, can only be seen if the data is brought together, and the fragmentation has limited the analytics to what a single insurer or TPA can see in its own book. The fraud that crosses these boundaries (the same provider, the same ring, operating across the market) is exactly the organised fraud that does the most damage, and it is the hardest to detect from inside a single silo. This is the problem the health-claims data exchange is designed to address, which the next section takes up.
What fraud analytics means for the corporate buyer and the programme
Group health is bought by a corporate for its employees, and the fraud problem and its detection bear directly on the employer that pays for the programme, so the corporate HR and benefits buyer has a stake in how the analytics is run that is easy to overlook when the discussion stays between the insurer and the TPA.
Why the employer should care
Fraud and leakage feed the claims ratio of the group programme, and the claims ratio drives the renewal premium the employer pays. A programme bleeding through inflated bills, phantom admissions and provider collusion is a more expensive programme to renew, and the cost lands on the employer and, through the benefit design, on the employees. So the corporate buyer has a direct financial interest in the insurer and the TPA controlling the fraud effectively, and a benefits buyer evaluating insurers and TPAs should ask what fraud-analytics capability sits behind the programme, because a partner that controls leakage well protects the renewal cost. At the same time, the employer has an equally direct interest in genuine claims being paid promptly and fairly, because the group programme is an employee benefit and a member whose legitimate claim is delayed or wrongly denied on a fraud flag is an employee whose trust in the benefit, and in the employer, is damaged. The corporate buyer therefore sits between two concerns: control the fraud that raises the cost, and protect the honest member from being caught in the fraud net.
The balance the buyer should look for
The right programme is one that catches the organised, systematic fraud (the colluding providers, the rings, the phantom admissions) while paying the genuine claims of honest members promptly, and the corporate buyer should look for evidence that both sides of this are managed:
- Effective detection of organised fraud, through the network and anomaly analytics that surface the systematic abuse, so the leakage that raises the renewal cost is controlled.
- Disciplined handling of flagged claims, with investigation and explainable evidence before any denial, so honest members are not caught by false positives and have their legitimate claims paid.
- A managed false-positive rate, so the fraud effort does not become a tax on honest claimants and a source of friction in the benefit.
- Transparency to the corporate buyer on the claims experience and the fraud control, so the employer can see how its programme is performing and where the leakage is.
The provider-network dimension for the buyer
The corporate buyer also has an interest in the hospital network behind the programme, because the provider network is where much of the fraud concentrates and also where the member's experience is shaped. A network that is well managed, with the fraud-prone providers identified and acted on, both controls the leakage and protects the member from the providers most likely to inflate or fabricate. The buyer choosing a programme is, in part, choosing the network and the network management that comes with it, and the fraud-analytics capability that feeds the network management is part of what distinguishes a well-run programme from a poorly-run one. For a large corporate with a substantial group programme, the conversation with the insurer and the TPA about fraud control, network management and the protection of honest members is a legitimate part of the procurement and the renewal, not a back-office detail.
NHCX, explainability and acting on a flag
Two developments shape how group health fraud analytics matures: the National Health Claims Exchange (NHCX), which changes the data picture, and the explainability and false-positive discipline that has to govern acting on a flagged claim.
What the NHCX changes
The National Health Claims Exchange (NHCX), built under the Ayushman Bharat Digital Mission and supported by IRDAI and the National Health Authority, is a digital exchange that standardises and routes health-insurance claims between providers, insurers and TPAs on a common protocol. By standardising the claims data and the exchange of it, the NHCX addresses part of the fragmentation problem: claims flow in a structured, consistent format rather than in the varied formats that made cross-party analytics hard, and the standardisation makes the data more amenable to the analytics. As adoption grows, a more standardised and connected claims-data environment improves the raw material that fraud analytics depends on, and it raises the prospect of detecting patterns that cross insurers and TPAs, which is where the organised fraud hides. The NHCX is infrastructure, not a fraud tool, but by improving the standardisation and the flow of claims data it strengthens the foundation on which fraud analytics is built, and an insurer or TPA building its analytics should plan for the NHCX-standardised data environment rather than the fragmented one.
Explainability before denying a claim
Flagging a claim as suspicious is not the same as proving it fraudulent, and the gap between the two is where the discipline matters. Before an insurer denies a claim, declines to pay, or acts against a member or a provider on the basis of an analytics flag, it has to have explainable grounds: the analytics has to produce, not just a score, but the reasons a claim or a provider was flagged, so the insurer can examine the evidence, investigate, and make a defensible decision. A fraud determination has serious consequences for the member, the provider and the insurer, and an insurer cannot deny a genuine claim or de-empanel a provider on an unexplained black-box output. The analytics must surface the evidence (the billing pattern, the network structure, the anomaly) so that a human investigator can assess it, and the decision to deny or to act must rest on that investigated evidence with a documented basis, not on the score alone. This is both a fairness requirement and a protection for the insurer, because a wrongly denied claim is a regulatory and reputational exposure, and IRDAI's claim-settlement and policyholder-protection framework requires that claims be handled fairly and that a repudiation be justified.
Managing false positives
The other side of acting on a flag is the false positive: a legitimate claim or an honest provider flagged by the analytics. Because the analytics surfaces deviations and unusual patterns, and because genuine claims can be unusual, a flag is a reason to investigate, not a conclusion of fraud. A high false-positive rate that leads to honest claims being delayed or denied harms members, damages the corporate client relationship, and exposes the insurer, so the analytics has to be tuned to surface the cases most likely to be fraudulent without sweeping up too many genuine ones, and the investigation step has to clear the false positives before any adverse action. The discipline is to treat the analytics as a prioritisation and evidence tool that directs investigation, to keep a human investigator and a documented decision between the flag and the action, and to manage the false-positive rate so the fraud effort does not become a tax on honest claimants. The goal is to catch the organised, systematic fraud that leaks group-health programmes while paying the genuine claims promptly and fairly.
Fraud analytics works on the claims data, but the entitlement it is tested against (what the group policy actually covers, the sub-limits, the room-rent caps, the exclusions and the conditions) lives in the policy wording, and a claim cannot be properly assessed as legitimate or fraudulent without reference to it. Sarvada gives commercial insurance teams structured, searchable access to insurer policy wordings, so the people building and running group-health fraud analytics can ground the assessment in the actual coverage terms the claims are tested against. Request Access to connect your group-health claims and fraud work to the real wording detail of the cover.