Summary Note of Panel Discussion – 5 June 2025
Panellists: Gaon Hart, NHS Counter Fraud Authority; Emma Ruane, Partner, Peters & Peters LLP; Nick Vamos, Partner, Peters & Peters LLP; Ivan Heard, Partner EY
Introduction
Fraud is not something one expects to find within the NHS, an institution dedicated to the greater good with employees and suppliers committed to ensuring the best value for money. However, despite stringent processes in place to secure value for money, fraud does occur, and detecting and preventing it has always been challenging. The NHS has been fighting fraud for a number of years through the NHS Counter Fraud Authority (NHSCFA), and now investigations are being proactively enhanced with the use of AI to identify fraud and in their response to the new Failure to Prevent Fraud offence.
Why Does Fraud Occur in the NHS?
Emergency procurement situations often lead to vulnerabilities. Lifesaving medicines and machines may be required urgently. This urgency can create a tension between maintaining high standards in best practices (for example obtaining multiple quotes and conducting thorough due diligence) when addressing the pressing need to purchase the required product. If a machine essential for saving lives is stolen, it must be replaced immediately to prevent fatalities. The hospital may find itself in the situation of having to purchase a replacement before it has had time to complete appropriate due diligence on the vendor.
Internal fraud by employees, although rare, does happen due to the size of the organisation and the fraud risk is around £39 million annually. One example of this is a nurse working for multiple trusts full time, without notice and earning multiple salaries.
Also of note is that the evolution of technology enables fraud – for example the use of generative AI to falsify an invoice or a website to create perceived legitimacy. This behaviour is particularly prevalent with organised crime groups.
Detecting Fraud in the NHS
Project Athena
Project Athena developed by the NHSCFA, utilizes AI to detect large-scale fraud by proactively identifying risks early, enabling early prevention or enforcement measures. Data is key to identifying where there may be fraud. Project Athena’s data science team flags suspicious activity which can then be interpreted by fraud specialists who determine whether it indicates fraudulent intent or results from poor policy or practice.
Knowing where to look for fraud in a cost-effective way has always been a challenge but using AI as a detection tool has made this possible. The complexities associated with large-scale data, particularly data managed by the NHS, present significant challenges. However, the AI technology employed by Project Athena can address such issues effectively.
Using AI
By extracting, refining and analysing data from multiple sources including data captured within the NHS, Project Athena uncovers valuable insights and detects patterns that may indicate fraud. It spots vulnerabilities, actively monitors changes in behaviour and enables swift, evidence-based interventions. Project Athena has elevated fraud detection in the NHS by building on an analytical approach, using AI to identify potential fraud patterns and outliers in healthcare data to improve accuracy and focus on the biggest risks. For example, focusing on identifying repeated procedures for the same patient within short timeframes that may indicate potential double- counting or billing manipulation. Its approach means that it can lead to more targeted investigations or the introduction of preventative action and therefore is more cost-effective.
Entity Resolution is a cutting-edge technique that can be used in complex data such as healthcare data. It identifies and links records across different data sources that relate to the same real-world entity. By merging duplicate or related records that may not share unique identifiers, it can improve data quality and help to identify fraud that had previously gone unnoticed. For example, graph analytics can highlight relationships that should not exist or were previously hidden and therefore identify conflicts not declared or collusion between two entities. AI also addresses more sophisticated fraud typologies: as fraudsters become more innovative, this will be crucial in an organisation as complex as the NHS where many different types of fraud can occur.
Improving Data Insights
Using AI allows for the collation of more insightful data. This allows for more accurate identification of a person’s interactions and actions by drawing on a myriad of data sources.
Across different sectors, there has been much testing of AI outcomes to validate the accuracy of AI tools. Tests to compare the predictions of AI against the real-world outcome have been conducted and produce the same results.
To drive greater use of AI across the wider public sector, the government has conducted trials of the use of M365 Co-pilot in delivering investigations. These trials have been found to improve the efficiency of investigations by resulting in a reduction in the manual time required so quicker outcomes can be reached by the fraud investigation team.
Having access to data is a necessity to enable the detection of fraud through AI. However, data concerns arise in different areas.
Data Quality
The quality of data is an issue and there is an expectation that data must be perfect before you can use data techniques, however, data will never be perfect. Imperfect data is not a reason to not use AI tools; technology has evolved to prove effective despite imperfect data.
Data Privacy
When collecting data, authorities must adhere to legal and privacy regulations. This is not a barrier to sharing or using data if it is for the right reason, used appropriately and under proper conditions, as guided by the interpretation of the regulations.
New Failure to Prevent Fraud (FTPF) Legislation
As well as AI, the NHSCFA is also responding to the new FTPF legislation. The key tenets of the new offence are that it applies to large organisations which are liable to prosecution if they or their clients derive a benefit from failing to prevent fraud committed on their behalf by an associated person. An employee, agent or a subsidiary of the organisation is automatically an associated person. A party who provides services for or on behalf of the organisation is also an associated person while providing those services. It is a defence for an organisation to show that it had reasonable procedures in place to prevent fraud.
The Home Office released guidance in 2024 on the kinds of procedures organisations should put in place to prevent persons associated with them committing fraud. The guidance is neither exhaustive nor binding, and what is “reasonable” will always be fact specific. The guidance is based on six principles:
- Top-level commitment
- Proportionate risk-based prevention procedures
- Communication (including training)
- Risk assessment
- Due diligence
- Monitoring and review
How the NHS is responding to FTPF legislation
Whilst the NHSCFA does not currently meet the threshold of a ‘large organisation,’ it is still implementing the requirements under the recently published Home Office guidance as good practice and is assisting the Local Counter Fraud Specialists (LCFSs). The NHSCFA is proactively working with the Home Office Policy Team in respect of the offence and is leading by example by undertaking an advisory role across the NHS.
An internal Enterprise Fraud Risk Assessment (EFRA) has been conducted to identify key thematic fraud risk areas, which include ‘outward’ fraud. The findings of the EFRA inform the Counter Fraud Action Plan (CFAP) to ensure the NHSCFA has risk-based and proportionate fraud prevention measures in place. This includes enhanced vetting procedures for employees. An organisation the size of the NHS has to ensure that third parties providing services on its behalf, including small ones, comply with the new requirements of FTPF.
Enforcement of FTPF
The new legislation comes into effect on 1 September 2025. The FTPF guidance issued by the Home Office is high-level in terms of what organisations would need to demonstrate with respect to reasonable procedures. The SFO will take a leading role in enforcement and the expectation is that the SFO, as well as the Crown Prosecution Service will want to start prosecuting organisations as soon as possible. The rulings in these cases will offer organisations clearer guidance on what they need to demonstrate to have a defence of reasonable procedures.
Whistleblowing
One of the ways in which potential cases for the SFO and the Crown Prosecution Service to investigate and prosecute may come to light is an organisation self-reporting. For an organisation to do this, whistleblowing is a key mechanism by which potential frauds will come to its attention. Rewarding whistleblowers for exposing fraud, as in the US, is one mechanism that could be utilised although it has its detractors: it may incentivize malicious claims and undermine the quality of evidence. An alternative or complementary approach is to offer whistleblowers better protection when they do raise a claim to encourage them to have the confidence to come forward.
Self-reporting for an organisation also carries its own risks for that organisation. If an organisation self-reports and then suffers a reduction in its share price due to concerns about reputation and future financial viability, investors that have suffered a loss may make a claim on the basis that the organisation had known that there had been a fraud committed.
Conclusion
The integration of AI and the implementation of new legislation represent significant strides in the NHS’s ongoing battle against fraud. By leveraging advanced technologies and adhering to stringent legal frameworks, the NHSCFA is setting a precedent for other organisations to follow. As the landscape of fraud continues to evolve, so too must the strategies employed to combat it, ensuring that resources intended for the greater good are protected and utilized effectively.
Emma Ruane
Emma Ruane is a Partner at Peters & Peters Solicitors LLP, specialising in high-value, multi-jurisdictional civil fraud and competition litigation. With over a decade of experience in civil and commercial disputes, Emma has developed significant expertise in navigating complex legal matters, often with an international dimension. A notable achievement in her career is her role in representing the Republic of Mozambique in the widely publicised “tuna bonds litigation,” which The Lawyer magazine described as featuring “one of the weightiest line-ups” in its 2023 top 20 cases of the year, involving around 30 parties and no fewer than 14 King’s Counsel.
Nick Vamos
Nick Vamos is a Partner and Head of Business Crime at Peters & Peters Solicitors LLP, bringing over 20 years of experience in criminal law, particularly in international, high-profile, and sensitive matters. Prior to joining the firm in 2017, Nick held senior positions at the Crown Prosecution Service, including Head of Special Crime, Head of Extradition, and Head of the UK Central Authority for the Home Office. He also served as the UK Liaison Prosecutor in Washington, D.C., where he worked closely with the U.S. Department of Justice on UK/US investigations.
Gaon Hart
Gaon Hart is a seasoned qualified lawyer and compliance architect, with experience spanning government prosecution, global financial institutions, and public sector governance. He possesses deep expertise in fraud prevention, investigation, and prosecution, having led high-profile cases for the Crown Prosecution Service and advised institutions on fraud risk, regulatory strategy, and legal integrity. Gaon has played a pivotal role in shaping national counter-fraud frameworks and developing globally scalable compliance systems that address both opportunistic and systemic fraud. With a strong emphasis on prevention over enforcement, his work is grounded in ethics and social justice, making him a trusted advisor across both public and private sectors.
Ivan Heard
Ivan Heard is a Partner in EY’s Financial Crime & Forensics practice, based in London. With over a decade of experience, he specialises in fraud investigations, forensic data analytics, and financial crime compliance, and has a proven track record in delivering financial crime transformation programmes within the banking sector. Before rejoining EY in 2024, Ivan was the Global Head of Fraud Solutions at Quantexa and previously worked at the UK’s Serious Fraud Office. A Chartered Accountant and Certified Fraud Examiner, Ivan combines deep investigative expertise with advanced analytics to assist clients in detecting, preventing, and responding to complex financial misconduct.