Medical File Anomalies India: 62 Parallel Checks per NSTP Case
Medical File Anomalies in India and the 27 Patterns Hiding in Every NSTP Case
Every NSTP file is a collection of stories. The proposal form tells one story. The discharge summary tells another. The lab reports tell a third. The prescriptions tell a fourth. When all these stories align, the file is clean. When they contradict, diverge, or contain elements that defy medical logic, the file contains anomalies.
Medical file anomalies in India are not rare occurrences that appear in occasional suspicious files. They are systematic patterns that appear across the NSTP pipeline with predictable frequency, following recognisable templates, and exploiting known gaps in the manual review process. The difference between an insurer that catches them and one that does not is whether the detection system can see all 27 anomaly patterns simultaneously.
India's health insurance ecosystem loses Rs 8,000 to 10,000 crore annually to fraud, waste, and abuse according to the 2025 BCG report, with approximately 2% of claims confirmed fraudulent and 8% in a grey zone. The IRDAI's Insurance Fraud Monitoring Framework 2025, effective April 2026, mandates predictive fraud architectures that catch these anomalies before policy issuance. The era of reactive, sample-based detection is ending.
What Are the 27 Anomaly Patterns and How Are They Organised?
The 27 anomaly patterns are organised into six dimensions: forensic (4 checks), clinical (10 checks), credential (2 checks), identity (3 checks), behavioural (2 checks), and fraud database (6 checks). Each dimension targets a different aspect of document integrity.
1. Forensic Dimension (4 Checks)
The forensic dimension examines the digital and physical properties of the documents themselves, independent of their medical content.
PDF metadata tampering: The creation software, timestamps, font stacks, and structural fingerprints of every document are analysed. Documents created in consumer software that should originate from hospital systems are flagged. This is the medical document tampering detection layer.
Inconsistent handwriting: Documents containing multiple handwriting styles on the same page, or handwriting inconsistent with the stated author, are flagged through handwriting pattern analysis.
Report on public holiday: Documents timestamped on national or state holidays from facilities that do not operate on those days are flagged as temporally impossible.
Investigation predates prescription: Investigation reports or test results dated before the prescription or order that initiated them violate the causation timeline.
2. Clinical Dimension (10 Checks)
The clinical dimension is the most extensive, covering the medical content of documents for logical consistency, clinical plausibility, and cross-document coherence.
Date sequence violations: Prescriptions before diagnoses, test results before sample collection, discharges before admissions. The date sequence anomaly check validates every temporal relationship across all documents.
Impossible lab values: Values that fall outside the range compatible with human physiology. The impossible lab values check validates every numerical parameter against clinically established reference ranges.
Conflicting diagnoses: One document declares "no history" while another references treatment. The conflicting diagnoses check compares every clinical assertion against every other assertion.
ICD-10 mismatch: The coded diagnosis does not match the clinical narrative. A code for hypertension with a narrative describing asthma indicates document assembly from mismatched sources.
Prescription without diagnosis: A medication is prescribed without any corresponding diagnosis documented in the file, suggesting the prescription is genuine while the suppressed diagnosis reveals a concealed condition.
Lab values vs. narrative: The numerical lab data contradicts the qualitative clinical description. "Sugar well controlled" with an HbA1c of 9.8%.
Clinician specialty mismatch: The treating physician's specialty does not match the condition or procedure documented. The specialty mismatch check verifies every credential against the document content.
Unusual referral: A referral pattern that does not follow standard clinical pathways, such as a direct referral from a GP to a super-specialist for a condition that should first be evaluated by a general specialist.
Treatment duration mismatch: The documented treatment duration is inconsistent with standard clinical protocols for the diagnosed condition.
Abnormal finding, no follow-up: A significant abnormal finding in one document with no corresponding follow-up documentation in the file. This check overlaps with the missing document engine functionality.
3. Credential Dimension (2 Checks)
Doctor credential mismatch: The signing doctor's Medical Council registration does not match the stated qualifications or does not correspond to the specialty required for the documented procedure.
Hospital registration failure: The hospital named on the document is not registered with the relevant state health department, has been deregistered, or appears on IRDAI blacklists. This is the hospital credential fraud detection layer.
4. Identity Dimension (3 Checks)
Address inconsistency: The applicant's address differs across documents in the file, or the treatment location is geographically inconsistent with the stated address.
Name spelling variations: The applicant's name is spelled differently across documents in ways that suggest identity manipulation rather than normal transliteration variance.
DOB discrepancy: The date of birth on the proposal form does not match the date of birth on one or more medical documents.
5. Behavioural Dimension (2 Checks)
Rushed application: The application and all medical documents are submitted within an unusually compressed timeline, suggesting pre-arrangement rather than organic medical evaluation.
Out-of-jurisdiction treatment: The applicant seeks treatment at a facility significantly distant from their residence with no referral or clinical justification.
6. Fraud Database Dimension (6 Checks)
IRDAI blacklisted hospital: The hospital on the document appears on IRDAI's dynamic blacklist of facilities involved in fraudulent activity.
Lab report reuse: The lab report format and template match previously identified fabrication templates in the system's database.
Prescription references absent tests: A prescription references test results or findings from tests that do not appear in the submitted file.
Identical narrative text: The clinical narrative in a document matches text from other applications, indicating copy-paste document forgery.
Additional fraud database checks include cross-referencing entities against known fraud network databases and monitoring for patterns associated with previously identified fraud rings.
27 checks. 6 dimensions. One comprehensive analysis. Under 3 minutes.
Visit InsurNest to learn how Underwriting Risk Intelligence helps insurers detect hidden NSTP risk before policy issuance.
Why Do Fraudulent Files Typically Contain Multiple Anomalies?
Fraudulent files typically contain 3-7 detectable anomalies because fabricating a complete, consistent medical file requires getting dozens of details right across multiple documents, and human fabricators inevitably make errors across multiple dimensions.
1. The Perfection Impossibility
Creating a fraud-proof medical file requires simultaneous expertise in clinical medicine, PDF technology, administrative processes, and regulatory requirements. No single fraudster possesses all four areas of expertise. The clinical content may be plausible, but the metadata betrays the creation tool. The dates may be consistent within each document, but they violate cross-document clinical logic. The credentials may be real, but they do not match the specialty.
2. Scale Degrades Quality
Fraud rings produce documents at volume. Quality control degrades as volume increases. The first few documents from a fabrication unit may be carefully crafted. By the fiftieth, shortcuts accumulate: templates are reused without modification, dates are assigned without checking clinical sequence, credentials are attached without verifying specialty alignment.
3. Cross-Dimensional Correlation
When anomalies appear across multiple dimensions, the probability of innocent explanation drops exponentially. A metadata flag alone might be a scanning artefact. A date anomaly alone might be a clerical error. A credential mismatch alone might be a rural practice reality. But metadata tampering plus date sequence violation plus credential mismatch creates a three-dimensional signal that virtually eliminates innocent explanations.
| Anomalies Detected | Fraud Probability | Recommended Action |
|---|---|---|
| 0 | Baseline risk | Standard underwriting |
| 1 | Low-moderate | Enhanced review of flagged area |
| 2 | Moderate-high | Senior underwriter review |
| 3-4 | High | Case hold, additional documentation |
| 5+ | Very high | Investigation referral |
How Does Anomaly Scoring and Aggregation Work?
The anomaly scoring system assigns individual severity scores to each detected anomaly and then aggregates them into a file-level score that accounts for the number, severity, and cross-dimensional correlation of all detected signals.
1. Individual Anomaly Scoring
Each anomaly type has a base severity score. A date sequence violation involving a prescription before a diagnosis scores higher than one involving a 1-day discrepancy in follow-up timing. An impossible lab value that is physiologically lethal scores higher than one that is merely implausible. This severity differentiation prevents low-confidence signals from dominating the assessment.
2. Cross-Dimensional Multiplier
When anomalies appear in multiple dimensions simultaneously, a correlation multiplier is applied. A forensic anomaly plus a clinical anomaly is more significant than two forensic anomalies, because cross-dimensional correlation eliminates more innocent explanations. The multiplier increases with each additional dimension involved.
3. File-Level Aggregation
Individual scored anomalies are aggregated into a single file-level anomaly score. This score determines the recommended action: standard review, enhanced scrutiny, case hold, or investigation referral. The aggregation formula weights both the total number of anomalies and their cross-dimensional spread.
4. Portfolio Contextualisation
The file-level score is contextualised against the portfolio. How does this case compare to the average anomaly profile? Does it share patterns with other flagged cases? Is it connected to entities associated with other flagged applications? This contextualisation connects individual case analysis to portfolio-level fraud ring detection.
What Does the Complete Anomaly Detection Workflow Look Like?
The complete anomaly detection workflow runs from file intake through analysis, scoring, decision brief generation, and audit trail documentation, integrating seamlessly into the existing underwriting process.
1. Automated Intake
The NSTP file is uploaded. All documents are immediately processed: OCR for text and value extraction, metadata extraction for forensic analysis, credential extraction for verification queries.
2. Parallel Analysis
All 27 anomaly checks execute simultaneously. The forensic layer does not wait for the clinical layer. The credential layer does not wait for the identity layer. Parallel execution enables the entire analysis to complete in under 3 minutes.
3. Scoring and Classification
Each detected anomaly is scored individually. Cross-dimensional correlations are computed. The file-level anomaly score is generated. The case is classified into the appropriate action category.
4. Decision Brief Generation
The underwriter decision brief is generated with all anomaly findings integrated alongside the 35 risk check results and missing document analysis. The brief provides a single-page summary that tells the underwriter exactly what to focus on.
5. Underwriter Review
The underwriter reviews the brief, examines flagged documents, and makes their decision informed by both AI analysis and their own medical expertise. The AI does not make the decision. It provides the evidence. The underwriter provides the judgment.
6. Audit Trail
Every check, every finding, every score, and every decision is recorded in the IRDAI audit trail. This trail satisfies regulatory requirements and creates defensible documentation for any subsequent claim disputes.
From file intake to decision brief. 62 checks. Under 3 minutes. Every case.
Visit InsurNest to learn how Underwriting Risk Intelligence helps insurers detect hidden NSTP risk before policy issuance.
What Is the Business Case for Comprehensive Anomaly Detection?
The business case rests on four pillars: fraud prevention savings, throughput multiplication, loss ratio improvement, and regulatory compliance, delivering a combined ROI of 15-25x the technology investment.
1. Fraud Prevention
Fraud detection rates improve from 60-75% under manual review to over 90% with comprehensive anomaly detection. The incremental fraudulent policies caught translate directly to avoided claims worth Rs 4-6 crore annually.
2. Throughput Multiplication
Underwriter capacity increases from 15-25 cases to 40-60 cases per day. Review time drops from 45-60 minutes to 8-12 minutes per case. NSTP backlogs are cleared faster, improving customer experience and reducing pipeline risk.
3. Loss Ratio Improvement
Health insurance loss ratio improvement of 4-8 percentage points is achievable through systematic fraud prevention at underwriting. For portfolios operating at 85-95% loss ratios, this improvement can mean the difference between portfolio loss and portfolio profitability.
4. Regulatory Compliance
The IRDAI 2025 framework mandates predictive fraud detection with documented audit trails. Comprehensive anomaly detection fulfils this mandate directly, creating the evidence base required for Fraud Monitoring Committee reporting and regulatory examination.
| Investment | Value |
|---|---|
| Technology cost | Rs 20-35 lakhs per year |
| Fraud prevention savings | Rs 4-6 crore per year |
| Throughput improvement | 2-3x cases per underwriter |
| Loss ratio improvement | 4-8 percentage points |
| ROI | 15-25x |
Frequently Asked Questions
What are medical file anomalies in health insurance?
Medical file anomalies are irregularities, inconsistencies, and suspicious patterns across the entire set of documents in a health insurance application file, spanning forensic, clinical, credential, identity, behavioural, and database dimensions that collectively indicate fabrication, tampering, or non-disclosure.
How many anomaly patterns does Underwriting Risk Intelligence check?
Underwriting Risk Intelligence checks 27 distinct anomaly patterns across six dimensions: 4 forensic checks, 10 clinical checks, 2 credential checks, 3 identity checks, 2 behavioural checks, and 6 fraud database checks, plus 35 additional risk checks for a total of 62.
Can a single anomaly confirm fraud?
A single anomaly rarely confirms fraud because innocent explanations may exist for individual irregularities. However, multiple anomalies across different dimensions create compound signals with exponentially higher fraud probability, with 3 or more signals typically warranting investigation.
Why do files contain multiple anomalies rather than just one?
Fabricating a complete medical file requires getting dozens of details right across multiple documents, dates, values, credentials, and narratives. Human fabricators inevitably make errors across multiple dimensions, meaning fraudulent files typically contain 3-7 detectable anomalies.
How does anomaly scoring work?
Each detected anomaly receives a severity score based on its type, clinical significance, and confidence level. Individual scores are aggregated into a file-level anomaly score that accounts for both the number of anomalies and their cross-dimensional correlation.
What is the difference between a risk signal and an anomaly signal?
Risk signals indicate elevated medical, lifestyle, or hereditary risk that affects pricing and acceptance decisions. Anomaly signals indicate potential fraud, fabrication, or manipulation of the documents themselves. Both are critical for accurate underwriting decisions.
How does Underwriting Risk Intelligence present anomaly findings to underwriters?
The system generates a structured Underwriter Decision Brief that lists every anomaly detected with specific document and page references, severity scores, and cross-dimensional correlations, enabling the underwriter to focus their review on the areas that require human judgment.
What ROI does comprehensive anomaly detection deliver?
Comprehensive anomaly detection delivers Rs 4-6 crore in annual savings against a technology cost of Rs 20-35 lakhs, through fraud prevention, throughput improvement from 15-25 to 40-60 cases per day, and loss ratio improvement of 4-8 percentage points.
Sources
- BCG: Rebuilding Trust - Combating Fraud, Waste, and Abuse in India's Health Insurance Ecosystem (2025)
- IRDAI Insurance Fraud Monitoring Framework Guidelines 2025
- Ankura: IRDAI 2025 Insurance Fraud Monitoring Framework Playbook
- India's Health Insurance Losing Rs 10,000 Crore a Year to Fraud
- University of Pretoria: PDF Tampering Detection Technique (2025)
