This is a composite case based on patterns I have seen in family-run healthcare practices.
This case came to me through the practice’s CPA. Revenue had grown at the medical spa for three years while margins kept declining. Cost increases did not explain the trend, and refund volume climbed each year. The CPA told the owner the numbers needed a forensic review, and the owner called me. What I found was a textbook example of refund fraud in a medical spa and how it bypasses standard bookkeeping and bank reconciliation.
The practice was a family-run medical spa in a major metro market. The owner was the physician running it. His wife handled day-to-day operations on site. The practice also employed two licensed estheticians who were also nurse practitioners, and they handled the majority of patient appointments. Their adult daughter worked at the front desk and had been there since the practice opened. His mother handled the bookkeeping twenty hours a week. The arrangement had been in place for six years.
The CPA’s instinct on the referral was right.
What the Books Showed
Bank statements showed steady deposit volume with no obvious anomalies. Square deposits matched the daily sales reports, QuickBooks reconciled cleanly each month, and the CPA’s annual review found nothing material on the income statement. None of that surprised me at this stage of the engagement. Bank-level reconciliation only confirms the totals that made it into the report, and the report came from the same person processing the refunds. The details I needed were sitting in the scheduling system and the transaction-level payment records.
Forensic accounting for medical spas starts at the transaction level, not the bank level. The same applies to forensic accounting for healthcare practices across the board.
I asked for three data pulls: scheduling exports for the trailing 90 days, bank deposits for the same window, and patient payment records broken out by transaction.
What the Data Revealed

The scheduling system recorded 1,740 completed appointments in the 90-day window. The payment receipts supported about 1,500 visits at the practice’s average ticket. The shortfall came to 240 visits inside three months. At an average ticket of $300, the unaccounted activity totaled near $72,000 for the 90-day window.
For the second check, I cross-referenced the new patient intake records against payments. Seven patients showed up with intake forms, services rendered, and no payment record. Another nineteen patients showed completed visits and refunds processed within 48 hours of payment.
For the third check, I pulled ten deposit dates and matched appointments to charges, refunds, and voids. The deposit math did not work on six of the ten dates. Refunds had been manually keyed to a card that was not the original payment instrument.
The card belonged to the daughter at the front desk.
How Refund Fraud Happens in Medical Practices
The owner had not reviewed a refund log in four years. The bookkeeper, his mother, had reconciled the bank without ever cross-referencing refunds against patient records. The daughter handled intake, took payments, processed refunds, and closed out the daily batch.
One person controlled intake, payments, refunds, and the daily close. No second set of eyes anywhere in the workflow.
Once the pattern was clear from the 90-day sample, I pulled every refund processed during the four-year window. I flagged each one routed to a non-original card or processed without a matching cancellation in the scheduling system. The full review produced the documented loss figure.

The total documented loss across the four-year window was approximately $312,000. The pattern had intensified sharply in years three and four, with year four carrying the majority of the documented loss.
I had documented a textbook case of embezzlement in healthcare practices, running undetected inside the workflow for four years.
The Internal Control That Would Have Caught This Earlier
Every refund should require documented approval from someone who did not process the payment. Implementing that one control would not have prevented the fraud outright. It would have made manipulation harder to execute by a single person and far more likely to come to light during review. The daughter could continue to process legitimate intake and payment. Routing each refund through a second approver outside the family would have created a documentation trail. To continue running the fraud, the daughter would have needed to recruit that approver into the scheme.
Separation of duties in a medical practice means a second hand on the keyboard before money moves out. The second approver cannot be someone whose interests align with the person processing the refund. In family-run practices, that requirement usually means an outside reviewer, because internal family roles do not produce real separation.

Internal controls for medical spas and self-pay healthcare reduce opportunity. They do not eliminate fraud risk. What they do is shrink the conditions where workflow access turns into undetected access to the money. The documentation trail also exposes anomalies when someone outside the family reviews the activity.
Payment handling controls in healthcare are one of the weakest control areas I see in $1M+ family-run practices, where stated policy and actual workflow often diverge. Forensic accounting for medical spas exposes that divergence and produces the documentation needed to address it.
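The refund review and the approval control described above can be expressed as a short script. This is an added example, not a tool used in the engagement: it flags refunds routed to a non-original card, refunds with no matching cancellation, refunds within 48 hours of payment on a completed visit, and refunds without approval from someone other than the person who took the payment. All records and field names are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data. Field names and values are assumptions for this
# example, not the export format of any real scheduling or payment system.
VISITS = {"V1": "completed", "V2": "cancelled", "V3": "completed"}
PAYMENTS = {
    "P1": {"visit": "V1", "card": "tok_A", "at": "2024-03-01T10:00", "by": "frontdesk"},
    "P2": {"visit": "V2", "card": "tok_B", "at": "2024-03-02T11:00", "by": "frontdesk"},
    "P3": {"visit": "V3", "card": "tok_C", "at": "2024-03-03T09:00", "by": "frontdesk"},
}
REFUNDS = [
    {"id": "R1", "payment": "P1", "card": "tok_Z", "at": "2024-03-02T16:00", "approved_by": None},
    {"id": "R2", "payment": "P2", "card": "tok_B", "at": "2024-03-05T12:00", "approved_by": "reviewer"},
    {"id": "R3", "payment": "P3", "card": "tok_C", "at": "2024-03-10T09:00", "approved_by": "frontdesk"},
    {"id": "R4", "payment": "P9", "card": "tok_Z", "at": "2024-03-11T09:00", "approved_by": None},
]


def flag_refund(refund, payments, visits, window=timedelta(hours=48)):
    """Return the reasons a refund needs manual review (empty list = clean)."""
    pay = payments.get(refund["payment"])
    if pay is None:
        return ["no_original_payment"]  # refund with nothing to refund against
    reasons = []
    status = visits.get(pay["visit"])
    if refund["card"] != pay["card"]:
        reasons.append("non_original_card")
    if status != "cancelled":
        reasons.append("no_matching_cancellation")
    elapsed = datetime.fromisoformat(refund["at"]) - datetime.fromisoformat(pay["at"])
    if status == "completed" and timedelta(0) <= elapsed <= window:
        reasons.append("refund_within_48h_of_completed_visit")
    # Approval only counts if it comes from someone who did not take the payment.
    if refund["approved_by"] in (None, pay["by"]):
        reasons.append("no_independent_approval")
    return reasons


def review(refunds, payments, visits):
    """Map refund id -> reasons, for flagged refunds only."""
    flagged = {}
    for r in refunds:
        reasons = flag_refund(r, payments, visits)
        if reasons:
            flagged[r["id"]] = reasons
    return flagged


if __name__ == "__main__":
    for rid, reasons in review(REFUNDS, PAYMENTS, VISITS).items():
        print(rid, ", ".join(reasons))
```

A flag is a reason to pull the underlying patient and payment records, not a finding on its own.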
How to Detect Fraud in a Medical Spa
I have worked this pattern across multiple family-run medical practices. The names and dollar amounts vary, but the underlying structure stays the same.
High-volume self-pay healthcare creates the opening, family roles remove the verification, and a payment processor produces a clean summary that hides the detail.
Detection in medical practices begins when someone outside the family starts looking at the math.
Medical spas, chiropractic clinics, and other self-pay practices over $1M face the same exposure. The question worth asking is whether your books would survive a forensic review.
How to detect fraud in a medical practice comes down to three forensic checks: appointment volume against payment receipts, intake patterns against refund activity, and deposit-to-appointment matching across a sample of dates.
This is where forensic accounting for healthcare practices becomes necessary. Medical spa bookkeeping best practices include timely reconciliation, accurate revenue recognition, and clean documentation. Internal controls for medical spas include authorization protocols, separation of duties, and independent review of high-risk activity like refunds and voids. Direct testing of refunds, deposits, and patient activity requires forensic credentials, typically a CFE or CFF, regardless of which practitioner role is performing the work. A common structure for $1M+ practices combines three roles: a fractional CFO for financial oversight, an outside accountant for tax work, and a forensic accountant for periodic deep testing.
The owner now reviews the refund log every Friday. He brought in a fractional CFO for quarterly oversight.
Fraud prevention in medical practices starts with visibility into how money moves. If your process cannot withstand a forensic review, it will not survive an insurance claim investigation, an investor due diligence review, or a divorce proceeding.

Lots of Love, Coffee and Chocolate,
Dangerously in Love with Finance and the HBoF Family
CFE + Fractional CFO | Healthy Bodies of Finance. Helping health and wellness practices generating over one million dollars annually build the financial infrastructure that keeps what they earned.


