Back to Practice Pulse

    How to Catch an Employee Stealing from a Dental Practice: A Practice Owner's Playbook

    11 min read
    Compliance
    Practice Tips
    Dental practice owner discreetly reviewing financial records
    Share this article:
    Free Download

    Illegal Dental Billing Red Flags Checklist

    A 2-page checklist of the specific patterns that signal illegal dental billing practices in your ledger, with the exact codes and transactions to flag in your next audit.

    If you are reading this, you are already past the hardest part. Most practice owners who lose money to employee theft never let themselves suspect it until the damage is years deep. Acting on a suspicion is uncomfortable. Ignoring one is expensive.

    Start With What Made You Suspect Something

    The investigation starts from the trigger, not from the investigation. Something specific made you type this into a search bar. The pattern that got your attention is usually the thread to pull. Write it down before you do anything else.

    It might be a sudden change in deposits. It might be a staff member who seemed nervous around a specific patient's account. It might be a bank withdrawal you cannot account for, a refund that does not match any patient, a credit card batch report that does not tie to the day's production. Whatever it is, it is not random. You noticed it because it did not fit the pattern. That same anomaly is what forensic accountants look for, and it is what automated reconciliation systems flag. Trust it.

    Your suspicion may turn out to be explainable. But if there is theft happening, it almost always started small, grew as confidence built, and is now producing the anomaly that got your attention. The goal of this playbook is to confirm or rule out the suspicion quickly, without giving the suspected employee a chance to alter records, destroy evidence, or flee.

    The First Rule: Do Not Confront the Employee

    This is the hardest part of the playbook, because the natural instinct is to call the person into your office and ask them directly. Do not do this. Confrontation at this stage does three things, all bad.

    It tips off the employee that you are suspicious, which gives them hours or days to delete entries from your practice management system, shred paper records, transfer funds out of accessible accounts, or simply quit and disappear. It destroys the chain of custody you will need if this becomes a criminal case or an insurance claim. And it can expose you to a wrongful termination suit if you are wrong about the specific person.

    Confrontation also rarely produces a confession from someone who has been stealing methodically. Embezzlers who have operated for months or years have rehearsed their explanation. They will have a story ready. You will hear it, doubt yourself, and move on. Meanwhile the theft accelerates because they now know you are watching.

    Until you have documentary evidence organized and counsel engaged, say nothing to the suspected employee that is different from what you would say on a normal day.

    Step One: Preserve Records Immediately

    Before you do anything else, make sure the records you will need cannot be altered.

    Your practice management system keeps audit logs of every transaction, but those logs can often be disabled, edited, or rolled over at the database level by someone with administrator access. The first call is to your practice management vendor's support line, asking for a full backup of the current database plus audit logs exported to a file. Tell them you are doing a scheduled audit, which is true. Do not share that you suspect theft, and do not use the employee's computer to make the request.

    Your bank statements for the past two years should be downloaded or requested in PDF from the bank. Your merchant processor statements for the same period. Your insurance remittance history. Your credit card processor batch reports. Any outside vendor portals the practice uses for supplies, labs, or payroll.

    Take a screenshot or export of the employee's user activity log in your practice management system for the past 90 days. That becomes your baseline for what they were doing around the anomaly.

    Store these in a location the suspected employee does not have access to. If your practice's file server is shared, put them on a personal external drive or a cloud account only you control.

    Step Two: Reconcile the Numbers Quietly

    You now need to know whether the anomaly you noticed is a pattern or a one-time event.

    Pull three numbers for the same period, ideally the most recent 12 months broken down by month.

    The first is what your practice management system says was collected. This includes all payments logged, patient and insurance, by posting date.

    The second is what actually reached your bank accounts, the deposits and electronic payments that show up on bank statements. Card batches, checks, insurance EFTs, patient card payments, cash deposits.

    The third is what your insurance remittances say the payers sent you, by posting date.

    In a clean practice, these three numbers reconcile month over month with small variances for timing. In a practice with theft, they do not. Specifically, collections logged in the practice management system are higher than deposits reaching the bank, because logged payments are being reversed or voided after collection but before deposit. Or insurance remittances show payments that do not appear in either the practice management system or the bank, because someone is intercepting them.

    This reconciliation is the core of what automated tools like Zeldent do continuously. Done manually it takes a weekend, possibly more if records are messy. It is worth it, because it is the closest you will come to proof before you bring in outside help.

    Step Three: Look for the Specific Signatures of Theft

    Certain patterns show up repeatedly in dental practice embezzlement cases.

    Voided or adjusted transactions clustered around one employee's user ID. A busy practice has maybe 2-5 percent of transactions voided or adjusted on a typical day. If one employee's user produces 15-20 percent of the voids, that is either a training issue or deliberate. Check whether the voided transactions correlate with specific patients, often the employee's own friends or family.

    Patient payments received but never posted. Look for patient complaints about balances they thought they paid. Look for credit card batch reports with patient names that never appear on your deposit slips.

    Refunds to accounts that do not exist or accounts the employee controls. Run a report of all refunds for the past year and trace each one to the original payment. Refunds to cards, checks, or accounts that do not match the original payment source are the strongest single indicator of employee theft.

    Aging credit balances that never clear. In a healthy practice, credit balances are refunded or applied to future charges within weeks. Credit balances that sit unresolved for months, or entire patient accounts with long histories of unexplained credit activity, signal that someone is using the credit system to move money.

    Cash deposits that lag behind cash collections. If your practice logs $500 in cash payments in a day but only $300 shows up on the deposit slip, the $200 is either missing or being held for future deposit. Consistent patterns like this across weeks or months are not accidental.

    Insurance payments received but not posted. Insurance remittances are on record with the payer. If you cross-reference payer EFTs against your posted insurance payments and find gaps, someone intercepted those funds.

    Step Four: Check Who Had Access and When

    Every theft investigation comes back to access and timing.

    Pull a list of every user with administrative access to your practice management system. Any user who can void, adjust, refund, or change audit settings without oversight is a potential actor. If you have too many administrators, that itself is the problem, and it is common in practices that grew without formal access controls.

    Check bank account signing authority. Who can sign checks, who has online banking access, who can initiate ACH transfers. Check credit card processing access. Who can issue refunds, who can change the merchant account settings.

    Cross-reference user access against the periods where the anomalies appeared. If deposit shortages started in March and a specific employee got access to refund processing in February, that is a lead, not a coincidence.

    Step Five: Engage the Right Professionals

    At this stage, if you are seeing patterns, you stop investigating alone and bring in the professionals who can turn patterns into proof.

    A healthcare compliance attorney first, before any other call. The attorney will retain the forensic accountant and coordinate the investigation under attorney-client privilege, which protects the work product if this becomes litigation. Do not hire a forensic accountant directly, the privilege protection is lost.

    The attorney will also advise on whether and when to notify your insurance carrier. Most business insurance policies include employee dishonesty coverage, often limited to $25,000 to $250,000 depending on the policy. Claims have strict notification requirements and failure to notify within the required window can void coverage entirely.

    The attorney will also advise on reporting. Federal healthcare program fraud has mandatory reporting obligations. Commercial insurance fraud has insurer notification requirements. State dental boards have licensee reporting requirements in certain circumstances. Getting the sequencing wrong can convert a recoverable loss into a regulatory problem.

    Do not call the police first. Law enforcement will take a report, but they will not investigate dental embezzlement with the depth your attorney and forensic accountant can. The criminal referral happens later, after the private investigation has organized the evidence, and it happens through your attorney.

    Step Six: Decide on the Employee

    Once you have evidence and counsel, the decision on the employee is a legal question, not an emotional one. Your attorney will advise on the specific steps based on your state law and the evidence.

    In most cases, the sequence is termination for cause with documented performance basis, not accusing the employee of theft in the termination meeting itself. The criminal and civil case against the employee is built in parallel and executed after termination. This sequence protects you from wrongful termination claims and preserves your evidence.

    Do not sign a separation agreement that includes a mutual release until you know the full scope of the loss. A release you sign today may bar you from recovering funds you discover next month.

    What to Expect on Recovery

    Honest answer, recovery is rarely complete. Most dental practice embezzlement cases recover 20-40 percent of the stolen funds through a combination of insurance payout, civil judgment, and restitution ordered in criminal sentencing. Employees who stole small amounts often spent it. Employees who stole large amounts often have no assets to seize. The money is usually gone.

    The goal of the investigation is not recovery, it is stopping the loss, preventing the practice from taking on liability for the fraud, and ensuring the employee cannot do this to their next employer. A well-documented case is also what makes insurance recovery possible for the portion that is covered.

    How Zeldent Prevents This From Happening Again

    After practices go through an embezzlement investigation, almost every owner says the same thing, they wish they had noticed sooner. Three or six or twelve months of theft turns into a much larger problem because the patterns were there the whole time, but no one was watching.

    Zeldent is the watching. The system continuously reconciles what is in the practice management system against what reaches the bank, against what the insurance payers remitted, and against the clinical record. Anomalies that would take a weekend to find manually surface in the daily dashboard. Refunds to accounts that do not match original payments, voids clustered around one user, insurance payments that disappeared, cash deposits that lag cash collections, all of it flagged for the owner before it accumulates.

    This is not surveillance of employees, it is continuous financial hygiene that makes the practice itself embezzlement-resistant. Good employees work better in a transparent environment. Bad employees leave or never start. And the owner gets to run the practice without the quiet fear of what they might be missing.

    Bottom Line

    If something feels off, it probably is. The cost of investigating a suspicion that turns out to be nothing is one evening of your time. The cost of ignoring a suspicion that turns out to be real is often six figures and months of stress. Start with the records. Stay quiet until you have counsel. Let the professionals turn patterns into proof.

    If you are seeing anomalies in your practice's numbers and want continuous oversight that surfaces them before they become a case, schedule a demo of Zeldent. The system reconciles your practice management system against your bank and insurance records daily and flags exactly the patterns this playbook describes.

    Share this article:

    Illegal Dental Billing Red Flags Checklist

    A 2-page checklist of the specific patterns that signal illegal dental billing practices in your ledger, with the exact codes and transactions to flag in your next audit.

    Ready to protect your practice revenue?

    Missed collections and revenue leaks add up quickly. With Zeldent, you can automatically safeguard your income, prevent revenue loss, and simplify dental billing in one streamlined platform.

    Related Articles