The Centers for Medicare & Medicaid Services (“CMS”) oversees the largest federal health programs in the United States. In 2024, Medicare spent about $1.1 trillion to provide care to approximately 68 million elderly and disabled individuals. CMS processes more than one billion claims annually through more than 20 different payment systems.
The scale and complexity of the Medicare program create significant exposure to fraud. The Government Accountability Office (“GAO”) first designated Medicare as a high-risk program in 1990, and it remains on that list today. In GAO’s March 2026 report, it reviewed how CMS uses technology to detect fraudulent billing as well as where that technology fails to address certain vulnerabilities.
CMS uses a layered system of data analysis, human investigation, and administrative enforcement to detect Medicare fraud.
The Fraud Prevention System (“FPS”) is a real-time analytics platform that monitors claims as they move through the payment pipeline. The FPS scans for atypical billing patterns, such as sudden spikes in claims volume, unusual service combinations, and billing rates that exceed peer norms, and flags these for further review. If suspicious activity flagged by the FPS, CMS may launch investigations and trigger administrative actions.
CMS contracts specialized entities, known as Unified Program Integrity Contractors (“UPICs”), to investigate potential fraudulent claims on a regional basis. UPICs conduct interviews, review medical records, and coordinate with federal law enforcement if criminal referrals are necessary. The Health and Human Services Office of Inspector General (“HHS-OIG”) and the Department of Justice (“DOJ”) become involved in the most serious cases of fraud for prosecution under the False Claims Act (“FCA”).
In addition to the FPS pipeline, CMS conducts prepayment claim reviews, automated prepayment denials, and post-payment audits. When fraudulent claims are suspected during those audits, CMS can suspend provider payments, revoke provider enrollment, and/or recover any disbursed overpayments.
The March 2026 GAO report detailed several categories of analytic models that CMS uses to identify potential fraud. These models can flag billing spikes in particular categories, such as durable medical equipment (“DME”), home health, and laboratory testing, while also identifying individual providers whose billing patterns deviate from those of their geographic and/or specialty peers. For example, CMS identified and revoked billing claims for “more than $4 billion in urinary catheters that were never supplied” from a small group of just 15 providers.
CMS also monitors misuse of Medicare Beneficiary Identifiers (“MBIs”), which are unique numbers assigned to each Medicare enrollee. Data breaches and phishing schemes may expose these numbers to the wrong people. In the March report, GAO investigators demonstrated how accessible the data is to bad actors on dark web platforms and the ease with which they can submit fraudulent claims under a beneficiary’s MBI.
Private insurers have modeled their fraud detection systems on CMS’s system. The GAO report included interviews with representatives from private payers, who described using similar data analytics to flag claims for investigation. Data-driven fraud detection has thus become the industry standard for healthcare billing institutions.
GAO’s March report acknowledges that CMS has successfully detected substantial fraud, estimating that it prevented about $11.9 billion in Medicare payments between 2022 and 2024. Nearly $8 billion of this came from provider revocations and deactivations, and about $2.6 billion came from payment suspicions. However, the report also exposed a significant flaw in the CMS fraud detection framework.
CMS had not been sharing information about payment suspensions with supplemental payers. Private insurance plans like Medigap and state agencies tied to Medicaid cover out-of-pocket expenses for many Medicare beneficiaries. When CMS suspended a provider for suspected fraud, supplemental payers were not notified, which resulted in ongoing payments tied to fraudulent billing.
In the urinary catheter scheme, private supplemental plans may have paid tens of millions of dollars in cost-sharing before the fraud was stopped. State Medicaid agencies alone paid at least $196,000 in state and federal funds related to that scheme between 2023 and 2024.
In December 2025, CMS addressed this gap and began sharing payment-suspension information with supplemental payers, but the delay created a significant burden on government spending. With Medicare fraud detection systems, identifying suspicious activity is easy but breaking down administrative siloes remains a challenge.
Although CMS has invested greatly in its monitoring systems, sophisticated fraud schemes continue to succeed on a large scale. Data analytics alone struggle to overcome the structural features of Medicare payment models. However, individual whistleblowers may provide better solutions.
Medicare’s fee-for-service model, which covers traditional Medicare, is inherently vulnerable. Paying first and auditing later allows a large volume of claims to flood in, overwhelming even a well-calibrated fraud detection system and preventing it from catching every false claim in real time.
Fraudsters have adapted by using stolen MBIs, shell companies, and rapid billing cycles to extract payments before their suspensions take effect. The urinary catheter scheme occurred in part because the group of providers moved quickly and exploited a category of DME that had not previously triggered the same scrutiny at high-volume orders, compared to more commonly abused services.
The GAO report noted that fraud schemes in DME, home health, and lab testing are prevalent as they’ve received less scrutiny historically than hospital or physician billing. As enforcers’ attention increases in one area, the schemes will migrate to less salient categories.
Finally, fraudsters use information from legitimately enrolled providers to make their billing claims. Sometimes this occurs without the provider’s knowledge, increasing the time required to map the network of billing relationships. Often, the payments are made, and the funds are moved into offshore accounts or laundered through shell companies before investigators can act.
Government detection systems operate outside of healthcare providers. While their technology can detect billing patterns, it misses the face-to-face interactions in doctors’ offices, instructions provided to billing staff, and any informal kickback arrangements discussed on-site. These are scenarios in which whistleblowers can, and often do, help the government prevent fraud.
The FCA allows private individuals, most often current or former employees known as “relators” or “whistleblowers,” to file qui tam lawsuits on behalf of the government when they have direct knowledge of fraud that harmed the government. If the case succeeds, the whistleblower typically receives between 15 and 30% of the government’s recovery.
Healthcare FCA cases have recovered significant government funds from fraudulent Medicare billing, especially in light of recent upticks. In fiscal year 2025, the DOJ reported that FCA settlements and judgments exceeded $6.8 billion – the highest single-year total in FCA history. Of that amount, over $5.7 billion involved healthcare industry matters.
Not only are the dollar amounts of qui tam cases striking, but the scope of the fraud and harm done can also be nationwide. In 2025, CVS Health’s Omnicare pharmacy was found to have unlawfully distributed drugs without valid prescriptions under state law while charging Medicare, Medicaid, and TRICARE. The jury verdict included a $949 million judgment. Healthcare whistleblowers can alert the government to misconduct that would otherwise go unnoticed.
In the context of Medicare fraud, the FCA is a powerful tool, even when only one individual speaks up. A single whistleblower who notices and reports overcharging, double-billing, or other false representations to the government can have knowledge that other fraud prevention tools can replicate. The FCA is structured to reward those who come forward and allows whistleblowers to share in the government’s recovery, creating an economic incentive for insiders to expose fraud that would otherwise remain hidden.
Whistleblowers’ reporting of fraudulent government billing is essential to closing the gaps the FPS pipeline may miss.
The two systems for identifying and correcting Medicare fraud overlap and cover each other’s weaknesses. CMS’s data analytics tools can identify anomalous billing patterns. The FCA provides an avenue for industry participants who see fraud to bring it to light, exposing practices that would otherwise go undetected.
While neither system captures all fraud on its own, together they can expose and stop multibillion-dollar fraud schemes. The GAO continues to showcase the flaws in the government’s fraud detection system, even with updates and increased security measures. Currently, though, despite those shortcomings, the government can enforce and recover billions each year from exposed schemes.
For individuals with information about what they suspect is Medicare fraud, speaking with experienced False Claims Act counsel can help determine whether the conduct may support a whistleblower claim. Miller Shah LLP represents whistleblowers in healthcare fraud matters and can help insiders understand their rights, protections, and potential role in recovering taxpayer funds.
PA Philadelphia | 866-540-5505
NY New York City | 866-540-5505
NY New York City | 866-540-5505
NY New York City | 866-540-5505
NY New York City | 866-540-5505
PA Philadelphia | 866-540-5505
NY New York City | 866-540-5505
PA Philadelphia | 866-540-5505
CA San Francisco | 866-540-5505
FL Fort Lauderdale | 866-540-5505
NY New York City | 866-540-5505
PA Philadelphia | 866-540-5505
CT Chester | 866-540-5505
NY New York City | 866-540-5505
PA Philadelphia | 866-540-5505
CA Los Angeles | 866-540-5505
CA Los Angeles | 866-540-5505
CT Chester | 866-540-5505
CT Chester | 866-540-5505
FL Fort Lauderdale | 866-540-5505
CT Chester | 866-540-5505
NY New York City | 866-540-5505
PA Philadelphia | 866-540-5505
NY New York City | 866-540-5505
PA Philadelphia | 866-540-5505
CA San Diego | 866-540-5505
PA Philadelphia | 866-540-5505
CT Chester | 866-540-5505
NY New York City | 866-540-5505
NY New York City | 866-540-5505
NY New York City | 866-540-5505
PA Philadelphia | 866-540-5505
PA Philadelphia | 866-540-5505
FL Fort Lauderdale | 866-540-5505
NJ Hoboken | 866-540-5505
NY New York City | 866-540-5505
PA Philadelphia | 866-540-5505
PA Philadelphia | 866-540-5505
PA Philadelphia | 866-540-5505
NY New York City | 866-540-5505
CT Chester | 866-540-5505
PA Philadelphia | 866-540-5505
CA San Diego | 866-540-5505
PA Philadelphia | 866-540-5505
PA Philadelphia | 866-540-5505
PA Philadelphia | 866-540-5505
CA Los Angeles | 310-203-0600