Easier Than Opening a Bank Account
Last week, the Trump administration did something that fraud investigators have been asking for for years. On February 25, CMS Administrator Mehmet Oz announced a nationwide moratorium on new Medicare enrollment for durable medical equipment suppliers. The full freeze on new applicants is being enacted while regulators figure out how to close a vulnerability that has cost American taxpayers billions of dollars over decades. In explaining why the moratorium was being put in place, Oz said, “The amount of fraud is so massive that it’s easier to open one of these suppliers than to open a bank account.”
The excerpt below is adapted from my forthcoming book, Soft Target: How Criminals Steal Billions from American Taxpayers and How to Stop Them, which examines why the federal government keeps losing billions of dollars to fraud. Spoiler: it’s because the systems were never built to stop fraud, they were built on trust with the objective of moving benefits out to recipients quickly.
The U.S. government has become a magnet for organized fraud, losing hundreds of billions every year. Who these fraud actors are, how they exploit government programs, and what we can do about it are the questions this book was written to answer.
----------------------------------------
In the beginning, confusion reigned. A small family-owned business in Tennessee with 16 employees was suddenly inundated with angry calls from people saying the company, Pretty in Pink Boutique, had charged Medicare for urinary catheters they did not need or use. The company’s owner was dumbfounded. She put a notice on her website alerting people that whatever was happening was unrelated to her company, which provides things like wigs and mastectomy bras to breast cancer patients, saying WE ARE NOT EVEN SET UP TO BILL CATHETERS.
At the time, February 2024, all that was clear was that something was very wrong. Early investigations pointed to seven companies, all of whom were longstanding Medicare suppliers in good standing, that were suddenly billing Medicare for outrageous numbers of intermittent urinary catheters. It made no sense. Soon, it came to light that the companies had recently switched owners, adding to the mystery. None of the companies had specialized in supplying intermittent urinary catheters before 2022, and yet in two years, the seven companies collectively went from billing just 14 patients for catheters to nearly 406,000.
The companies used real patients’ information to submit the bills. To Medicare, the claims were unremarkable. The documentation was in order, the billing codes were correct. None of it was real, except the money, which was being deposited into accounts controlled by a network of shell companies. They, in turn, moved it through a U.S. bank, into cryptocurrency wallets, and eventually to Eastern Europe and Russia.
The organizers weren’t hackers. They didn’t break down digital doors or deploy malware onto a network of unsuspecting users’ devices. They did something even more audacious: they bought the doors. Those seven durable medical equipment companies that were suddenly under new ownership were bought by leaders of a transnational criminal organization based in Eastern Europe. The new owners were foreign nationals, straw buyers the scheme’s masterminds recruited to appear on corporate documents, sign the necessary paperwork, and lend an American face to an operation run from thousands of miles away. These nominee owners received payments for their cooperation and in exchange, they asked few questions.
Behind them, coordinating the whole apparatus from Eastern Europe, was an organization whose members understood something essential about the American health care system: it was built on trust. Medicare processes hundreds of millions of claims each year. Its fraud-prevention infrastructure, while substantial, is oriented to detect patterns that deviate from the norm. So they built an operation that didn’t deviate. Instead, it mimicked the norm perfectly, at industrial scale. Catheters were the perfect foil. While Medicare only pays out about $8 for each catheter, billing in enormous quantities allowed for substantial profits. And because each catheter cost so little, the line item on each invoice would be too small to pay attention to. And the patients would rarely notice if the catheters showed up on an Explanation of Benefits that most people barely read.
The list of names was the basis of the scheme. More than one million Americans, living in all 50 states, most of them elderly or disabled, whose Social Security numbers, addresses, and medical histories had been compiled from years of stolen data. A portfolio of identities, sorted and ready to be deployed. Each one representing a real person—a neighbor, a parent, a grandmother—who would never know their medical history had been rented out to a criminal enterprise operating from an office building in another country. The highly coordinated, complex operation billed $10.6 billion in claims before it was done.
The Justice Department called it Operation Gold Rush.
It was an apt name. Because what had happened was, in its way, a gold rush— an organized, systematic extraction of wealth from American taxpayers, conducted by people who had done the work of understanding exactly where the gold was kept and how lightly it was guarded. On the morning of June 25, 2025, law enforcement officers moved on multiple continents to takedown the operation. Federal officials were able to prevent more than 90 percent of the Medicare payments from reaching the perpetrators, which is a substantial, and uncommon, win. Operation Gold Rush resulted in the largest loss amount ever charged in a health care fraud case brought by the Justice Department. Despite the successful effort to prevent a significant portion of the losses, the scheme still resulted in the loss of about $900 million in taxpayer money. Almost a billion dollars in taxpayer money lost through a single fraud scheme.
The Thief in the Law
The address on the Medicare application was a strip mall in suburban New Jersey. The building housed a nail salon, a dry cleaner, and a shipping store. In the back of the shipping store was a wall of mailboxes, rented by the month. Box 247 had been registered to something called Comprehensive Medical Supply, LLC. The LLC had a taxpayer identification number, a phone number, and a Medicare billing number. It had a licensed physician on file— a real one, practicing in another state entirely, who had never heard of the company. It had a list of patients—real ones, whose Social Security numbers and dates of birth had been lifted from a breach at a hospital in Orange County, New York.
What it didn’t have? A single piece of medical equipment. No warehouse. No inventory. No staff. Box 247 was the whole operation. And it was one of 118.
Armen Kazarian had come to the United States in 1996 from Azerbaijan. By the time he arrived in Glendale, California, he already carried a title that meant something in the criminal world of the former Soviet Union, a world organized around its own laws, its own courts, its own hierarchy. He was a vor v zakone. A Thief in the Law.
The designation had its origins in the Soviet prison camps of the 1930s, where an underground criminal society had developed a code of conduct and separate authority structures in defiance of the state. A vor was not simply a criminal, he was a criminal who had been recognized by other criminals—a process of election, and of accepting a set of obligations that defined one’s life. The vor lived by crime, resolved disputes among criminals, offered protection to those who paid tribute, and in return received a share of whatever flowed through his territory. The designation carried weight across the post-Soviet criminal world from Moscow to Tbilisi to Yerevan.
In Glendale, California, in the late 1990s, Armen Kazarian found himself in a country with a healthcare program that processed hundreds of millions of claims a year, much of it on the honor system. To him, the Medicare enrollment process was like combination lock he could easily crack.
Opening a Medicare-billing account required, in practice, almost nothing. A supplier needed a business address, a taxpayer ID, a licensed physician willing to sign off on prescriptions, and a National Provider Identifier—a number assigned by the federal government that permitted a business to submit claims. The address could be a mailbox. The physician’s identity could be stolen. The NPI could be obtained by submitting a form. There was no physical inspection of the “clinic.” No audit of the inventory. No verification that the doctor listed had any relationship to the business. The system was built for speed and convenience, not security. It trusted people to tell the truth.
Kazarian’s organization acquired stolen patient data in bulk. More than 2,900 names, Social Security numbers, and dates of birth had been lifted in a single breach from Orange Regional Medical Center in upstate New York. They stole the identities of licensed physicians, real doctors, practicing medicine in other states, who would have no idea their NPI numbers were being used to sign prescriptions for patients they’d never seen. They set up shell companies, registered at mailbox stores, and submitted Medicare enrollment forms. And then they billed.
They billed for durable medical equipment and medical services their “patients” never received, from clinics those patients never visited, ordered by doctors who had never met them. Somewhere in the system, a Medicare program designed to help elderly and disabled Americans was sending checks to strip mall mailboxes.
The fraud had a kind of accidental audacity to it. Investigators would later notice that the claims were medically incoherent. An ophthalmologist billing for bladder tests; an Ear, Nose, and Throat Specialist performing pregnancy ultrasounds; an obstetrician administering skin allergy panels. No human being had reviewed the claims, the automation had processed them all. The absurdity of an eye doctor ordering urinary catheters for patients he’d never seen, billing from a clinic that was a mailbox did not trigger an alert. Medicare wrote the checks, and cash couriers carried the proceeds back to Armenia.
The process of creating a fake Medicare DME supplier in 2010 involved less scrutiny than opening a checking account at a community bank, which requires, at minimum, a government-issued ID, a physical address, an initial deposit, and a compliance check. Medicare required an address, a form, and a faith in human honesty that Kazarian’s organization found very easy to exploit.
On October 13, 2010, federal agents moved simultaneously in New York, California, New Mexico, Georgia, and Ohio, arresting fifty-two people before breakfast. In total, 73 members and associates of the organization would be charged with racketeering conspiracy, bank fraud, money laundering, identity theft, and healthcare fraud. The organization had submitted more than $163 million in fraudulent Medicare claims. It had had made off with $35 million before anyone stopped them.
When agents went to the addresses listed on the Medicare applications, they found what they expected to find. Strip mall mailboxes or vacant lots. The occasional storefront that had no idea a medical supply company shared its address.
United States Attorney Preet Bharara, announcing the arrests in Manhattan, said: “Armen Kazarian sat at the top of a criminal organization, and now he will sit in a jail cell for a long time.” But that’s not quite how it ended up. In February 2013, Kazarian was sentenced to 37 months. The sentence worked out to roughly eleven days per fake clinic. He was out in 2015.
The same structural vulnerability Kazarian’s organization exploited in 2010— the use of mailbox addresses, stolen physician identities, and no pre-enrollment site visits—remained essentially intact through the pandemic. In 2020 the government updated some accreditation language, but didn’t fundamentally close the open-door enrollment process. The Armenian ring and Operation Gold Rush were separated by 15 years and operated through essentially the same gaps.
-----------------------------------------
The moratorium Oz announced last week is trying to address a real problem. But a freeze on new applicants doesn’t address the data, technology, policy, and cultural issues that made operations like Gold Rush possible in the first place. Fifteen years after Armen Kazarian ran 118 fake clinics out of mailboxes, the same enrollment form, the same honor system, the same absence of pre-enrollment site visits were still in place when Operation Gold Rush submitted its first fraudulent catheter claim. And these weaknesses exist in nearly every government program administered today, in healthcare and beyond.
Photo by Museums Victoria on Unsplash. Article first posted on GovIntegrity.