Program Integrity Alliance
All Insights

While Washington Counts, Criminals Steal

GovIntegrityMay 5, 2026
While Washington Counts, Criminals Steal

Last week, two things happened in Washington that almost no one connected. The Justice Department announced a new West Coast healthcare fraud strike force, revealing that 28 defendants had attempted to steal $1.9 billion from Medicare and Medicaid since 2024. And the Government Accountability Office (GAO) quietly released its annual improper payments report, showing that the federal government now tracks $186 billion in problematic payments across 64 programs—a number that drew the usual mix of alarm and shrugging that these reports always generate.

When you read the two stories together, they paint a disturbing picture.

Let’s start with the $1.9 billion. Just twenty-eight people attempted to steal $1.9 billion (with a “b”) in just three states (California, Nevada, and Arizona) in less than two years.

That’s roughly $68 million per defendant. These aren’t opportunists gaming a loophole. This is industrialized fraud — organized, sophisticated, and operating at a scale that would have seemed unimaginable even five years ago.

Last year, law enforcement took down a foreign criminal organization that submitted $10.6 billion in fraudulent Medicare claims for urinary catheters that were never needed, using 1 million stolen beneficiaries’ information, with suspects arrested in Estonia and at international airports while trying to flee. This year, we’ve seen hospice fraud rings recruiting healthy patients who aren’t terminally ill billing hundreds of millions in bogus claims and substance-abuse clinics invoicing CMS for $40,000 a month per patient. The indictments keep coming out of the Justice Department.

Like the old joke that people rob banks because that’s where the money is, today’ fraud is literally following the money. As retirees flood into Sunbelt states, criminals are close behind. Nevada’s senior population grew 95% between 2008 and 2024, and the fraud rate follows that curve almost perfectly. This is strategic, data-driven targeting by people who understand government payment systems better than most government employees do.

This is the world we are actually living in.

Now let’s talk about the world Washington thinks we’re living in.

The same week that story broke, GAO released its annual improper payments report. I’ll be candid here: I’ve spent years working in this space and the improper payments reporting apparatus is, in my honest opinion, a mess that has become its own kind of problem.

Here’s what the report actually tells us: improper payments across the federal government totaled $186 billion in fiscal 2025. That’s up $24 billion from the year before. The hang-wringing headlines write themselves, but they are misleading. Most of that increase comes from the fact that we’re now measuring more programs, not from the government losing more money. New programs were added to the denominator for the first time. That’s actually a good development—more visibility is better—but it gets reported as a crisis of worsening performance when it isn’t necessarily that. The real problem is no one knows what the numbers really mean about whether the government is losing more money to fraud, or less.

Of the $186 billion, GAO separates the total into overpayments ($153 billion), underpayments ($10 billion), “unknown payments” ($14 billion) and— my favorite— “technically improper” ($8.4 billion).

The whole improper payments estimation and reporting apparatus is a compliance exercise, not a fraud-fighting tool. It is complicated by design, prone to spin in both directions, and almost impossible to use as a meaningful gauge of whether agencies are actually getting better at stopping fraud. Agencies change their estimation methodologies. Programs get added and dropped. Definitions shift. You can’t look at this year’s number and last year’s number and draw a straight line between them. The system was designed to produce a report, not to prevent a crime.

The distinction between producing a report and preventing a crime
is exactly the problem.

Pay and chase. Still.

The DOJ strike force announcement was framed as a major escalation in the fight against healthcare fraud. And in some ways it is. The government is adding more prosecutors, more forensic tools, more data analytics, and new strike force offices opening in San Francisco, Las Vegas, and Phoenix. This is real investment, and I don’t want to minimize it.

But let’s be clear about what a strike force is. It is a law enforcement response to fraud that has already happened. It is, by definition, reactive. You detect the scheme. You build the case. You charge the defendants. You announce the press release. And almost all of the money is already gone.

This is the “pay and chase” model, and it is not enough anymore. It was barely enough before. In a world where a single criminal network can attempt to steal $10.6 billion in a single scheme, prosecuting 28 people for $1.9 billion two years after the fraud began, is not a deterrent. It’s a cleanup crew.

I want to be fair to the people doing this work. Federal prosecutors, FBI agents, and OIG investigators are talented, dedicated, and genuinely hamstrung by a system that wasn’t built for the threat they’re now facing. The probes into California hospice fraud stalled for years, officials said, because of limited resources and pandemic-era priorities around access to care. That’s indicative of a system that cannot scale to meet what’s coming at it.

But the answer to that problem is not more prosecutors. Or rather, it’s not only more prosecutors. The answer is stopping fraud before the money goes out the door.

The new world requires a new approach

What Washington has not fully reckoned with is that fraud has been industrialized. Organized criminal networks—including foreign ones—have built sophisticated operations that analyze government payment systems, identify vulnerabilities, and exploit them at machine speed. They use stolen beneficiary data and artificial intelligence. They stand up fake medical providers, fake hospices, fake substance-abuse clinics; they move money across jurisdictions before anyone notices, and they disappear with millions in stolen taxpayer money.

The government’s response, by contrast, remains anchored in a framework built for a different era: stumble onto a fraud scheme years into the heist, investigate what you can, prosecute the cases you can prove, announce the takedown, repeat. The improper payments report is the annual ritual of that framework — a backward-looking accounting exercise that tells us a fragmented story of what the damage was, offers limited insight into why it happened, and almost no insight into whether we’re any better positioned to stop it next time.

We are not going to prosecute our way out of this problem. And if we keep telling agencies to adhere to complicated, bureaucratic compliance requirements in response to a genuine crisis, we might as well send a formal invitation to the transnational criminal organizations.

What actually needs to change

The federal government needs to make a genuine strategic shift—a fundamental reorientation from detection and prosecution toward prevention and prediction. That means:

Stopping paying before we know. Pre-payment review and real-time eligibility verification aren’t new ideas, but they’re still not standard practice across high-risk programs. Modern verification tools can stop fraudulent claims before money changes hands — without slowing legitimate payments. Using intelligence in addition to data can help uncover risk signals earlier in the scheme. This is not a trade-off between speed and integrity. Technology, especially Generative AI, has made it possible to have both.

Treating fraud intelligence like national security intelligence. The $10.6 billion catheter scheme involved a foreign criminal organization. The hospice fraud rings are operating like organized crime syndicates, because they are. We need federal agencies sharing threat intelligence in real time, not issuing audit reports two years after the fact. Data and intelligence is still siloed across agencies and states, and needed information is not shared. Congress took some important steps to change this last week by introducing several bills that would make data sharing easier. Those bills must advance to the President’s desk for signature.

Replacing compliance theater with outcome accountability. The improper payments reporting regime needs to be fundamentally reimagined. Instead of measuring what went wrong and generating a number that spins up or down based on methodology changes, we should be measuring what agencies are doing _before_payments go out: their pre-payment controls, their fraud risk assessments, their use of data analytics, their real-time detection rates. Tell me not what the damage was — tell me whether you’re actually getting better at preventing it.

Being honest about what we don’t know. GAO’s report doesn’t include TANF, a $16.5 billion program, because of statutory limitations that prevent HHS from calculating its improper payment rate. We can’t manage what we don’t measure. While reimagining the improper payments reporting regime, Congress needs to fix the statutory barriers that keep major programs off the books entirely.

The bottom line

Two things happened last week. A Justice Department strike force was announced to chase down fraud that has already occurred and a GAO report catalogued $186 billion in payment problems through a methodology that is too complicated to be genuinely useful and too backward-looking to drive real change.

Meanwhile, 28 people tried to steal $1.9 billion. And right now, in nearly every state and many federal programs, others are planning or executing the next scheme.

How do I know?

I am the co-founder of a small fraud prevention technology company that looks for patterns of fraud in data. Last week, we quietly pulled some Medicare suppliers off the CMS website and ran them through our gauntlet of open-source intelligence-gathering tools.

We found a supplier with no obvious risk signals—no one is debarred, sanctioned or otherwise suspicious looking. The company was recently added to CMS’s supplier ecosystem. But there was something suspicious, and with today’s intelligence tools, we were able to spot it. A complaint was filed to the Better Business Bureau’s Scam Tracker from someone saying they received knee braces in the mail out the blue. They called their doctor, and he confirmed he had not placed the order. The company on the invoice was unfamiliar. They called the company and said they wanted to return the unneeded braces.

CMS has no reason to suspect this company is a fraudulent supplier yet. Nothing will look amiss in the data CMS looks at. The fraud actors behind this scheme are still operating in the shadows. My bet is that, in two years, this company will appear in a Justice Department press release along with the amount of taxpayer money that was stolen.

We don’t have a prosecution problem. We have a prevention problem. And until Washington is willing to say that clearly — to move the center of gravity of this entire enterprise from pay-and-chase to stop-before-it-starts — we will keep writing the same press releases and publishing the same reports, year after year, while the numbers get larger and the criminals get smarter.

Photo by Jakub Żerdzicki on Unsplash. Article first posted on GovIntegrity.