According to the Department of Health and Human Services (HHS), schemes to defraud the Medicare program have grown more elaborate in recent years. In particular, HHS has acknowledged Centers for Medicare & Medicaid Service's (CMS) oversight of suppliers of durable medical equipment, prosthetics, orthotics, and supplies (DMEPOS) is inadequate to prevent fraud and abuse. Specifically, weaknesses in the DMEPOS enrollment and inspection process have allowed sham companies to fraudulently bill Medicare for unnecessary or nonexistent supplies. From April 2006 through March 2007, CMS estimated that Medicare improperly paid $1 billion for DMEPOS supplies--in part due to fraud by suppliers. Due to the committee's concern about vulnerabilities in the enrollment process, GAO used publicly available guidance to attempt to create DMEPOS suppliers, obtain Medicare billing numbers, and complete electronic test billing. GAO also reported on closed cases provided by the HHS Inspector General (IG) to illustrate the techniques used by criminals to fraudulently bill Medicare. On June 18, 2008, we briefed CMS representatives on the results of our investigation. In response, they acknowledged that our covert tests illustrate gaps in oversight that still require improvement and stated that they would continue to work to strengthen the entire DMEPOS enrollment process.

Investigators easily set up two fictitious DMEPOS companies using undercover names and bank accounts. GAO's fictitious companies were approved for Medicare billing privileges despite having no clients and no inventory. CMS initially denied GAO's applications in part because of this lack of inventory, but undercover GAO investigators fabricated contracts with nonexistent wholesale suppliers to convince CMS and its contractor, the National Supplier Clearinghouse (NSC), that the companies had access to DMEPOS items. The contact number GAO gave for these phony contracts rang on an unmanned undercover telephone in the GAO building. When NSC left a message looking for further information related to the contracts, a GAO investigator left a vague message in return pretending to be the wholesale supplier. As a result of such simple methods of deception, both fictitious DMEPOS companies obtained Medicare billing numbers. After requesting an electronic billing enrollment package and obtaining passwords from CMS, GAO investigators were then able to successfully complete Medicare's test billing process for the Virginia office. GAO could not complete test billing for the Maryland office because CMS has not sent the necessary passwords. However, if real fraudsters had been in charge of the fictitious companies, they would have been clear to bill Medicare from the Virginia office for potentially millions of dollars worth of nonexistent supplies. Once criminals have similarly created fictitious DMEPOS companies, they typically steal or illegally buy Medicare beneficiary numbers and physician identification numbers and use them to repeatedly submit claims. In one case from HHS IG, a company received $2.2 million in payments from Medicare for supplies and services that were never delivered. The owner submitted these fraudulent claims from March 2006 through July 2006 using real beneficiary numbers and physician identification numbers that he had purchased illegally. The only employee not involved in the scheme was a secretary, who told HHS IG that there was no business activity in the office and that the owner was rarely there. Another case related to an individual who stole beneficiary numbers and physician identification numbers and submitted $5.5 million in claims for three fraudulent offices from October 2006 through March 2007. He operated one of these offices out of a utility closet containing buckets of sand mix, road tar, and a large wrench, but no medical files, office equipment, or telephone.