A transnational ring, seven shell companies, one lightly-scrutinized HCPCS code, and a federal fraud-detection system that only worked because accountable care organizations did its job for it.
Let's start with the number that pulled CMS out of its chair. For most of the last decade, HCPCS codes A4352 and A4353 — two Medicare reimbursement codes for intermittent urinary catheters — were a sleepy corner of the DMEPOS budget. Combined, they accounted for less than 0.1% of fee-for-service Medicare spending. By the end of 2023 they had leapt to nearly 1% — a deviation so large the 2024 Medicare Trustees Report flagged it as a single-year anomaly in the Trust Fund.
The mechanics are simple enough to explain at a dinner party and outrageous enough that no one would believe you. Foreign nationals, operating on direction from handlers abroad, bought more than twenty Medicare-enrolled durable medical equipment companies. Using stolen identities of over a million Medicare beneficiaries and the NPI numbers of thousands of real physicians, they submitted claims for intermittent catheters that were never ordered, never delivered, and in many cases never manufactured. They billed Medicare roughly $10.6 billion and collected roughly $3 billion before anyone with enforcement power noticed. According to the Department of Justice indictment unsealed on June 30, 2025, the proceeds were moved through a U.S. bank into cryptocurrency and offshore shell companies.
What made the scheme work was not sophistication. It was the opposite — a near-perfect exploitation of three Medicare oversight gaps that had been documented in the public record for years.
HCPCS code A4353 pays for an intermittent urinary catheter with an insertion kit — a single-use sterile tube priced at roughly $8 per unit that patients with neurogenic bladder, spinal cord injury, multiple sclerosis, or spina bifida self-catheterize four to six times a day. CMS's Local Coverage Determination L33803 allows up to roughly 200 units per month. Per unit the code looks trivial. Per patient per year, at 200 units monthly, it generates over $15,000 in reimbursement. Bulk-ordered. No prior authorization. Paid promptly.
A 2022 HHS-OIG report had already documented the attack surface: Medicare was paying 3.4 times the suppliers' acquisition cost for these catheters — $407 million paid against roughly $121 million in real wholesale cost in 2020 alone — and recommended rate cuts and competitive bidding. CMS did not act. Weeks later, the fraud began.
When the fraud ran, it ran loud. Claim volume for A4353 rose more than 5,000% year-over-year; A4352 rose 163%. Roughly 450,000 Medicare beneficiaries had claims submitted in their name during 2023 — against a clinical reality where the total population of Medicare beneficiaries with neurogenic bladder needs is a small fraction of that. The anomaly was so loud that NAACOS, the accountable care organization trade group, flagged it by pulling the claims file and looking at supplier-level concentration: just seven DME firms — three in New York and one each in Texas, Florida, Connecticut, and Kentucky — drove the vast majority of the spike.
K3's FraudGraph database pulls the CMS DMEPOS supplier payment files for the six shell companies named in public CMS enrollment revocation actions between January 12 and February 28, 2024, and the later DOJ Operation Gold Rush indictment. Three firms stand out on raw scale:
High billing volume is not, by itself, evidence of fraud. The entities named above are referenced in connection with publicly filed CMS enrollment revocations and the unsealed DOJ Operation Gold Rush indictment. No FraudGraph inference is asserted about legitimate DMEPOS suppliers appearing in the same dataset for the same HCPCS codes.
There is a FraudGraph signature in this cluster that is worth dwelling on. Three of the six named firms — Whaba, Konaniah, Medical Home Care — had also received COVID-era PPP and EIDL loans in 2020, before pivoting to catheter billing in 2023. That is the cross-program fingerprint: federal relief recipient in 2020, Medicare DMEPOS billing surge in 2023, CMS enrollment revocation in early 2024, federal indictment in 2025. The pattern is not merely useful for retrospective storytelling. It is the kind of multi-program signal that, run forward in real time, could have flagged these entities before the billings cleared.
The single most telling fact about this episode is that the federal government's automated fraud-prevention apparatus missed a twentyfold spending surge for most of a year. What surfaced it was an accident of value-based payment design.
Under the Medicare Shared Savings Program, accountable care organizations earn bonuses when their assigned beneficiaries' total per-capita Medicare spending runs below a benchmark. When phantom catheters got billed under their patients' Medicare numbers, ACOs' benchmarks were destroyed through no fault of their own. Palm Beach ACO reported that its shared-savings payout dropped from $62 million to $45 million because of roughly $50 million in erroneous catheter billing for its attributed lives.
In December 2023, NAACOS members began alerting the association. Using CMS's Virtual Research Data Center, NAACOS identified the seven suspect firms. On February 9, 2024, the Washington Post and New York Times broke the story. On March 6, 2024, HHS-OIG issued a public consumer alert. The Republican chairs of the Senate Finance, Senate Aging, and House oversight committees demanded an investigation, citing the "significant failure" of HHS and CMS to detect the anomaly. NAACOS's analysis — not federal algorithms — is what moved the machinery.
The federal government's automated fraud-prevention apparatus missed a twentyfold spending surge. Private analysts at value-based-care organizations found it because their own bonus checks depended on finding it. That is the operational fact this episode turns on.
By the time CMS caught up, the Trust Fund was out roughly $3 billion. The recovery math is unforgiving.
CMS responded with a cascade of rulemakings unusual for their retroactivity and speed. What followed was the fastest reversal of MSSP financial methodology in the program's history — and the creation of the first CMS unit explicitly architected to intercept billing fraud before payment rather than clawing it back afterward.
Two items on that timeline deserve unpacking. First, the SAHS framework (Significant, Anomalous, and Highly Suspect billing) is the first generalized outlier policy ever built into MSSP. Codified at 42 CFR §425.670 and §425.672, it gives CMS standing authority to exclude any HCPCS code from ACO benchmark calculations when billing deviates from statistical norms — so the next A4353 doesn't wreck value-based contracts the way this one did. Second, the Fraud Defense Operations Center, launched in March 2025 with the Peraton-built Fraud Prevention System and AI/ML anomaly detection, was made permanent 38 days later after its pilot recorded $105 million in averted payments. By the end of 2025, FDOC had suspended $1.8 billion across 249 providers and revoked 127.
The least-reported fact in this story is that the fraud did not stop. A February 2026 Milliman analysis of 100% Medicare FFS data identified anomalous Q3 2025 billing for A4352 that surpassed 2023 SAHS-classified levels — some states showing 50x increases over 2024. Starting January 2026, CMS split hydrophilic catheters into two new codes (A4296, A4297), and suspect billing has begun shifting into those new codes. CMS has not yet issued SAHS guidance for CY 2025 or CY 2026, meaning ACOs reconciling 2025 performance may again be exposed.
Parallel warnings are already visible for skin substitutes, continuous glucose monitors, diabetes supplies, and wound care — categories NAACOS and AHA flagged in their April 2024 letter as the "next catheters." The CY 2026 Home Health Prospective Payment Proposed Rule moves to expand DMEPOS prior authorization for high-risk categories, but as of April 2026, A4353 itself still has no prior-authorization requirement.
Lost in the regulatory response is the simpler fact that Medicare discovers identity theft via paper mail. Because Medicare lets providers submit claims up to 12 months after service, fraudulent catheter billings typically surfaced four to six months later on a paper Medicare Summary Notice or commercial Explanation of Benefits. A Chicago Sun-Times columnist found Medicare had paid $8,749.44 on catheters she never ordered between June and November 2023 — plus $2,232 paid by her secondary Blue Cross Blue Shield plan. A commenter on a Senior Medicare Patrol bulletin reported $17,000 in "single use urinary catheters" across her EOBs. The Oklahoma Insurance Department's Medicare Assistance Program was still receiving complaints totaling $135,000 in 2026-dated fraudulent catheter charges in early 2026, suggesting the scheme's tail continues even after the indictments.
CMS now urges beneficiaries to create a Medicare.gov account to see claims in near-real-time rather than waiting for mailed MSNs six months later. That is, in effect, an acknowledgment that the paper-based oversight chain is part of what enabled the scale of the theft.
Three conclusions are defensible on the record, and each is more uncomfortable than the headline.
The oversight model was backwards. Every safeguard that worked was external to CMS's own automated systems. ACO analysts noticed the surge. Beneficiaries reading paper MSNs reported it. DOJ's Health Care Fraud Unit Data Analytics Team escalated it. CMS's own continuous billing surveillance did not. The pay-and-chase model let roughly $3 billion actually leave the Trust Fund before CMS revocations landed in early 2024. FDOC's creation in March 2025 is a tacit admission that real-time pre-payment analytics, not retrospective clawback, is the only architecture that works against transnational-organized-crime velocity.
DMEPOS enrollment is the single largest attack surface. A network of foreign nationals bought more than twenty Medicare-enrolled DME companies, re-incorporated them, and billed at scale — because Medicare's DMEPOS enrollment process does not meaningfully test beneficial ownership, track ownership changes, or flag the geographic concentration of new NPIs that characterizes phantom-supplier clusters. The Banking Alliance and the DOJ Data Fusion Center address the symptom (money laundering, detection lag); the disease is who is allowed to become a Medicare supplier in the first place.
ACOs became fraud auditors by accident, and the policy response has not yet made that formal. The SAHS framework at 42 CFR §425.672 protects ACOs retroactively but still relies on CMS to identify an anomaly. NAACOS and AHA have asked for a permanent outlier policy at the service-code level that excludes aberrant spending automatically. CMS has declined so far. Until that asymmetry is closed, every ACO is financially exposed to the next A4353, and the incentive to detect it falls entirely on private analysts using licensed federal data.
Operation Gold Rush recovered roughly $245 million against a $10.6 billion scheme and $3 billion in actual Trust Fund losses — a recovery rate under 3%. The decisive metric going forward is not indictments. It is whether CMS's FDOC can reduce the lag between billing anomaly and payment suspension from months to hours. Until it can, the next NAACOS letter is already being written — about a different code.
K3 Analytics built this report by cross-referencing CMS DMEPOS supplier payment files, PPP/EIDL loan records, CMS enrollment revocation actions, and federal court dockets through FraudGraph — a data warehouse combining 383 federal, state, and international datasets with 41 million cross-referenced entities. All named entities in this report appear in publicly filed CMS enrollment actions or in the unsealed DOJ Operation Gold Rush indictment. Dollar figures are sourced to CMS, DOJ, or HHS-OIG primary documents where available, and to Milliman or NAACOS analyses where those are the primary public source.