The Atlanta Journal-Constitution identified dozens of suspect medical providers registered with the federal government using a drop box as their office location. But it’s not clear how much, if anything, the government paid these organizations.

The Centers for Medicare and Medicaid Services would not release billing data showing what services they billed the government for and how much money they received.

CMS officials told the AJC that the information is not public, even though the Medicare and Medicaid programs are funded by taxpayers.

That stance has drawn criticism from government transparency advocates.

“In order for the public and the media to monitor how an agency performs, we have to have access to a fair amount of detail about the money they’re paying out,” said Peter Smith, Freedom of Information counselor with the Center for Public Integrity.

Critics point out that CMS sells the billing data to medical schools and other organizations that pay tens of thousands of dollars for it.

CMS also provided the Center for Public Integrity and the Wall Street Journal with Medicare billing data to settle a Freedom of Information lawsuit over the access issue. The two news organizations paid a fraction of the normal cost.

Had the issue gone to court and CMS lost, the information would be open to anyone who files a Freedom of Information Act request.

About this story

To identify federally registered medical providers that claim a drop box as a practice location, the Atlanta Journal-Constitution cross-referenced UPS Store mail box address with medical practice address locations listed in the federal provider registry.

The AJC identified 131 such providers in the metro-Atlanta region. Then, the newspaper checked state incorporation documents, court documents and medical license data and phoned physicians listed as the chief officer of the suspicious providers.

That turned up dozens of suspect organizations.

Several were created by people who were already in prison for healthcare fraud. In some cases, the doctors said that federal officials had contacted them and they were cooperating in an investigation.

Other doctors said they had never heard of the supposed medical provider and that they had no connection to the organization using their identity.

Dorsey Med Group is conveniently located for Buckhead-area patients looking for a good internist. On paper, the clinic is headed by a respected physician with 39 years of experience.

Patients might be a little put off by its size, though.

The medical office could easily hold a box of sterilized latex gloves, but not much more.

It’s located at 2625 Piedmont Road Northeast, Suite 56-331 — a UPS Store mail box.

And the doctor who is the clinic’s namesake didn’t know he was the CEO, as federal records show. He certainly never made the 192-mile drive from his Albany practice to Buckhead to see patients or review medical records.

Federal officials probably should have grown suspicious two years ago when someone using the name Olga Teplukhina incorporated the fictitious medical practice, applied for a National Provider Identification number and claimed a UPS mailbox as the practice location.

Then again, the box is the largest size UPS offers.

“So have they been billing stuff?” Dr. Harry Dorsey asked when the AJC told him the suspicious provider number was still active. “That’s identity fraud, and that really ticks me off.”

For years, officials at the agency that administers Medicare have known that fraudsters sign up as health care providers using UPS Store mailboxes and other post office box like addresses as their location. But the Centers for Medicare and Medicaid Services says it lacks the technology to identify these locations because they look like legitimate street addresses, not like the easily identified post office box addresses.

CMS doesn’t even stop providers from using post office boxes, though. They know they should and they know it’s simple, but the agency still has in its system nearly 300 providers nationwide using post office boxes as their location, according to an AJC analysis of the CMS provider registry.

So when will CMS be able to flag the providers using UPS Store addresses and boot any scammers? The agency says it has no timeline.

CMS officials insist they don’t need to hurry because anyone trying to rip off a federal health care program would first need to enroll in the Medicare billing system. That process should – probably, hopefully – snag anyone using a UPS Store as a practice location because it involves a more stringent review.

Don’t tell that to Ryan Stumphauzer, a former federal prosecutor in the Southern District of Florida who specialized in health care fraud.

“They’ve got a fake NPI, they’ve got a fake address, but they’re not concerned yet?” he asked.

“That’s like seeing a man pacing back and forth in front of a bank with a mask on and he has something tucked under his shirt, but you don’t do anything because he hasn’t gone into the bank yet,” Stumphauzer said. “Not addressing these problems up front is what costs the system $60 billion each year.”

Even if the phony health care provider doesn’t bill Medicare directly, the government is left vulnerable to other fraud schemes, said Malcolm Sparrow, a professor of public management at Harvard’s Kennedy School of Government.

Using a sham provider number and a UPS Store address, a scam artist can provide what looks like a real physician’s approval for unnecessary or non-existent medical services and equipment for a company that is registered to bill Medicare.

Should CMS ask the doctor if the services or equipment were necessary, the agency’s inquiry goes to the UPS Store mailbox. The fraudster then assures the agency of the need.

While CMS officials say they can’t find these fake medical providers, identifying them is not hard.

The AJC used an inexpensive software program and a list of UPS Store addresses found on the Internet. That turned up 131 CMS-registered medical providers across metro Atlanta claiming a UPS Store as their practice location.

Most likely filled out their paperwork incorrectly and are not committing fraud. Some were already under investigation, while others have been identified as fronts for fraud schemes and the perpetrators prosecuted and convicted.

But several physicians said they were stunned when the AJC told them a provider number was created using their name.

And two dozen of the 131 identified by the AJC are now under review by a federal contractor after the newspaper brought its findings to the attention of the U.S. Department of Health & Human Services Office of the Inspector General.

“If one company is defrauding the Medicare trust fund, that’s one too many,” said Kelly McCoy, assistant special agent in charge of the watchdog agency in Atlanta. “This agency will diligently pursue any evidence of fraud.”

Taxpayers bear burden

Accurate estimates of the cost of health care fraud do not exist, Sparrow said. But he told the U.S. Senate in 2009 that fraud could siphon off $100 to $500 billion a year.

The cost is borne by federal taxpayers who support Medicare, state taxpayers who support Medicaid and customers of private insurance companies.

Estimating the cost of specific fraud schemes, like a scam using UPS boxes, is even trickier. But the scheme can be lucrative.

More Than Ready Company, located at a UPS store on Peachtree Industrial Boulevard in Atlanta, was among a number of companies that billed Medicare for fraudulent injections of medication. The provider billed Medicare for $1.2 million. Eventually, several people were convicted of health care fraud as a result.

More Than Ready Company still has an active provider number, however. CMS says that’s because even companies used to commit health care fraud can still render services for private health insurance plans.

These suspicious organizations sprout up across the country. Outside of Atlanta, in spot checks the AJC identified potentially fraudulent providers in Louisiana, Florida, Kentucky, Ohio, Texas and Massachusetts.

Two years ago, a man calling himself Dulat Adilshin created IEDM Services, Inc. The supposed obstetrics and gynecology office was located in a UPS Box Store mailbox in Baton Rouge.

According to CMS records, Dr. Edan Moran is the CEO. Moran is an obstetrician, but his practice is in Alexandria, Louisiana, more than 100 miles from the UPS Store in Baton Rouge.

Moran said he does not know Adilshin and he does not know IEDM Services.

“Knowing that someone’s abusing the system using my information while I’m delivering a baby at 2 o’clock in the morning, yeah, that’s aggravating,” Moran said.

Adilshin also created a family medical practice called JPT Group Inc. It’s located in a UPS Store in Metairie, La. The same day he incorporated Oak Hill Health Services at a UPS Store in Baton Rouge.

In Florida, Adilshin incorporated Mona Med Group and Fortal Tech Corp. In South Carolina, he started Saluda Care Group, Inc. and Newberry Tech Corp.

And in 2010, Adilshin incorporated Meadows Med Group Inc. in Georgia.

The fictitious family-medical practice is located in a UPS Store mailbox on Hugh Howell Road in Tucker, according to CMS. Agency records list Dr. David Derrer, a family physician at Georgia Highlands Medical Services in Atlanta, as the CEO.

But Derrer said he never heard of Meadows Med Group or Adilshin before receiving a phone call from the AJC. An extensive background search by the AJC could not find any record of Adilshin in the United States.

“The worrisome thing is that they’re using this information,” Derrer said. “They might be able to write prescriptions or other weird things like that.”

It’s troubling to Stumphauzer as well.

“As a former prosecutor, what you’re seeing are the ripening components of a fraud scheme,” he said. “To me, I can’t imagine any reason to obtain a NPI, hijack a doctor’s name and use a UPS box as a practice location unless you intend to commit fraud.”

Derrer and Moran said they are working on having the phony provider numbers in their names cancelled.

Dorsey said he cancelled the fake provider number in his name last month. It was a frustrating process. It took two weeks to convince CMS to cancel it.

Obtaining a fake provider number is much less difficult than cancelling one. Scam artists can find almost all the information they need from a state medical licensing website. After that, they fill out a short application on the CMS website.

That’s it.

CMS officials wouldn’t discuss this issue on the record, but they said they know there are loopholes in the system.

“Over the last several years we have stepped up our efforts to fight Medicare fraud and we are continuing our work to crack down on anyone who tries to steal from seniors and taxpayers,” CMS officials said in a prepared statement.

They will face pressure to do so.

CMS should address the vulnerabilities identified by the AJC right away, said Sen. Tom Carper, D-Del., the chairman of the Senate subcommittee on Federal Financial Management, in a statement to the AJC.

“Medicare officials should lay out specific steps to ensure that Medicare providers are delivering legitimate health care services and not simply setting up a post office box to help them collect federal reimbursements for care they haven’t provided,” Carper said. “I will follow up with Medicare officials to make certain that they are doing everything in their power to ensure that taxpayer funds are being spent properly.”

Schemes hard to sport

Once the fake providers are in the system, their schemes are difficult to spot. And they are even more difficult to stop.

Michel De Jesus Huarte and his associates billed Medicare for $61 million in fraudulent services by the time he was caught, according to the U.S Attorney’s Office for the Southern District of Florida.

Huarte opened 29 clinics in Florida, Georgia, Louisiana, North Carolina and South Carolina, many in abandoned store fronts and others in UPS Store mailboxes. He paid straw owners up to $200,000 to incorporate the clinics and then flee the country if law enforcement found them.

In Atlanta, Huarte’s Elusive Quality, located at a UPS Store on Peachtree Street, billed Medicare for $3.5 million. Another clinic, Strong Hope Company, located at a UPS Store mailbox on Roswell Road, billed Medicare for $2 million. Both still have active CMS provider numbers.

He used stolen insurance numbers from Medicare-eligible patients, obtaining them from employees of a call center that signed people up for Medicare services.

The criminal organization either bribed doctors for their billing information or, if that didn’t work, they stole it. Huarte and his associates hired doctors to serve as a medical director for clinics. If a doctor became suspicious and left, Huarte kept using their billing information.

Even when law enforcement officials uncovered one of his phony companies, Huarte could easily abandon it and incorporate a new clinic at another UPS Store mailbox. Then he started billing again.

“They hit us and then they’re gone,” McCoy said.

Federal officials call this kind of enforcement a pay and chase system. Medicare pays out millions of dollars in fraudulent claims. Law enforcement then chases down the bad guys.

But at that point, the money is gone. Most is never recovered.

Enforcement questioned

CMS could avoid cutting checks to these fraudsters by enforcing an already existing regulation.

The agency’s own rules require doctors authorizing treatment or medical equipment to enroll to bill Medicare. This means the doctor is supposed to pass through an additional level of scrutiny that should uncover providers using a UPS Store as a practice location.

But in practice, CMS pays out claims authorized by doctors who do not undergo the heightened scrutiny. Instead of denying the claim, the agency sends the medical provider a letter warning that future claims missing the proper billing number could be rejected someday.

CMS does not enforce the regulation because Medicare receives so many claims without the proper registration numbers that rejecting those claims would cause a shock to the system, CMS officials said. Most of these claims are assumed to come from legitimate providers who failed to fill out the paper work correctly.

Agency officials would not say when or if they plan to enforce the regulation.

CMS has made a push over the last four years to halt fraud. In 2010, the agency investigated 823 providers that were enrolled to bill Medicare and claimed a UPS Store mail box as a practice location. As a result, 134 providers were kicked out of Medicare.

Yet, some fraud experts are skeptical that CMS ever plans to address the problems that still exist. They say CMS is scared additional regulations will drive legitimate providers out of the system.

CMS officials say they will try to close the loopholes in the system – once they have a comprehensive, automated screening process in place.

Meanwhile, Dr. Douglas Boyce could wait a long time before CMS cancels the provider number for White Pillar Care Inc. The Louisville doctor is listed as its CEO.

His office manager, Jan Minter, said CMS told her a couple of years ago that the company was billing Medicare using Boyce’s credentials.

“That’s amazing, I’m actually dumbfounded that he’s still listed as the CEO,” Minter said. “The government knows about this and they still have him listed? Wouldn’t you think they would have taken his name out and stopped using that number?”