Set a thief to catch a thief
by Yubin Park, Co-Founder / CTO
Want to know how healthcare fraudsters think? The old proverb "set a thief to catch a thief" isn't just wisdom—it's strategy. To build effective fraud defenses, we need to answer three questions: Where are the system vulnerabilities? Which gaps offer the highest reward for the lowest risk? How can legitimate processes be weaponized?
At Falcon Health, our fraud detection platform Sentinel is built on this principle. We don't just catch known patterns. We think like the adversary.
The Fraudster's Toolkit: Three Core Strategies
Healthcare fraudsters employ sophisticated strategies that exploit fundamental weaknesses in payment systems. Understanding these tactics is essential for building effective defenses.
1. Timing and Threshold Gaming
Fraudsters are students of the system. They know exactly where the tripwires are—and they stay one step away.
- Billing just below automatic review triggers: They understand exactly where audit thresholds lie and keep individual claims strategically under those limits
- Striking during enforcement gaps: Government shutdowns, policy transition periods, and holiday seasons become prime opportunities for fraudulent activity
- Ramping slowly to avoid statistical anomalies: Rather than sudden spikes that trigger alerts, fraudsters gradually increase billing volumes to appear as organic growth
Top tip
Fraudsters bill just below audit thresholds, ramp up slowly to avoid statistical flags, and strike during enforcement gaps. They're not guessing—they're gaming the system with precision.
2. Identity & Network Manipulation
The dark web has transformed healthcare fraud from a cottage industry into organized crime:
- Stolen patient identities: Real patient information purchased from data breaches provides the foundation for seemingly legitimate claims
- Shell networks of related NPIs and entities: Complex webs of interconnected providers and entities obscure ownership and make patterns harder to detect
- Dissolve and recreate when flagged: When one entity gets flagged, fraudsters simply shut down and reappear under new identities, learning from what triggered suspicion
3. Documentation Theater
Perhaps the most insidious evolution is the professionalization of fraud documentation:
- AI-generated clinical notes: Modern language models can create clinically plausible documentation that passes initial scrutiny
- Fake paper trails: Appointment systems, phone logs, and other supporting documentation create an illusion of legitimacy
- "Looks legitimate enough": The goal isn't perfection—just enough authenticity to survive initial reviews before the money is paid out
Top tip
The modern fraudster doesn't need perfect documentation—just good enough to pass initial review before the payment goes through. AI-generated notes and fake paper trails have made this disturbingly easy.
Where the System is Most Vulnerable
Understanding fraudster tactics reveals critical vulnerability categories in healthcare payment systems. While there may be other potential vulnerabilities, these are the patterns we've observed most frequently while working with our clients recently.
LCD Gaps: Policy Arbitrage Opportunities
Local Coverage Determinations (LCDs) are Medicare policies that define coverage criteria, but their complexity creates exploitable gaps:
- Shopping between MAC jurisdictions: Different Medicare Administrative Contractors have varying policy interpretations, allowing fraudsters to "jurisdiction shop" for the most lenient coverage policies
- Policy transition windows: When policies change, there are temporary gaps in enforcement as systems update and staff adapt
- Gray areas in coverage determinations: Ambiguous language or edge cases in coverage policies become prime targets for aggressive billing
Hard-to-Verify Services: The Trust Problem
Certain service categories are inherently difficult to verify, making them fraud magnets:
- Telehealth services: Post-COVID expanded telehealth coverage created new opportunities, as virtual visits are harder to verify than in-person care
- Subjective evaluations and consultations: Services based on provider judgment rather than objective tests are difficult to challenge
- Home health services: With limited oversight of care delivered in patients' homes, documentation becomes the only verification method—and documentation can be fabricated
Price & Bundling Opportunities: Maximizing the Take
Fraudsters exploit pricing complexity and bundling rules to maximize payments:
- Billing at maximum allowable amounts: Always choosing the highest-paying code variation, even when simpler services would be more appropriate
- Bundling unnecessary services: Adding extra services alongside a legitimate "anchor service" that makes the entire claim appear reasonable
- Regional pricing inconsistencies: Exploiting geographic price variations by billing from high-reimbursement areas or manipulating location data
Real-World Case Study: Genetic Testing Fraud
Theory meets reality. Here's an actual clinical laboratory vendor detected by Sentinel.
A high-risk genetic testing provider identified by Sentinel showing critical risk indicators across multiple subanalysis dimensions.
The Pattern:
- Exploiting LCD gaps: Operating in gray areas of genetic testing medical necessity where coverage policies are ambiguous
- Documentation theater: Creating plausible-but-questionable medical necessity documentation
- Bundling strategies: Charging for comprehensive test panels when simpler testing would suffice
- Identity concerns: Multiple customers reported stolen identities, surprise billing, and inaccurate billing on Reddit, Better Business Bureau, and other platforms
The Impact:
Sentinel risk score: 65.7/100 (HIGH). LCD analysis and billing patterns flagged the highest concerns—25% and 22% weights respectively. The case is driven by definitive external evidence: DOJ investigations, overwhelming consumer complaints, and systematic billing of over $23.5 million for a single "Not Covered" service.
The Problem: Despite ongoing DOJ investigations, this vendor continues billing Medicare. It's a stark reminder that stopping fraud once it's established is extraordinarily difficult.
Real-World Case Study: UTI Catheter Fraud (Ongoing)
This one is happening right now. A DME vendor billing Medicare for UTI catheters—and the numbers are staggering.
An active DME vendor case showing extremely high fraud risk indicators, particularly in online reputation and billing analysis.
The Red Flags:
- Sudden appearance: The vendor materialized in Medicare billing records in late 2024 with zero prior history
- Explosive growth: Already generating billions of dollars annually from UTI catheters alone
- Identity theft reports: Consumers are already reporting stolen identities used for fraudulent claims
- Strategic exploitation: Leveraging LCD gaps, identity theft, and hard-to-verify home delivery services
The Numbers:
Sentinel risk score: 70.7/100 (HIGH). Reputation risk: 100.0/100 (CRITICAL). That's overwhelming evidence of fraud from consumer complaints, external confirmation of identity theft, and explosive billing growth that defies statistical probability.
The DME space is particularly vulnerable—high reimbursement rates, low verification requirements, home delivery that's nearly impossible to audit. This case demonstrates how quickly sophisticated fraudsters can exploit these gaps. We're talking billions of dollars in potential exposure, and it's happening right now.
Building Better Defenses: The Counter-Thief Approach
Traditional fraud detection catches known patterns—fighting yesterday's war. The "set a thief to catch a thief" approach inverts this: understand how fraudsters think, identify vulnerabilities before they're exploited at scale.
This is why we built Sentinel to think like an investigator, not a pattern-matcher. Our system asks:
- Timing patterns: Does billing behavior suggest threshold gaming or exploitation of enforcement gaps?
- Entity complexity: Are provider networks structured to obscure ownership or liability?
- Documentation quality: Does the clinical documentation tell a coherent story, or is it "documentation theater"?
- Vulnerability alignment: Are providers concentrating on hard-to-verify services or LCD gray areas?
- External validation: What are consumers, peer providers, and public records saying about this provider?
Top tip
The genetic testing and UTI catheter vendors weren't flagged for matching known fraud patterns. They were flagged because their behavior aligned with fraudster tactics—exploiting LCD gaps, targeting hard-to-verify services, and generating overwhelming consumer complaints.
The Arms Race Continues
Healthcare fraud isn't a static problem with a permanent solution. It's an arms race. Fraudsters are learning, adapting, exploiting new technologies like AI-generated documentation.
Our defenses must evolve at the same pace. Understanding the adversary—their tactics, their targets, their thinking—is the first step toward building fraud detection systems that stay ahead of the curve instead of perpetually playing catch-up.
The Bottom Line: You can't catch a thief without thinking like one. The organizations that win this arms race won't be those with the best pattern-matching algorithms. They'll be the ones who understand how fraudsters exploit vulnerabilities—before billions of dollars walk out the door.
Want to learn more about how Sentinel uses investigative AI to detect sophisticated fraud schemes? Contact us for a demo of our platform.