When Provider Numbers Become Passwords

A one-year-and-a-day federal sentence rarely changes the trajectory of Medicaid fraud on its own. The bigger signal comes from the mechanics of the scheme. In a February 10, 2026 announcement from the U.S. Attorney’s Office for the District of Connecticut, a licensed substance use counselor admitted to billing the Medicaid program for psychotherapy sessions that were not provided, then attempted to withstand scrutiny by producing false clinical documentation during an audit. The facts are local. The vulnerabilities are national.

Behavioral health is the easiest place in modern healthcare financing to confuse “care happened” with “paper exists.” That gap is not just a fraud vector. It is also a reflection of how access, clinical reality, and payment policy collide in a care domain already short on capacity and long on administrative friction. Any serious program integrity strategy has to close the gap without turning it into a locked door for legitimate providers and patients.

Behavioral health is a fraud target because it is also an access target

Behavioral health and substance use treatment depend on longitudinal relationships, subjective symptom reporting, and care plans that evolve in small, frequent increments. Unlike imaging, labs, or procedures, many outpatient counseling services leave behind limited objective artifacts. Payers rely on time-based codes, progress notes, and a rendering provider identifier. When those inputs are treated as sufficient proof, a provider number can start functioning like a password.

That design choice made sense when claims volume was lower, documentation was paper, and abnormal patterns were more visible at a human scale. It breaks down in a world of high-throughput billing, widespread subcontracting, and staffing instability. It also breaks down when program rules allow broad flexibility in where and how services are delivered, but oversight tools remain built for a slower era.

The Connecticut case underscores a familiar pattern: fraud does not require sophisticated clinical deception. It requires operational permission. Once a bad actor can submit claims under a legitimate enrollment record, the system often defaults to “pay and chase,” especially for services that look clinically plausible and fall below the radar of high-dollar utilization controls.

Audits that arrive years later create a predictable playbook

The most revealing detail in many Medicaid fraud cases is not the initial false billing. It is the second-stage behavior when oversight begins to ask questions. In Connecticut, the attempted concealment involved providing fraudulent patient records in response to an audit. That is not a loophole. It is a feature of delayed detection.

When scrutiny begins long after the billed dates of service, real care teams have changed, patients have moved, documentation systems have migrated, and memories have faded. Fraudsters take advantage of that fog. Legitimate providers suffer under it, too, spending months reconstructing documentation to prove compliance rather than improving care delivery.

The Centers for Medicare & Medicaid Services explicitly frames Medicaid program integrity as a combination of prevention, detection, and recovery, including contractor audits and provider education through the Medicaid Integrity Program. The core model remains visible on CMS’s own program integrity overview. The challenge is that recovery-focused oversight is structurally disadvantaged in behavioral health, where documentation is easier to fabricate and harder to disprove after the fact.

Improper payments are not fraud, but fraud hides in the same shadows

A persistent policy mistake is to treat “improper payments” as a synonym for “fraud.” CMS is clear that the Medicaid Payment Error Rate Measurement program is not a fraud rate; it measures payments that fail to meet program requirements. That distinction matters because most errors are administrative. The PERM program description makes that point directly, and it aligns with broader analyses from organizations such as the Center on Budget and Policy Priorities that emphasize documentation and eligibility issues as major drivers of measured error in Medicaid.

But the distinction can become an excuse to underinvest in the gray zone where errors and intentional deception overlap. Fraud thrives where compliance processes are inconsistent, provider screening is uneven, and documentation requirements are unclear enough that fabricated records can pass a superficial review.

The policy response cannot be to turn counseling notes into litigation-grade transcripts. It has to be to improve the credibility of proof that services occurred, and to make falsification harder than compliance.

Provider screening is necessary, but not sufficient, for behavioral health

Bad actors often enter programs through gaps in enrollment controls. CMS has acknowledged that provider screening and enrollment remain foundational to prevention. The agency’s Comprehensive Medicaid Integrity Plan for FY 2024–2028 highlights screening and revalidation as key tools to keep ineligible or high-risk providers from billing in the first place.

Yet behavioral health fraud frequently involves credentialed professionals, not only fake entities. Licensure and enrollment check the “who.” They do not continuously validate the “did it happen” in a way that scales. When billing rights can be effectively leased through a rendering provider number, screening becomes a one-time gate in front of a long hallway.

That is why program integrity strategy needs to move from static credentialing to continuous monitoring, especially for services where the documentation is inherently narrative.

The oversight stack that fits behavioral health

A more realistic integrity approach for outpatient counseling and substance use services has to combine several layers, none of which is sufficient alone.

First, identity and attestation controls should become tighter without becoming punitive. If a claim requires a rendering clinician identifier, the operational environment should make it difficult for someone else to use it casually. In other industries, credential theft is treated as a security problem, not an auditing problem. Healthcare remains behind that curve.

Second, prepayment analytics should be deployed more selectively. The goal is not blanket prior authorization. The goal is targeted friction where patterns suggest elevated risk: impossible schedules, extreme daily volumes, repeated high-duration sessions, or billing profiles that diverge sharply from peers. The Government Accountability Office has repeatedly emphasized the complexity of estimating and overseeing improper payments in Medicaid, including managed care, and the need for stronger oversight mechanisms. GAO’s June 2025 report on Medicaid managed care improper payment estimates illustrates how methodological and oversight gaps can persist even when measurement improves. (See GAO’s product page for GAO-25-107770.)

Third, documentation integrity should shift from “more text” to “better corroboration.” A counseling note can be fabricated in minutes. Corroboration is harder: consistent timestamps, appointment scheduling traces, treatment plan continuity, and patient outreach records. The goal is not surveillance. It is traceability.

Fourth, audit timing should change. Retrospective audits will always exist, but behavioral health needs faster feedback loops that catch anomalies early enough that real records still exist and patients can still be contacted. That is as much about operational design as it is about enforcement budgets.

Enforcement still matters, but it should not be the first line of defense

Federal investigations do not happen by accident. They are built on coordination, data, and sustained attention. In Connecticut, the case involved the U.S. Department of Health and Human Services through the HHS Office of Inspector General and the Federal Bureau of Investigation, with state support from the Connecticut Department of Social Services. That interagency posture is an asset.

HHS-OIG has also signaled, through its public work planning, that Medicaid payment vulnerabilities remain a continuing priority. The agency’s Work Plan and its Medicaid-focused project listings show ongoing attention to questionable billing patterns and payment compliance in service categories where documentation and oversight are difficult at scale.

But law enforcement should remain a backstop, not the primary control environment. When criminal cases become the most visible integrity mechanism, the system is already operating in “recover and punish” mode. That is expensive, slow, and unevenly deterrent—especially for smaller-dollar fraud that can be replicated across many providers.

The more durable deterrent is a claims ecosystem where fraudulent billing is harder to execute, easier to detect quickly, and more likely to trigger administrative action before it matures into a multi-year scheme.

What the Connecticut case should trigger in state strategy discussions

The lesson is not that more audits are needed. The lesson is that behavioral health requires a different integrity architecture than physical medicine.

States and CMS should treat rendering provider identifiers as high-risk credentials and modernize the operational assumptions around their use. High-volume outpatient counseling billing should be continuously monitored, not periodically sampled. And documentation policy should emphasize corroboration and continuity rather than length and narrative flourish.

Most importantly, program integrity cannot be framed as the enemy of access. Fraud and weak controls siphon dollars away from legitimate providers, distort the perceived cost of behavioral health, and invite blunt policy responses that inevitably land on compliant clinicians and vulnerable patients. The most effective integrity systems are the ones that narrow their focus: friction where risk is elevated, speed where delay enables deception, and clarity where ambiguity invites manipulation.