False Scripts, Real Failures in Credential Control

The guilty plea of a Staten Island pharmacy owner for submitting fraudulent prescriptions to Medicare and Medicaid adds to a growing list of cases demonstrating the vulnerability of U.S. healthcare payment systems, not through complex deception, but through basic credential exploitation.

On July 15, federal prosecutors announced that Thomas Conzo, owner of Elite Pharmacy in Linden, New Jersey, admitted to submitting hundreds of thousands of dollars in false claims between August 2022 and March 2023. Conzo used the credentials of legitimate pharmacists who never worked for his pharmacy to generate and submit prescriptions that were neither authorized nor reviewed by qualified personnel. The fraud ran just seven months before detection, but during that time, taxpayer-funded programs were charged for medications that were never appropriately verified or dispensed.

This case reflects an alarming flaw in how Medicare, Medicaid, and commercial plans authenticate clinical credentials tied to claims. The healthcare system continues to rely on surface-level validation mechanisms that presume credential usage equates to credential authorization. As this case shows, that assumption can be dangerously misplaced.

Identity Misuse Is Not Identity Theft

The Conzo scheme did not involve stolen identities in the traditional sense. Instead, it involved the unauthorized use of real, valid pharmacist credentials to submit prescriptions under false pretenses. This distinction matters—because it highlights a regulatory and operational blind spot in payer systems that verify the existence of a credential without confirming its use in context.

According to a 2024 Office of Inspector General (OIG) report, several state Medicaid programs lack systems to confirm whether the NPI (National Provider Identifier) used in a claim is actively associated with a working relationship at the submitting pharmacy or clinic. This opens the door to schemes like Conzo’s, where documentation appears legitimate but is detached from any actual clinical oversight.

The pharmacy’s use of valid pharmacist NPIs for unauthorized prescriptions raises deeper questions: Why do claims systems not routinely flag mismatches between credential usage and provider rosters? And why are NPIs not paired with real-time verification protocols that tie them to active employment or contractor status?

Pharmacy Fraud Is Not Just an Opioid Problem

Historically, high-profile pharmacy fraud cases have centered on controlled substances, particularly opioids. But the Elite Pharmacy case reveals how routine prescription workflows, unrelated to narcotics, are just as vulnerable to abuse.

The Centers for Medicare & Medicaid Services (CMS) has previously published guidance urging plans to monitor prescription patterns for anomalies, including unusual prescriber volumes or rapid claim escalations from newly enrolled pharmacies. Yet implementation varies widely across state Medicaid agencies and pharmacy benefit managers. A 2023 Fierce Healthcare investigation found that smaller, independent pharmacies are often onboarded with minimal due diligence, particularly when operating under specialty pharmacy designations.

Elite Pharmacy operated for just over seven months before detection, raising concerns about whether licensing boards, PBMs, and Medicaid enrollment protocols are sufficiently robust during the early phases of a pharmacy’s operational lifecycle. Fraud during this “onboarding gap” is not only predictable, it is increasingly common.

Credential Integrity Must Be a Real-Time Mandate

A key lesson from the Conzo case is the need for dynamic credential verification, not just static provider enrollment. Current systems allow credentials to be used long after employment relationships end or, in this case, without any employment at all.

The National Council for Prescription Drug Programs (NCPDP) has called for tighter integration between state licensure boards, PBMs, and claim processors to cross-check NPI usage in near real time. However, implementation remains sparse. A 2024 GAO briefing found that only a fraction of Medicaid programs currently flag pharmacist credentials that appear on claims but do not match active licenses on file at the dispensing location.

This technical lag creates a structural risk. Fraudsters do not need to forge documents or hack systems. They simply need to borrow credentials and operate faster than regulators can detect mismatches.

Beyond Sentencing: Systemic Implications for Compliance Teams

Conzo’s sentencing, scheduled for December, may bring judicial closure. But for compliance officers, payers, and health system executives, it should reopen critical questions about credential governance.

First, how are NPIs and pharmacy identifiers managed within claims engines? Are systems calibrated to detect when a credential is being used outside of its registered site of service?

Second, what onboarding and real-time monitoring capabilities exist across PBMs, Medicaid MCOs, and plan sponsors to verify active employment or authorization status?

Third, how can payer networks and regulators collaborate to implement credential-reconciliation tools that flag potential mismatches before disbursement?

The infrastructure to address these questions exists. What remains lacking is the mandate, and accountability, for applying it in operational practice.

Fraud Tactics Will Continue Evolving. So Must Verification Models.

The fraud in this case was not novel in its structure. It did not rely on technological sophistication or insider hacking. It relied on the assumption that once a credential is approved, its use will not be questioned. That assumption continues to expose systemic weaknesses at the intersection of healthcare payments and provider identity.

For health systems and payer organizations, this case should serve as more than a cautionary tale. It is a call to move credential verification out of the realm of enrollment paperwork and into live claim streams. Until verification is integrated into daily operations, not just compliance checklists, fraud will remain a low-risk, high-reward endeavor for bad actors with access to basic credentials.