CMS Administrator Dr. Oz has been on a veritable press tour trumpeting the supposed rampant fraud in Medicaid and other government programs, which nationally he claims could add up to as much as $100 billion, presumably in a single year – though he hasn’t specified a timeframe. The White House recently established the Task Force to Eliminate Fraud, targeting state-administered programs that receive federal funding, to be overseen by the Vice President, and some states have received Congressional inquiries (KFF, Figure 3) about potential fraud in Medicaid. As my colleague Andy Schneider has thoroughly explained in his series about waste, fraud, and abuse in Medicaid, these are complex issues, and while we all want to stop fraud in Medicaid, the current administration efforts are punitive and not focused on collaborating with the state improve Medicaid fraud detection and prevention.
Dr. Oz and the current administration are also treating fraud in health insurance as though it is unique to government programs (it’s not) and as though it is a new issue (it’s not). So, what laws are already in place governing fraud against Medicaid? And what have states been doing about it?
Medicaid fraud is being addressed by ongoing efforts
State Medicaid agencies are in the best position to identify and address fraud within their programs. Under federal Medicaid law, these agencies are legally responsible for identifying and investigating suspected fraud cases, often via Program Integrity Units (PIUs), and referring them to law enforcement officials. Another protection is having a Medicaid Fraud Control Unit (MFCU; 42 CFR 455.13; 42 CFR 455.21) that is external to state Medicaid agencies. All 50 states, DC, Puerto Rico, and the U.S. Virgin Islands operate a MFCU, which are overseen, certified, and federally funded by the U.S. Department of Health and Human Services Office of the Inspector General (OIG).
Released last month, OIG’s annual report shows that MFCUs recovered $2 billion in fiscal year 2025 (FY25) from 1,185 criminal convictions and 674 civil settlements. The number of both criminal and civil cases are down from pre-pandemic levels, but rising since lows in 2020 and 2023, respectively.
In criminal cases, $17 million was recovered from patient abuse and neglect cases, and $1.2 billion of the recoveries were from fraud cases. Approximately half — $650 million — of the criminal fraud recoveries was from a single case in Virginia in which McKinsey settled criminal charges against it for fraudulent conduct in the aggressive marketing of prescription opioids. The remainder of the recoveries by MCFUs nationally were from civil cases, with pharmaceutical manufacturers accounting for the largest number of civil settlements. Tables available for download were also released alongside the report showing how each individual state is performing and, while there is always room for improvement, many are delivering results.
Importantly, nearly all Medicaid fraud is perpetrated by providers, not enrollees, which the OIG report delineates by type. Personal care service attendants were the provider type involved in the most fraud convictions by a wide margin, followed by non-residential mental health facilities, nurses, non-emergency medical transportation providers, and durable medical provider distributors. Available as an option since the 1980s, home- and community-based services (HCBS) have seen rapid growth as a product of many years of policy shifts away from expensive institutional care. With our nation’s aging population and overburdened healthcare system, the shift toward HCBS is a positive one, but it comes with many challenges like workforce shortages and program integrity. For this reason, electronic visit verification (EVV) was established under the 21st Century Cures Act for all Medicaid personal care services and home health services, requiring states to implement this additional validation system matching visit information to Medicaid claims to ensure accuracy.
Aside from MFCUs, there are additional program integrity regulations that states must adhere to, as well as contractual requirements for managed care organizations (MCOs) aimed at detecting fraud within the insurer’s networks.
State efforts are evolving and showing results
MFCUs are cost effective: they recovered $4.64 for every $1 spent on their operation in FY25. Some states do even better; Tennessee reported a return on investment of around $10 for every $1 spent on their MFCU (in FY22). State efforts are also continuing to evolve, both within and aside from MFCUs:
- Illinois created a position dedicated to managed care program integrity, titled the Chief Managed Care Program Integrity Officer under their Medicaid department’s OIG office in FY24.
- Minnesota’s Governor Tim Walz signed an Executive Order in September 2025 emphasizing his administrations recent actions to combat fraud, like hiring new inspectors general at various state agencies, and ordering new actions be taken by the Department of Human Services, like immediately disenrolling providers who have not billed for services in the last 12 months. He also announced a new statewide Director of Program Integrity to strengthen fraud prevention efforts. Meanwhile, the Minnesota legislature continues to consider the Bipartisan Medical Assistance Protection Act (HF2354; SF2689) following introduction last year that increases criminal penalties for Medicaid fraud and expands the state attorney general’s power to subpoena financial records during fraud investigations.
- Virginia recently joined other states by swearing-in a subset of their MFCU investigators to allow them powers of law enforcement, as reported in their MFCU’s quarterly newsletter. Their FY24 annual report comprehensively details open investigations, convictions, and recovery amounts for criminal and civil cases by provider type. This same report shows the amount of recoveries that the Virginia MFCU has made in total since their inception in 1983: $4.1 billion over 43 years.
Finally, though low compared to the number of people covered and providers in MCO networks, fraud referrals to MFCUs from MCOs have been increasing over the last 5 years, hitting a high in FY25 of nearly 6,000 referrals from which 1,134 cases were opened. MCOs operate under contracts with the state to cover their Medicaid population and develop a provider network, making them a clear touch point for both patients and providers. This is evidence that the contractual requirements of MCOs to refer suspected fraud to MFCUs are working and could be further enhanced by incentives.
Conclusion
There is fraud against Medicaid, as there is against Medicare and private health insurance companies. The federal government should do what it can to help state Medicaid agencies, which administer the program on a day-to-day basis, hold bad actors accountable and fight fraud in systematic and sustainable ways. While federal regulations provide an important baseline for integrity in Medicaid, states are better positioned than the federal government to identify and resolve issues of Medicaid fraud and already have systems in place that should be strengthened to protect against new fraud schemes. The relevant entity at the Department of Health and Human Services, whether CMS or OIG, should find areas for collaboration with states to improve fraud prevention and detection, such as bolstering MFCU funding, ensuring effective implementation of EVV for home-based care, and supporting infrastructure to monitor providers of all types like non-emergency medical transportation and durable medical equipment providers.