GM, Welcome Back to the Dead Drop.

Last week we opened this series with a simple thesis: the people you trust are the problem. A Brooklyn banker laundering millions. A Queens daycare bribing the elderly. Both exploited the same vulnerability: the assumption that insiders are trustworthy.

This week, we go bigger. Much bigger.

Because while those schemes operated in the millions, a transnational criminal organization based in Russia was running the same playbook at industrial scale, submitting $10.6 billion in fraudulent Medicare claims using the stolen identities of more than one million Americans. The DOJ called it Operation Gold Rush. It is the largest healthcare fraud case by dollar amount ever charged in American history.

And the product at the center of it all? Urinary catheters.

Starting in late 2022, the organization quietly purchased dozens of small medical supply companies already enrolled with Medicare across the United States. These weren't shell companies built from scratch. They were legitimate businesses with clean billing histories, active Medicare credentials, and established banking relationships. The TCO bought them outright, installed foreign nationals as nominee owners using fabricated corporate records, then flipped the switch.

Within months, these companies began submitting a flood of claims for intermittent urinary catheters, continuous glucose monitors, and other durable medical equipment. The patients named on those claims never ordered the supplies. Never received them. Most didn't even know their identities had been stolen.

The numbers were staggering. Collectively, the scheme companies billed for more than one billion catheters. An HHS investigator noted publicly that the United States may not even have the manufacturing capacity to produce that many in the timeframe the claims covered. Nobody at the point of submission noticed that detail.

Why catheters? Because they're cheap. Low-cost items attract less automated scrutiny than high-ticket equipment or surgical procedures. A single catheter claim doesn't trigger the same red flags as a $50,000 power wheelchair. But multiply that low-cost claim across a million stolen identities, through dozens of companies, and the math gets obscene fast.

Here's where the operation reveals its real sophistication: not in the billing, but in the extraction.

Medicare's payment system works on a split. Medicare covers 80% of approved durable medical equipment claims. Medicare Supplemental Insurance, commonly called Medigap, covers most or all of the remaining 20%. These Medigap insurers are contractually obligated to pay their portion once Medicare processes a claim.

The keyword is "processes," not "pays."

CMS and the HHS Office of Inspector General deserve credit here. Their Data Analytics Team detected the anomalous billing patterns and moved to freeze payments. Of the roughly $4.45 billion scheduled for Medicare disbursement, they blocked all but approximately $41 million. That's a 99% prevention rate on the Medicare side.

But the Medigap insurers kept paying.

Because the system was never designed for this. Once Medicare processes and adjudicates a claim, supplemental insurers automatically pay their portion. Even when Medicare subsequently suspends or freezes payments to the provider, the Medigap checks keep arriving. The organization knew this. They counted on it. And they collected approximately $900 million from those supplemental insurers before the operation was dismantled.

One case illustrates the vulnerability perfectly. A company called Centurion Medical Supplies, operating from a small basement office in North Austin, Texas, submitted claims for over 78,000 items in barely a month, billing roughly $134 million. Medicare suspended payments in October 2025. The Medigap checks continued. When investigators visited the office, two employees were inside. Both had been hired through online job postings to open mail and scan documents. Neither had any idea the company was a front for a Russian-linked fraud operation. One told reporters: "I thought they were doing medical records. I just scan it in."

The money from Centurion's accounts was wired to a shell entity in Hong Kong. The company's operator, a Georgian national named Machutadze, was tracked by federal agents from his Austin apartment to mail stores and banks for weeks before he booked a flight from Mexico to the United Arab Emirates. Authorities arrested him before he could board.

This is where last week's story connects directly.

The organization didn't just need medical supply companies. It needed bank accounts. Accounts that could receive checks from Medicare and established insurance companies, giving the deposits an immediate appearance of legitimacy. To get those accounts, they needed insiders.

Renat Abramov, the Bank of America relationship manager we covered in Part I, was one of those insiders. Operating from the Sheepshead Bay branch in Brooklyn, Abramov opened accounts for at least six fake medical equipment companies between 2021 and 2023. He bypassed know-your-customer (KYC) protocols, ignored nonresident alien status on signature cards, and opened accounts for foreign nationals who couldn't produce valid U.S. residency documentation. When other banks rejected the TCO's account applications, the organization steered its operatives specifically to Abramov's branch.

Investigators documented approximately 1,640 phone contacts between Abramov and one co-conspirator over the relevant period. Communication was coordinated through Telegram. When authorities discovered Abramov had booked a one-way flight from New York to Moscow without requesting leave from his employer, they arrested him, likely at JFK.

Once the accounts were open, the pattern repeated: large Medicare deposits flowed in, showed zero business expenses for actually purchasing or shipping medical supplies, then moved rapidly offshore. One account alone wired more than $865,000 to a Hong Kong trading company in a two-month span. From there, proceeds scattered to shell company accounts across China, Singapore, Pakistan, Israel, and Turkey, with cryptocurrency used to further obscure the trail.

Abramov pled guilty on February 3, 2026 to conspiracy to commit money laundering. It was the first time the DOJ's Health Care Fraud Unit had ever charged and convicted a bank employee for laundering healthcare fraud proceeds. He faces up to 20 years. Sentencing is set for April 20.

Operation Gold Rush wasn't a one-time score. It was a self-sustaining enterprise with built-in redundancy. When law enforcement shut down one company, the organization had already acquired replacements. When one nominee owner was compromised, new recruits were deployed from overseas. The entire digital infrastructure ran through virtual private servers that masked physical locations, concealed IP addresses, and allowed the operation to scale internationally while appearing domestic.

The 11 core defendants charged in the Eastern District of New York include individuals based in Russia and Estonia. Four were arrested in Estonia in June 2025, and the U.S. is seeking extradition. Seven remain at large.

And the operation has already spawned copycats. In a related Illinois case, five defendants used AI-generated fake audio recordings to mimic Medicare beneficiaries consenting to receive medical products. They submitted $703 million in fraudulent claims. Medicare and Medicare Advantage plans paid approximately $418 million before the scheme was detected.

Read that again. Criminals are now using artificial intelligence to fabricate the voice recordings that serve as patient consent documentation. The fraud isn't just scaling. It's automating.

If you're a Medicare beneficiary or have family members on Medicare:

Review every Medicare Summary Notice that arrives. If you see charges for medical equipment you never ordered, especially catheters, glucose monitors, or other durable medical equipment, report it immediately to 1-800-MEDICARE and the HHS OIG hotline. Your identity may already be compromised in one of these schemes. Over 400,000 beneficiaries filed complaints related to Operation Gold Rush alone.

If you work in banking or financial compliance:

The Abramov case is now the precedent. DOJ has established that bank employees who facilitate healthcare fraud money laundering will be personally prosecuted. Review your institution's processes for medical supply company account openings. The red flags are specific and documented: foreign national signatories without valid residency, accounts receiving large Medicare deposits with no corresponding business expenses, rapid offshore wire transfers, and companies with no online presence or verifiable operations.

If you work in insurance or claims processing:

The Medigap vulnerability is the single biggest structural weakness exposed by this case. $900 million walked out the door because supplemental insurers continued paying claims that Medicare had already flagged as fraudulent. If your organization processes supplemental claims, push for real-time integration with CMS suspension data. The contractual obligation to pay should not override fraud intelligence.

Operation Gold Rush reveals what healthcare fraud looks like when it's run by professionals, not opportunists. This wasn't a rogue doctor overbilling or a single clinic padding claims. This was an intelligence operation: compartmentalized cells, encrypted communications, disposable personnel, redundant infrastructure, and an extraction strategy that exploited a systemic vulnerability nobody had bothered to fix.

The organization submitted $10.6 billion in claims. CMS caught most of it. But $941 million still made it out. Law enforcement has recovered $27.7 million. That's a 97% loss rate on seized funds.

The criminals who built this machine understood American healthcare infrastructure better than most of the institutions tasked with protecting it.

Watch the hands, not the face.

Here's a number for you: $20.9 billion.

That's the estimated consumer loss from identity theft tied to just four data broker breaches over the last decade, according to a report released last Friday by the Joint Economic Committee. Not four hundred breaches. Not forty. Four.

Equifax in 2017, impacting 147 million. Exactis in 2018, impacting 230 million. National Public Data in 2023, impacting 270 million. TransUnion in 2025, impacting 4.4 million. Congressional staff applied estimates of post-breach identity theft rates and a median loss of $200 per victim to arrive at the figure. Senator Maggie Hassan, the JEC's ranking member, launched the investigation last July as part of a broader inquiry into financial scams.

The timing is interesting. Not because the findings are new. Because they aren't.

I first testified before Congress on this exact problem in 2022. The structural vulnerability of data brokers, the lack of buyer vetting, the way compromised personal data poisons every identity verification system downstream. The numbers were shocking then, too. They made it through one news cycle. Then everyone went back to arguing about something else.

Four years later, the numbers are bigger, the breaches are worse, and the industry's response is to promise they'll make it slightly easier for you to opt out of databases you never opted into.

To understand how absurd the $20.9 billion figure is as a measure of actual damage, consider this: the 2025 Verizon Data Breach Investigations Report, the industry's most comprehensive annual accounting, analyzed 22,052 security incidents in a single twelve-month window ending October 2024. Of those, 12,195 were confirmed data breaches. The highest number ever recorded in one report. In one year. Congress measured losses from four breaches over an entire decade. The $20.9 billion isn't the true cost of the data broker crisis. It's the cost of the four breaches that were big enough and public enough that congressional staffers could build a model around them. The actual loss figure, if anyone ever tried to calculate it honestly, would make $21 billion look like a service fee.

That opt-out detail deserves your attention. CalMatters, The Markup, and WIRED found last August that dozens of data brokers were using a simple "no-index" tag to hide their legally mandated opt-out pages from search engines. California law requires these companies to provide a way for consumers to request data deletion. The brokers built the pages. Then they buried code that told Google not to show them in search results.

Think about what that means. The state said: give people a door out. The industry said: fine. Then they made the door invisible.

Thirty-five data broker sites were caught doing this. Consumer advocates called it a dark pattern that undermines privacy rights. When reporters started calling, most companies suddenly fixed the problem. Hassan's office contacted five of the largest offenders directly. Four cooperated. One, a company called Findem, declined to engage at all.

But the opt-out sabotage is the sideshow. The real damage is structural, and it's already done.

Consider National Public Data. A background check company run out of Florida by a sole operator named Salvatore Verini. His company's stolen database contained about 270 million Social Security numbers. A hacker going by "USDoD" posted the data on the dark web in April 2024, offering it for $3.5 million. Names, dates of birth, addresses, phone numbers, Social Security numbers. The complete identity kit for the majority of living American adults.

Verini valued the stolen database at $1 million in bankruptcy filings. The company had fewer than $75,000 in total assets. A company with the net worth of a used Honda Civic was sitting on the identity infrastructure of the entire country, protected by security so thin that researchers found the data on publicly accessible servers.

National Public Data filed for Chapter 11 bankruptcy in October 2024, facing lawsuits from attorneys general in more than 20 states and a Federal Trade Commission investigation. By December 2024, it shut down entirely. By mid-2025, the domain came back to life under new ownership.

The data, of course, never came back. It's still circulating on criminal forums. It will circulate forever.

Here's what the congressional report won't tell you, because it would indict the entire system: the data these brokers lost is the same data that banks, insurers, employers, landlords, and government agencies use to verify your identity.

When a lender runs a background check on you, where do you think that data comes from? When an employer verifies your Social Security number, whose database do you think they're pinging? When a fraud detection system compares your application against "known good" data to decide if you're really you, that reference data was harvested, aggregated, and stored by the same industry that just demonstrated it cannot protect it.

This is the poisoned well problem. Every identity verification system built on top of data broker infrastructure is now operating on compromised foundations. The criminals don't need to hack the bank. They already have the answers to every security question the bank will ever ask. Your mother's maiden name. Your previous addresses. The last four of your Social. All of it was in those breaches. All of it is for sale.

And nobody is vetting who buys this data in the first place. The JEC report itself notes that brokers can enable scams by making personal information available to bad actors, and that in some cases, brokers have allegedly sold information directly to scammers. The same industry claiming to help you verify identities is selling the raw material that makes identity theft possible.

Congress is now considering the SAFE Act, a bipartisan bill from Senators Durbin and Lee that would close the "data broker loophole" allowing intelligence and law enforcement agencies to purchase Americans' sensitive information without a warrant. That's a real problem worth solving. But it addresses the government as buyer, not the criminal as buyer.

There is no federal law in the United States that adequately regulates the data broker industry. California has its opt-out requirements. Montana recently became the first state to close the law enforcement data broker loophole. But there is nothing, anywhere, that prevents a data broker from collecting 400 data points on every American adult and storing them on a server with the security posture of a public library Wi-Fi network.

The $20.9 billion figure sounds enormous. It's a rounding error. It captures only the direct losses from four specific breaches, using a conservative median loss estimate. It doesn't account for the cascading fraud enabled by poisoned verification systems, the synthetic identities built on stolen data, or the long tail of exploitation that continues for years after every breach.

The Fraudfather Bottom Line

I said this in a congressional hearing room in 2022, and I'll say it here: the data broker industry has built a surveillance infrastructure that would make any intelligence agency jealous, protected it with the security budget of a lemonade stand, and sold access to anyone with a credit card and a mailing address.

The $21 billion number will make headlines for 48 hours. A senator will give a stern quote. A broker will promise to do better. Nothing structural will change, because the people who profit from this system are not the people who pay when it fails.

You pay. Every Single time.

This is Part I. Next week, we go deeper into the poisoned verification pipeline, how breached data doesn't just enable theft, it makes the systems designed to stop theft fundamentally unreliable.