Following a detailed account of how scam artists can easily gain access to health care cash, six Democratic senators this week sent a letter to federal regulators urging them to “close loopholes” that allow “bad actors” to commit fraud.

The letter came in response to a recent story by ProPublica and Vox that traced the brazen scam of a Texas personal trainer, who despite having no medical credentials was able to submit a blizzard of fake bills with some of the biggest insurance companies in the country and recoup millions. The story revealed not only how David Williams exploited weaknesses at each step, but also that the insurers were extremely slow in responding to his ongoing fraud.

Williams’s con, for which he was later prosecuted, was initially enabled by the Centers for Medicare and Medicaid Services. The federal agency issues and administers National Provider Identifiers, or NPIs, the unique numbers medical providers need to bill insurance plans. ProPublica found that Medicare doesn’t check the credentials of medical providers who apply for NPI numbers, such as whether they have valid licenses, which means scammers can lie to obtain them. Williams obtained at least 20 NPI numbers and used them to bill insurers.

The insurers he scammed — Aetna, Cigna, and UnitedHealthcare — then allowed his fraud to proceed for years, largely unchecked. The companies also failed to verify that Williams was a licensed physician, even as he billed them for complex, and expensive, office visits as an out-of-network provider. Instead, they paid him more than $4 million over four years, despite alerts from his ex-wife and her dad about his scam. Williams was convicted on four counts of health care fraud in 2018 and sentenced to about nine years in federal prison. The insurers declined to comment on his fraud.

Related What can be done right now to stop a basic source of health care fraud

Current and former investigators for health insurers and federal prosecutors said the simplicity of Williams’s scam, combined with weak oversight and enforcement, raises questions about what’s being done to combat rampant health care fraud. Experts estimate that fraud consumes about 10 percent of the country’s $3.5 trillion health care tab — although the story found that large swaths of fraud are not being tracked. Those losses are eventually passed on to the public in the form of higher monthly premiums and out-of-pocket costs as well as reduced benefits.

In their letter, the senators asked the leaders of the Department of Health and Human Services and its Medicare division to detail what they’re doing to fix gaps in the system that allow fraud to flourish, including what measures Medicare has taken to strengthen the requirements for obtaining an NPI number. “Commercial health plans and their enrollees depend on the validity of federal provider identification systems in order to ensure that patients’ dollars are well spent,” the senators wrote.

In a separate email, Sen. Catherine Cortez Masto of Nevada, who spearheaded the response, said ProPublica’s reporting “highlighted an area where the government could be stemming fraud but isn’t.”

She and her colleagues, she said, “want to know how CMS is using its authority to safeguard against health care scams like the one David Williams carried out for years.”

And she noted that if the senators “find that the agency can be doing more, then we will look to arm CMS with the tools it needs to protect patients and taxpayers, or hold them accountable for the failure to use tools already at their disposal.”

A spokesperson for Medicare said the agency would not comment on the senators’ letter but would be responding to it. The agency has previously said that federal regulations don’t allow it to verify the licenses of NPI applicants. In their letter, the lawmakers said they would work with the regulators to identify any authority Medicare needs to address the security gaps.

In an email sent to ProPublica after the Williams story was published, Medicare officials quibbled with the story’s description of the NPI as “essentially the key that unlocks access to health care dollars.” A Medicare spokesperson said the phrase overstated the NPI’s significance because the identifier doesn’t guarantee payment or enrollment in a health plan or that the provider is licensed.

But Medicare’s own literature says medical providers and plans “must use NPIs” in their financial transactions. Any claim submitted for payment is required to include a valid NPI.

Medicare also asserted that providers must enroll with a health insurance plan to get paid. That’s true for Medicare, which covers people who are disabled or over age 65. But it’s often not the case with private insurers. The Williams story showed how “out of network” providers — those who are not part of a private insurer’s network — can still get paid.

Joe Christensen, who spent five years as a director in Aetna’s Special Investigations Unit and 13 years as director of Utah’s insurance fraud division, said health plans typically pay out-of-network claims without checking the providers’ credentials. He said that makes the integrity of NPIs essential. “Anybody with an NPI can bill,” Christensen said. Others experts told ProPublica the same thing.

Out-of-network billing is common with private insurance plans. A JAMA Internal Medicine study published this week showed that about 42 percent of privately insured patients at in-network hospitals got out-of-network bills in 2016. If providers’ licenses are not verified when they obtain an NPI, or when they submit an out-of-network bill to a commercial insurer, it creates a massive opportunity for scammers.

The Williams story also detailed the sluggish response of insurers to clear evidence of fraud. Williams’s ex-wife, Amy Lankford, and her father, Jim Pratte, discovered the fraud by happenstance and reported it to regulators and the insurers for years. Even after the insurers had ascertained that Williams was not a doctor, they continued to process his bills and pay him because he used new NPIs.

In their letter, the senators also asked what Medicare could do to hold insurance companies accountable for their response to fraud.

On Tuesday, Pratte said the senators’ letter gave him hope. “It’s totally ridiculous,” he said. “Common sense would say you have to have some kind of credentials verified before an NPI can be issued.”

Verifying NPI applicants’ credentials “would be a simple and significant step in addressing those issues,” Pratte said.

The letter was signed by Sens. Cortez Masto, Sheldon Whitehouse of Rhode Island, Maggie Hassan of New Hampshire, Tammy Duckworth of Illinois, Michael Bennet of Colorado, and Bob Menendez of New Jersey. The senators requested a response, in writing, by September 9.

Have you worked in health insurance or employer-sponsored health benefits? ProPublica is investigating the industry and wants to hear from you. Please complete this brief questionnaire.