John Mininno slaps two pieces of paper onto an overhead projector. “Look at this,” he says. “You see how one form is a photocopy of the other—with just the date changed? It’s exactly the same paper!” The printouts are mere insurance forms, but Mininno is genuinely pissed off about them. “They’re allowed to bill for that procedure again six months after they first provide it. That date is six months to the day!”

Not everyone can get this worked up about insurance forms. But to Mininno, these are a combination of smoking gun and a slap in the face. Together they clearly show that someone is ripping off Medicare. But perhaps what’s worse is that someone is being really lazy about it.

If Willie Sutton had to choose a criminal career today, he’d be ripping off Medicare too. As the bank robber supposedly said: That’s where the money is. The program spends more than $600 billion a year on health care for 54 million people, most of them seniors. It is a massive pool of underguarded funds ripe for skimming. By the government’s own accounting, fraudsters scammed $60 billion from Medicare in 2014, and the losses are growing. Since 2007 more than 2,300 health care providers have been charged with fleecing Medicare, and more than 1,800 defendants have been convicted of felony offenses, ranging from claiming phantom services to performing unnecessary surgeries.

Finding a whistle-blower requires a nose for mischief, a gift for persuasion, and the technical chops to identify patterns in thickets of diagnostic codes and billing data.

Scams are run so often, by so many people, that dedicated government investigators can’t keep up: In 2014 prosecutions initiated by the government led to a mere 31 settlements yielding $88 million in fines. Luckily, there is another defense against Medicare fraud: whistle-blower lawsuits. Under the federal government’s false claims statute, any insider can sue a company that’s providing fraudulent services, on the government’s behalf. If the whistle-blower lawyers are successful, the plaintiffs collect 15 to 30 percent of the settlement as a bounty. In 2014 there were 469 of these health care fraud settlements—many involving huge pharmaceutical corporations and hospital networks—resulting in $2.2 billion in fines.

The problem is that even with this financial incentive, whistle-blowers can be skittish about coming forward and often are ill-prepared to present solid evidence. “When a whistle-blower goes to the government by himself,” says Patrick Burns, an antifraud activist in Washington, DC, “the whistle-blower is disorganized. They’re hot, and they don’t stick to just the facts. He’s pissed off because he was fired, and when angry people call you up, you just assume, ‘Crazy loser, you’re a nut job.’”

Professional whistle-blower lawyers are much better at arguing a convincing case. But lawyers aren’t always the best investigators. Sometimes finding an insider requires a nose for mischief, a gift for persuasion, and the technical chops to identify nonobvious patterns in impenetrable thickets of diagnostic codes and billing data. Sometimes it takes a bounty hunter. Someone like John Mininno.

A broad-shouldered former college linebacker who speaks in the blue-collar brogue of central New Jersey, Mininno is an unlikely big-data entrepreneur. After working his way through law school, he spent 18 years representing victims of medical negligence. What he saw made him angry. “I had a wrongful death case, a woman who went into a nursing home for rehab on a hip fracture,” he says. While under the facility’s care, the woman suffered a host of injuries, from a fractured tibia and ankle to severe pressure sores. Mininno argued in court that her death was preventable, had anyone simply repositioned her from time to time. “They put her in a room, they billed her insurance, and they didn’t pay attention to her. It became clear to me that these were large corporations trying to monetize people’s insurance. It’s disgusting.”

Over the years, Mininno developed a reputation as a lawyer who knew how to find evidence of fraud in billing patterns, and in 2011 he was approached by a financier who needed help vetting some investments in health care companies. Were these companies really profitable, or were they padding their financials with fake Medicare billings? He asked Mininno to shine a light and see if any cockroaches scurried out of those company records.

Around this time, a mountain of information on health care providers was becoming publicly available. In response to a Freedom of Information Act verdict, the Centers for Medicare and Medicaid Services (CMS) released data on tens of thousands of medical practices. It was a detailed catalog of all the procedures those practices provide to seniors and what they’re paid to provide them. At the same time, various citizen journalists and data scientists were using Freedom of Information Act requests to get CMS data on physician referrals, which they assembled into a map of doctors who refer patients to each other—a network with 50 million connections—and the prescribing patterns of those doctors.

As a lawyer, Mininno looked at this trove and thought, “This is a massive business opportunity.” Whistle-blower law firms have to advertise, because they need informants to come out of the woodwork. Then they need to qualify those sources—do they have enough evidence? Then they have to figure out whether the scale of the fraud (and thus the likely payout) justifies the work they’ll have to plow into it, because they don’t get paid unless they win. This is time-consuming and expensive.

From his days as a lawyer and his work looking through company medical records, Mininno knew what kind of footprints to look for in the data: what the scams are and how those scams are coded up for reimbursement. Without this knowledge, algorithms will churn up thousands of false positives. For example, you can’t look at just medical practices that administer high volumes of pricey medications—there are doctors who legitimately administer extremely expensive injectable drugs, like chemotherapy, in their offices. There are clinics in areas where patients are sicker, and therefore more expensive to care for, than the general population. In other words, there are plenty of legitimate reasons for outliers to be outliers.

People skip doctor visits during heavy snowstorms, so insurance claims should drop in bad weather.

Fraudsters aren’t necessarily the biggest billers—it’s a bit of a myth that fraud lives at the end of a bell curve. But they do have some distinctive ways of doing business, if you know what to look for. Mininno realized he could build a business around using data to find certain patterns, identify likely informants (usually former employees), and turn them into false-claims plaintiffs. He didn’t have to wait for whistle-blowers to walk through his door—or advertise like the big whistle-blower law firms. He could use analytics to troll for sketchy providers and insiders, transforming that rare, long-odds game into a quantitative, target-rich discovery process with gumshoe work on the back end. Mininno pitched the idea to his Wall Street client, who became his angel investor. The National Healthcare Analysis Group was born.

If you’re hunting for a big-game trophy, the first thing you’ve got to do is eliminate the targets that have already been tagged—only the first plaintiff to file gets a payout. So Mininno designed a system for combing through SEC filings to eliminate health care organizations that were already being investigated.

To identify potential informants, his developers assembled a database of 70,000 health care workers and their employment histories, scraped and extracted from publicly available sources. The ideal informants are well-qualified nurses who worked for a suspicious clinic, but only for a few months, then immediately got another job. They were obviously good employees, but something they saw on the job likely made them leave. Mininno cold-calls them. “For the most part,” he says, “people are open and honest and want to tell their story.”

To wrangle Medicare billing data, he became the first paying customer of a Portland, Oregon, startup called Carevoyance, which had cross-linked dozens of databases to identify referral networks. If a practice has been investigated, it’s worth knowing who sends them patients, or vice versa.

5 Red Flags That Signal Fraud —————————–

Medical offices and health care companies may look normal in a database, but apply a sufficient dose of statistical analysis and the fraudulent operations reveal themselves. The algorithms look for certain signals.

1. Lack of randomness

When claims are filed with metronomic precision—if every patient gets billed for a follow-up procedure on the very day that procedure becomes billable, or if there’s no dip (or spike) in patient visits on snow days or holidays—that indicates a problem.

2. No patient ever gets better

When patients get released from the hospital, they might receive follow-up visits at home from nurses. Some patients should need fewer visits than others, of course, so if every case is dire and requires the maximum allowable visits, it’s worth looking into.

3. Bunchy billables

The number of procedures that a patient population really needs should have a bell curve distribution. But if an analysis of the billing shows a bunchy distribution—with leaps in frequency clustered around thresholds for more payment—that suggests treatments are being given to maximize revenue.

4. Running with a bad crowd

Practices aren’t necessarily guilty by association. But as in social networks, similar types tend to associate with one another. If a provider is enmeshed in business relationships with practices that have been investigated for fraud, it might not be squeaky-clean, either.

5. Self-interested referrals

Whether it’s a huge pharmaceutical company like Valeant (recently investigated for using a captive pharmacy to steer prescriptions) or a physician-owned radiology lab that gets most of its referrals from its owners, conflicts of interest in health care abound. Another, related dodge: physicians who refer patients to a practice where they don’t provide services but are paid as “medical directors.” That runs afoul of antikickback statutes.

To catch a crook, it helps to think like a crook. And crooks cut corners. Sometimes, they’re too cheap to resolve contradictions between their Medicare claims and what they tell state tax authorities. So when Mininno sees a practice where, according to Medicare records, nurses never miss a day’s work, he pulls unemployment claims. Because when aides are laid off, they file for unemployment. But their bosses, who’ve been billing for the services of these never-absent, superproductive health workers, try to duck unemployment claims by asserting they were fired for not showing up for work. The billing data, which shows indefatigable employees, and the employers’ claim that these same nurses were absent and unproductive can’t both be right. Such a practice is a likely candidate for investigation. There are ways, Mininno says, to “poke holes in the perfect paperwork and the perfect data.”

But data, algorithms, and geeks weren’t enough. To get his venture going, Mininno needed his first insider, one willing to put their lips on the whistle and blow. Then he had a lucky break. A source from his days working for that Wall Street investor called and said: “There’s a gentleman who’s been sharing some stories with me. You might want to talk with him.”

Mininno walked through the double glass doors of a Midwestern diner. He was meeting Alex, the nurse his source had hooked him up with. The guy was built like a refrigerator. He hadn’t shaved in days, and he was hungry for pancakes.

“You must be John,” he said. Mininno nodded. They followed the hostess back to a table where they sipped coffee and made small talk. As Alex demolished an extratall stack of blueberry pancakes with powdered sugar, Mininno described his company’s mission: Nail the bad guys and compensate people who step forward with the evidence to make that happen.

A weight seemed to lift from the informant’s mind. He’d been working at a home health clinic that sent nurses to help people after they’d been released from the hospital, and the clinic was essentially stealing money from the government, he said. He knew what he’d seen was wrong. But he hadn’t known there was anything he could do to stop it. And now Mininno was offering a share of the settlement if he could help prove the company had engaged in fraud.

“I’m in,” Alex said. (Some names and identifying details in this story have been changed.) Over the next three hours, he laid out the machinations of a Medicare profit mill: Nurses were instructed to skip patient assessments and provide services whether seniors needed them or not. Patients who needed more visits didn’t get them, because repeat visits lowered profitability. The practice plied retirees with free trips to casinos and paid doctors kickbacks for referrals.

“Dirtbags,” Mininno thought. “This is incredible. But I need the nuts and bolts.” Was there anyone else with access to records that could prove this? “The IT guy,” Alex replied. “He lives in Atlantic City. He runs all the computers.”

WIRED

A few weeks later, Mininno shuffled into a casino. He stood in the doorway as poker players stared at their cards. He had no idea which one to look for. Then, from the table closest to the door, a sharp set of eyes in a sharp-featured face looked straight at him. It was his guy, a computer programmer named Oscar. He was conspicuously alert, intelligent, the kind of guy who thinks a hundred miles a minute and doesn’t need much sleep. At night, he played poker. By day, he ran the IT infrastructure for Alex’s erstwhile employer, which had mushroomed into a multimillion-dollar operation.

Over steaks, Mininno gave his pitch some torque. “Listen,” he said, “if I’m here talking to you about your employer—if our little company can find this—it’s only a matter of time before someone goes to the authorities.” There were two options: Help the investigation before the company was busted and collect a slice of the settlement, or be interrogated later as the head geek of a fraudulent organization.

“I need some time to think about this,” the programmer said.

“Take all the time you need.”

A month later Mininno got a data file from Oscar. The numbers showed systematic gaming of Medicare reimbursement rules. One part of the scheme allegedly worked like this: Medicare pays a provider based on the number of visits to a patient’s house in a 60-day period. If the provider makes up to nine visits, it gets reimbursed $2,200. For 10 visits or more, the provider gets an additional $2,200, because the case is assumed to be more severe and complex. A chart of visits per patient in 2007 showed that five times as many patients were getting 10 visits than were getting nine visits. When Medicare changed its rules in 2008 to set payment thresholds at six, 14, and 20 visits, the frequency distribution shifted dramatically to maximize revenue at the new thresholds. Jacking up the number of visits just to get over those thresholds is fraud, because the only legal basis for Medicare reimbursement is medical necessity—not profit maximization.

Meanwhile, Mininno was using the employment database to find nurses who could confirm they’d been instructed to visit each patient once a week, regardless of whether the patient needed those visits (or required more frequent visits). Ultimately, Mininno worked with a law firm, which filed a false-claims lawsuit against the company in the spring of 2012. The Department of Justice reviews such cases and triages through them, looking for cases with merit. After two years of bureaucratic review, a Department of Justice task force pulled a warrant for a raid in 2014, and the case is now grinding through the settlement process. Since 2012, Mininno and the lawyers he works with have filed around 40 lawsuits, which means more raids, prosecutions, and settlements are likely in the coming months and years.

Back at his office in a rented Victorian in New Jersey, Mininno is talking about snow days. His practice is expanding (he’s currently searching for a data scientist with a public health background), and he’s looking into potential new cases. His staff also includes a part-time private investigator, and he has software developers and statisticians on contract. One of the latter, Brandon Cosley, has written a query for Medicare claims during weather emergencies.

On snow days, people usually reschedule nonemergency appointments. They stay in bed instead of driving to the doctor. Emergency rooms will see an uptick in visits because of car accidents and cardiac events triggered by snow shoveling, while regular doctors’ offices will see a drop. But providers filing for phantom services make the same number of claims in the middle of Snowpocalypse as they do the day before and the week after. They bill as if the day was totally normal, even if it was not a normal day at all. If there’s a hallmark of fraud, it’s a lack of variability—the missing randomness of people and their bodies and behaviors. Fraud is algorithmic and invariable because it’s optimizing revenue, not meeting human needs.

This is the kind of thinking—a sense for where billing patterns don’t match the practice of medicine—that can differentiate legitimate providers from billing mills that are ripping off Medicare and, by extension, taxpayers. It’s a marriage of convenience between the government and the bounty hunters, explains Patrick O’Connell, who headed up the Texas Medicaid fraud division from 1999 to 2007, before becoming a whistle-blower attorney. “The government has a tendency to not like whistle-blowers who are just in it for the money. They prefer someone pure,” he says. But in reality the government can’t afford pure. It doesn’t have enough lawyers to take on the teams of $1,000-an-hour attorneys that big health care operations tend to hire. These lawsuits, he says, are “the greatest outsourcing program in American history.”

A gigantic government operation is always going to be an appetizing target for skimmers, rule benders, and straight-up crooks. Data science is part of the answer. Lawyers are still necessary. But to extract the dirt from the data, you need to understand how human beings might be tempted to manipulate the truth—and where they fail to cover their tracks. There is no app for that.

J. C. Herz (@jcherz) is the author of Learning to Breathe Fire.

This article appears in the March 2016 issue.