Phishing Requests

Brittany Gonzalez
07-23-2025
Blog

What You Need to Know

CMS recently announced a fraud scheme that is targeting Medicare providers and suppliers. The scammers are impersonating CMS and falsely claiming to be part of a Medicare audit. More specifically, they are requesting medical records or payment of alleged Medicare debts via fax or email. Unless specifically requested by the provider, legitimate requests for medical records are typically sent via mail or courier services, and Medicare overpayment collections are handled through an established process with your Medicare Administrative Contractor (MAC). CMS does not request overpayments or initiate audits by requesting medical records via fax or email.

Valid medical record requests come from a defined Medical Review Contractor and include the beneficiary’s name along with relevant details such as date of service, claim number, and/or items billed. Some auditing contractors may use the CMS logo on their cover sheet or letterhead, but they will also include their company name and/or logo. Here is a list of the current DMEPOS Medical Review Contractors:

  • DME Medicare Administrative Contractor (DME MAC)

-Noridian: Jurisdictions A and D 

-CGS: Jurisdictions B and C

  • Supplemental Medical Review Contractor (SMRC)

-Noridian

  • Comprehensive Error Rate Testing (CERT)

-NCI Information Systems: CERT Review Contractor

-The Lewin Group: CERT Statistical Contractor

  • Recovery Audit Contractor (RAC)

-Performant: Previous DME RAC

-Cotiviti: New DME RAC

  • Unified Program Integrity Contractor (UPIC)

-CoventBridge Group: Midwestern region 

-Qlarant: Western and Southwestern regions 

-Safeguard Services: Northeastern and Southeastern regions

  • Office of Inspector General (OIG)

-U.S. Department of Health & Human Services (HHS)

What This Means for You

If you receive a medical records or overpayment request via fax or email, don't respond. Furthermore, if you receive a phone call as a follow-up to the request, it is not valid; CMS will never call to request records. All valid requests will typically be sent in the mail and include the information listed above, including the name of the auditing contractor. If you receive a suspicious medical record or overpayment request, work with either your Medical Review Contractor or your DME MAC, respectively, to determine if it is real.

Click here to read the official announcement from CMS.