Direct Answer

Medical and government disability fraud is a documented, measurable problem, but the scale of confirmed fraud is substantially smaller than public perception suggests. The federal government provides a stack of free, authoritative public databases that investigators, journalists, and oversight advocates can use to detect patterns, verify provider credentials, and cross-reference exclusion records. Open source intelligence tools like Maltego, SpiderFoot, and the OSINT Framework can connect those public records into actionable profiles. This piece documents what those tools are, where the authoritative data lives, and how the pieces fit together for an evidence-anchored investigation.

Key Points
Scale: The SSA OIG estimates that fraud represents a small fraction of total improper payments: from FY 2015 through FY 2022, SSA made nearly $72 billion in improper payments, most of which were overpayments, but the agency itself notes most detected improper payments do not involve evidence of intent to commit fraud.
Public Data: The federal government publishes multiple free, authoritative databases purpose-built for fraud detection: the HHS OIG List of Excluded Individuals and Entities (LEIE), the CMS National Provider Identifier (NPI) Registry, CMS Medicare billing data by provider, and the SSA OIG fraud reporting portal.
OSINT Tools: Open source intelligence tools automate cross-referencing of publicly available data. SpiderFoot queries over 100 public sources from a single target input. Maltego visualizes connections between people, entities, addresses, and digital accounts. Both are free to start and widely used by law enforcement, journalists, and oversight investigators.
Distinction: Fraud and improper payments are not the same thing. The GAO and SSA both document this distinction explicitly. Investigators anchoring claims to the confirmed fraud record, rather than the broader improper payment figure, are on firmer evidentiary ground.
Reporting: The majority of fraud allegations received by the SSA OIG come from private citizens (59.9% in FY 2024). Understanding how to file a documented, evidence-supported report is as important as knowing how to investigate.
Quick FAQs
What federal databases are publicly available for investigating disability fraud?
The HHS OIG LEIE (exclusions database), the CMS NPI Registry, Medicare billing data by provider at data.cms.gov, the SAM.gov debarment system, and the SSA OIG fraud reporting portal are all free, publicly accessible, and updated on regular schedules.
Is using OSINT tools to investigate disability fraud legal?
Collecting and analyzing publicly available information is legal. OSINT tools operate on data accessible without a warrant or special permission. How collected data is stored and used must comply with applicable privacy law. Investigators should maintain operational security to avoid alerting targets.
What is the difference between fraud and improper payments in disability programs?
The SSA and GAO draw a documented distinction: improper payments can have fraud-related causes, but most do not involve evidence of intent. Confirmed fraud is limited to cases established in court. The improper payment figure is substantially larger than the confirmed fraud figure.
Where do most fraud allegations come from in SSA programs?
According to the Congressional Research Service summary of FY 2024 SSA OIG data, the majority of allegations (59.9%) came from private citizens. SSA and state DDS employees were the next largest group at 18.4%, followed by anonymous reports at 13.9%.

The Scale Problem: What the Data Actually Shows

Any honest investigation into disability fraud starts with a number that is both large in absolute terms and routinely mischaracterized. The SSA Office of the Inspector General documented that from FY 2015 through FY 2022, SSA made nearly $72 billion in improper payments, most of which were overpayments. At the end of FY 2023, the uncollected overpayment balance stood at $23 billion.

Those figures are real and documented. What they are not is synonymous with fraud. The Government Accountability Office and the SSA itself have been consistent on this point: improper payments can have fraud-related causes, but not all are caused by fraud, and most detected improper payments do not involve evidence of intent to commit fraud. The SSA OIG’s own summary of FY 2024 data puts confirmed fraud in a narrower category: cases confirmed by a court, not including matters settled without admission of guilt, and not including nonfinancial fraud that does not involve payment by SSA.

Why the Distinction Matters

Investigators who conflate improper payments with fraud are building on a false premise. Overpayments caused by beneficiaries failing to report changes in income are a systemic process failure, not necessarily criminal conduct. Anchoring investigative claims to the confirmed fraud record, rather than the broader improper payment figure, is the difference between a defensible finding and a retractable one.

In FY 2024, the SSA OIG received 332,927 reported fraud allegations. Approximately half involved false personation (26.7%) or Social Security number misuse (23.9%). Disability Insurance program allegations accounted for 15.9% of the total. Not every allegation leads to an investigation, and not every investigation leads to a prosecution. The funnel is steep, by design.

332,927 Total SSA fraud allegations reported in FY 2024 — Congressional Research Service, March 2025
$23B Uncollected SSA overpayment balance at end of FY 2023 — SSA OIG, August 2024
59.9% FY 2024 fraud allegations originating from private citizens — Congressional Research Service, March 2025

The Federal Database Stack: Free and Authoritative

Before reaching for any investigative software, investigators should understand the public database infrastructure that already exists. These are not obscure data sources. They are federal systems built to support exactly this kind of scrutiny, and they are free to access.

HHS OIG List of Excluded Individuals and Entities (LEIE)

The LEIE is the authoritative federal database of individuals and entities excluded from participation in Medicare, Medicaid, and all other federal health care programs. The HHS Office of Inspector General maintains it under sections 1128 and 1156 of the Social Security Act. Anyone who hires an individual or entity on the LEIE may be subject to civil monetary penalties.

Database
LEIE — oig.hhs.gov/exclusions

The online searchable database allows name-based searches with SSN or EIN verification. The downloadable database, updated monthly, contains the complete active exclusions list in a format that opens in spreadsheet or database software. The downloadable version is suitable for bulk cross-referencing against provider rosters. The LEIE does not include reinstatements: once an individual is reinstated, they are removed from the list.

For investigators, the LEIE is most useful as a cross-reference tool. A provider appearing in a suspicious billing pattern who also carries an active exclusion is a documented red flag with a paper trail. The LEIE also distinguishes between mandatory exclusion (conviction-based) and permissive exclusion, which provides context for how the exclusion was generated.

CMS National Provider Identifier (NPI) Registry

Every covered health care provider in the United States is required under HIPAA to obtain a National Provider Identifier, a unique 10-digit number that functions as the standard identifier across Medicare, Medicaid, and commercial insurance transactions. CMS maintains the National Plan and Provider Enumeration System (NPPES), which is publicly searchable and downloadable.

Database
NPPES NPI Registry — npiregistry.cms.hhs.gov

Searchable by provider name, organization name, NPI number, taxonomy code, city, state, or ZIP. The full database is available for weekly download as a CSV file (as of June 2024, the raw file exceeds 9 gigabytes when extracted). The NPI is a cross-reference anchor: it appears in the LEIE for post-2008 exclusions, in CMS billing data, and in the DocGraph referral pattern dataset, making it a common denominator across multiple investigative data sources.

The NPI system carries a documented vulnerability worth noting. Because NPI numbers are publicly available and widely required for billing, they are a target for identity theft. CMS documented that thousands of NPI numbers are stolen annually and used for fraudulent Medicare and Medicaid billing. NPI theft means that a suspicious billing pattern associated with a specific NPI does not automatically mean the named provider committed fraud. The distinction between theft victim and perpetrator matters before any allegation is made.

CMS Medicare Billing Data by Provider

The Centers for Medicare and Medicaid Services publishes annual provider-level billing data at data.cms.gov. The Medicare Physician and Other Practitioners dataset shows, for each provider, the number of services billed, the number of distinct beneficiaries served, total charges submitted, and total payments received, aggregated by procedure code and place of service.

Database
CMS Provider Billing Data — data.cms.gov

This is the dataset underlying the open-source Medicare fraud detection models that have been built by researchers and independent journalists. Cross-referencing a provider’s billing patterns against peers in the same specialty and geography is the foundation of anomaly detection in Medicare fraud investigation. The dataset uses the NPI as its primary key, enabling joins with LEIE exclusion data and NPPES registration records.
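The NPI join described above, as an added example (not code from the article or from any agency): it validates each roster NPI's check digit, joins on NPI, and falls back to name plus state only as a weaker tier for exclusion records that carry no NPI. The sample rows are constructed, and the LEIE column names, the all-zero NPI placeholder, and the exclusion-type code format are assumptions to confirm against the downloaded file.

```python
import csv
import io
import re

# Constructed sample rows. The LEIE column names and the all-zero NPI
# placeholder are assumptions about the download layout; verify them
# against the file you actually pull from oig.hhs.gov/exclusions.
LEIE_CSV = """LASTNAME,FIRSTNAME,BUSNAME,NPI,STATE,EXCLTYPE,EXCLDATE
DOE,JANE,,1234567893,MI,1128a1,20190520
ROE,RICHARD,,0000000000,OH,1128b4,20030311
,,EXAMPLE HOME CARE LLC,0000000000,MI,1128b7,20060102
"""

# Constructed provider roster (hypothetical column names).
ROSTER_CSV = """npi,last,first,state
1234567893,Doe,Jane,MI
1987654328,Roe,Richard,OH
1555555550,Smith,Alex,MI
1987654321,Doe,John,MI
"""

NO_NPI = "0000000000"  # assumed placeholder on records without an NPI


def npi_is_valid(npi):
    """Luhn check digit over the NPI prefixed with 80840."""
    if len(npi) != 10 or not npi.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed("80840" + npi)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def exclusion_basis(excl_type):
    """Section 1128(a) exclusions are mandatory; 1128(b) are permissive."""
    m = re.match(r"1128([ab])\d", excl_type.strip())
    if not m:
        return "other"
    return "mandatory" if m.group(1) == "a" else "permissive"


def _name(last, first):
    return (last.strip().upper(), first.strip().upper())


def screen(roster_text, leie_text):
    """Return one result per roster row, tiered by strength of the match."""
    leie = list(csv.DictReader(io.StringIO(leie_text)))
    by_npi = {r["NPI"]: r for r in leie if r["NPI"] != NO_NPI}
    by_name = {}
    for r in leie:  # records without an NPI can only be matched weakly
        if r["NPI"] == NO_NPI and r["LASTNAME"]:
            key = _name(r["LASTNAME"], r["FIRSTNAME"]) + (r["STATE"],)
            by_name.setdefault(key, []).append(r)

    results = []
    for p in csv.DictReader(io.StringIO(roster_text)):
        npi = p["npi"].strip()
        name = _name(p["last"], p["first"])
        name_state = name + (p["state"].strip().upper(),)
        row = {"npi": npi, "tier": "no LEIE record found", "basis": None}
        if not npi_is_valid(npi):
            # A bad check digit is a data-quality problem, not a finding.
            row["tier"] = "invalid NPI: fix roster data before matching"
        elif npi in by_npi:
            hit = by_npi[npi]
            same = _name(hit["LASTNAME"], hit["FIRSTNAME"]) == name
            row["tier"] = ("NPI and name match" if same
                           else "NPI match, name differs: requires verification")
            row["basis"] = exclusion_basis(hit["EXCLTYPE"])
        elif name_state in by_name:
            hit = by_name[name_state][0]
            row["tier"] = "name and state only: requires verification"
            row["basis"] = exclusion_basis(hit["EXCLTYPE"])
        results.append(row)
    return results


if __name__ == "__main__":
    for row in screen(ROSTER_CSV, LEIE_CSV):
        print(row)
```

A name-and-state hit is only a candidate: it needs the additional identifiers the LEIE search supports before it is treated as the same person.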

SAM.gov: The Federal Debarment System

The System for Award Management, administered by the General Services Administration, contains debarment actions taken by federal agencies, including exclusion actions taken by the HHS OIG. SAM covers a broader range of federal programs than the LEIE, which is limited to HHS OIG actions. Investigators working on government contract fraud or federal grant fraud should check both systems, as a provider or contractor could appear in SAM without appearing in LEIE, or vice versa.

SSA OIG Fraud Reporting and Investigation Portal

The SSA OIG maintains a public-facing fraud reporting form and hotline, and publishes quarterly scam update reports documenting complaint volume, fraud typology, and demographic impact data. These reports are documented primary sources for journalists and oversight advocates tracking SSA fraud trends. The SSA also operates the Cooperative Disability Investigations (CDI) program, a joint effort with state Disability Determination Services agencies and state and local law enforcement to review questionable disability claims.

Open Source Intelligence Tools: What They Do and How They Fit

The federal databases described above are rich in structured data, but fraud rarely exists within a single database. The value of OSINT tools is their ability to connect structured public records to the broader digital footprint of an individual or entity, surface relationships across data sources that would take weeks to cross-reference manually, and present those connections in a format investigators can reason about and document.

OSINT Defined

Open source intelligence is not simply raw public data collection. The discipline draws a sharp distinction between open source data (publicly available information) and open source intelligence (the meaningful analysis extracted from that data). OSINT is targeted, not exhaustive. Effective investigative use starts with a clear hypothesis, not a mass data sweep.

SpiderFoot

SpiderFoot is a free, open-source reconnaissance platform that automates data collection from over 100 public sources based on a single target input: a domain, email address, phone number, IP address, name, or username. It queries sources including WHOIS records, DNS data, breach databases, social media platforms, and public records, then compiles the results into a structured report that highlights connections between discovered entities.

Tool
SpiderFoot — github.com/smicallef/spiderfoot

SpiderFoot is pre-installed on Kali Linux and the Trace Labs investigative virtual machine. It requires no login or subscription for core functionality, which supports operational security. The tool offers several investigation modes, including “Passive” (no direct contact with the target) and “Investigate” (broader active queries). False negatives are documented: SpiderFoot’s coverage of any single data source is not guaranteed to be exhaustive, and cross-referencing results against other tools is standard practice.

For disability fraud investigation, SpiderFoot is most useful in the profile-building phase: starting with a provider’s name or NPI, mapping associated email addresses, domains, phone numbers, and social accounts, and identifying whether that digital footprint is consistent with the stated business operations. A billing address associated with a provider who has no verifiable physical presence at that address, and a social media footprint suggesting operations in a different city or state, is a pattern worth documenting and escalating.

Maltego

Maltego is an established OSINT and link analysis platform built around visual graph representations of relationships between entities. It is used by law enforcement agencies, intelligence analysts, and investigative journalists (the Bellingcat open-source investigations team is a documented Maltego user) to map connections between people, email addresses, domains, phone numbers, social media accounts, and business entities.

Tool
Maltego — maltego.com

The Community Edition is free with a limited number of transforms (queries to data sources). Professional versions start at $999 per year. Maltego’s “transforms” are the engine of its investigation capability: starting with one entity (an email, a name, a domain), transforms query connected data sources and surface relationships. For fraud investigation, the OpenCorporates and WhoisXML integrations support analysis of business registration records and domain ownership history. Maltego maintains chain-of-custody documentation features designed for evidentiary use.

In Medicare and Medicaid fraud contexts, Maltego’s link analysis is particularly relevant for schemes involving shell companies, multiple billing entities sharing a phone number or bank account, and referral networks. A provider billed under one NPI who shares an address with three other entities, all registered to the same phone number, is the kind of structural relationship Maltego surfaces in minutes that manual cross-referencing would take days to document.

The OSINT Framework

The OSINT Framework (osintframework.com) is not an investigation tool itself but a categorized, maintained directory of free OSINT resources organized by investigation type: people search, username lookups, public records, business registrations, geolocation, social media, and more. For investigators building a workflow, the OSINT Framework is a structured map of available free data sources rather than a platform that automates collection.

Recon-ng

Recon-ng is a free, open-source web reconnaissance framework with a modular architecture similar to Metasploit. It allows investigators to build custom collection workflows by combining modules that query specific data sources. Recon-ng supports integration with external APIs, enabling targeted queries to public records databases, breach data repositories, and domain registration systems. Its command-line interface requires more technical familiarity than SpiderFoot’s web-based dashboard, making it better suited to investigators with some scripting background.

Social Media Monitoring and Platform-Level Investigation

Social media platforms are documented open sources. The SSA OIG confirms in its quarterly scam reports that the agency monitors social media platforms for fraudulent accounts and has obtained the removal of such accounts. For investigators, the relevant question is not whether monitoring public social media is appropriate (it is) but how to document it in a way that holds evidentiary weight.

Practice Standard
Screenshot with Metadata, Not Just Screenshots

Screenshots alone are insufficient for evidentiary documentation. Investigators should use tools like Hunchly (a paid browser extension designed for investigators) or the free archive tool at archive.org/save to create timestamped, preserved copies of publicly available social media posts, business listings, and profiles. Preservation matters because targets can delete content. A screenshot without a URL and timestamp is difficult to authenticate.
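One way to record preserved captures so they can be authenticated later, as an added example that is not part of the original article or of Hunchly or archive.org: each entry stores the source URL, archive URL, UTC capture time, and a SHA-256 of the saved bytes, and links to the previous entry's hash so later edits are detectable. The URLs, field names, and sample content are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash value for the first entry in a log


def _digest(entry):
    """Hash every field of an entry except its own entry_hash."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def add_capture(log, source_url, archive_url, content, captured_at, note):
    """Append a capture record that is chained to the previous record."""
    entry = {
        "source_url": source_url,
        "archive_url": archive_url,
        "captured_at": captured_at.astimezone(timezone.utc).isoformat(),
        "sha256": hashlib.sha256(content).hexdigest(),
        "note": note,
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = _digest(entry)
    log.append(entry)
    return entry


def verify(log, contents):
    """Return a list of (index, problem); an empty list means consistent."""
    problems = []
    prev = GENESIS
    for i, (entry, content) in enumerate(zip(log, contents)):
        if entry["prev_hash"] != prev:
            problems.append((i, "chain broken"))
        if _digest(entry) != entry["entry_hash"]:
            problems.append((i, "entry altered"))
        if hashlib.sha256(content).hexdigest() != entry["sha256"]:
            problems.append((i, "capture does not match recorded hash"))
        prev = entry["entry_hash"]
    return problems


def build_sample_log():
    """Two constructed captures standing in for saved page bytes."""
    contents = [b"<html>constructed business listing</html>",
                b"<html>constructed public profile</html>"]
    log = []
    add_capture(log, "https://example.org/listing",
                "https://web.archive.org/web/20260115143000/https://example.org/listing",
                contents[0], datetime(2026, 1, 15, 14, 30, tzinfo=timezone.utc),
                "business listing, address field")
    add_capture(log, "https://example.org/profile",
                "https://web.archive.org/web/20260115144500/https://example.org/profile",
                contents[1], datetime(2026, 1, 15, 14, 45, tzinfo=timezone.utc),
                "public profile, location field")
    return log, contents


if __name__ == "__main__":
    log, contents = build_sample_log()
    print(json.dumps(log, indent=2))
    print("problems:", verify(log, contents))
```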

A Field Example: When the Record Doesn’t Match the Reality

Last year, I worked on a disability fraud investigation involving an individual whose reported limitations did not appear to align with observed activity. The case started the way many do: not with a database hit, but with a pattern that didn’t hold.

Initial information suggested the individual was receiving disability benefits tied to physical limitations that would restrict sustained labor. At the same time, multiple independent observations placed that same individual on active demolition sites performing physically demanding work.

When Investigations Go Wrong — And How to Keep Them Grounded in Reality

Not every investigation that looks strong on the surface holds up under scrutiny. In fact, a significant number of fraud allegations collapse because the underlying analysis overreaches the available evidence. The gap between suspicion and proof is where most investigative failures occur.

Failure Pattern

False accusations often begin with a real anomaly that is misinterpreted as intentional fraud. A billing outlier, a social media post, or a database inconsistency becomes a conclusion instead of a question.

Where Investigations Break Down

Breakdown 01
Anomaly Becomes Assumption

Outliers in billing data or behavior are treated as evidence of fraud rather than signals requiring further validation. High volume billing, for example, may reflect specialization, group billing structures, or data aggregation artifacts.

Breakdown 02
Context Collapse

Investigators rely on isolated data points without understanding the underlying system. Disability cases, in particular, involve conditions that are episodic, variable, or invisible. A single social media post cannot override a documented medical record.

Breakdown 03
Identity Confusion and Data Contamination

Shared names, stolen NPIs, reused addresses, and outdated records can produce false matches. Without rigorous identity verification, investigators risk attributing activity to the wrong individual or entity.

Breakdown 04
Conclusion Without Authority

OSINT tools surface patterns, not proof. Declaring fraud without access to subpoena-level records or agency findings exceeds the evidentiary limits of open-source investigation.

How to Keep an Investigation Accurate and Defensible

Accuracy Standard 01
Separate Signal from Conclusion

Document anomalies as signals, not findings. Use language that reflects uncertainty: “inconsistent with peer baseline,” “requires verification,” or “pattern suggests further review.”

Accuracy Standard 02
Cross-Verify Across Independent Sources

No single database or tool is authoritative on its own. A defensible investigation requires corroboration across multiple independent systems: LEIE, NPI, CMS billing data, business registries, and archived web content.

Accuracy Standard 03
Confirm Identity Before Attribution

Match on more than a name. Use multiple identifiers such as NPI, address history, licensing data, and organizational ties to confirm that records refer to the same entity.

Accuracy Standard 04
Preserve Evidence with Metadata

Every claim should be backed by a preserved source: archived URL, timestamp, and database reference. If it cannot be reproduced, it cannot be defended.

Accuracy Standard 05
Stay Inside the Evidence Boundary

The role of an investigator without subpoena power is to document patterns and refer them. The role of determining fraud belongs to agencies and courts. Staying inside that boundary protects both the investigation and the investigator.

Bottom Line

The strongest investigations are not the ones that make the boldest claims. They are the ones that hold up when challenged. Precision, restraint, and documentation are what separate a credible investigation from a retractable one.

Observed Pattern
Inconsistent Functional Capacity

Demolition work is not ambiguous. It involves lifting, repetitive motion, balance, and sustained exertion. The observed activity, if accurately attributed, appeared inconsistent with the reported limitations forming the basis of the disability claim.

That tension between reported condition and observed behavior created a legitimate investigative question. It did not create a conclusion.

How the Investigation Was Handled

The investigation focused on documentation, not accusation. Every step was structured to answer a single question: Does the available evidence support a referral for further review?

Step 01
Identity Confirmation

Before any analysis, the identity of the individual was verified across multiple data points to ensure that observed activity was correctly attributed and not the result of name duplication or mistaken identity.

Step 02
Pattern Documentation

Observed activity was documented over time rather than relying on a single instance. The goal was to establish whether the activity represented a sustained pattern or an isolated event.

Step 03
Context Consideration

Disability conditions can be episodic or variable. The investigation avoided assuming that observed capability at one point in time invalidated the underlying medical condition.

Step 04
Evidence Preservation

All publicly available observations were preserved with timestamps and source references. No reliance was placed on memory, screenshots without context, or undocumented claims.

What This Case Shows

Even when a pattern appears obvious, the job of an investigator is not to prove fraud. It is to document inconsistencies clearly enough that an agency with legal authority can evaluate them against medical records, earnings data, and program rules.

Cases like this sit exactly at the edge of where investigations can go wrong. Without discipline, they turn into assumptions. With discipline, they become structured, defensible referrals.

The Cooperative Disability Investigations Program

The CDI program is the federal government’s primary structured mechanism for investigating questionable disability claims before benefits are paid. It is a documented joint effort involving the SSA OIG, state Disability Determination Services agencies, and state and local law enforcement. In fiscal year 2020, the CDI program contributed approximately $267.8 million in estimated savings to SSA’s disability programs, according to documented program data.

For outside investigators, the CDI program is relevant primarily as a referral destination. CDI units are distributed across states. When an investigator develops documented evidence of a potentially fraudulent disability claim, referring that evidence to the relevant state CDI unit, alongside an SSA OIG hotline report, creates a formal evidentiary record.

Medicare and Medicaid: The Provider-Side Fraud Architecture

On the healthcare program side, the fraud architecture is primarily provider-facing rather than beneficiary-facing. Documented schemes include billing for services not rendered (phantom billing), upcoding (billing for a higher level of service than provided), unbundling procedures to maximize reimbursement, and kickback schemes involving referral payments. The federal False Claims Act is the primary civil enforcement mechanism: in 2020 alone, $2.2 billion was recovered under the False Claims Act, with $1.8 billion from the healthcare industry, according to a peer-reviewed data analysis published in a 2022 PMC study on healthcare fraud detection methods.

Finding 01
The Anomaly Detection Baseline

Because CMS publishes annual Medicare billing data by provider and procedure code, researchers and investigators can build comparative billing baselines. A provider billing Medicare for a volume of services that is statistically implausible for a single practitioner in a given specialty is an anomaly that warrants scrutiny. The OpenMedicare.us project, which has analyzed over 1.72 million providers using publicly available CMS billing data cross-referenced with the LEIE fraud record, represents one example of what open data investigation of Medicare billing patterns can produce.
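A peer-baseline comparison of the kind described above, as an added example rather than code from CMS, OpenMedicare.us, or the article: it groups providers by specialty and state and scores each against the group median using the median absolute deviation, which a single extreme biller cannot distort. The rows, provider labels, the 3.5 cutoff, and the five-peer minimum are assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed rows: (provider label, specialty, state, total services billed).
# Real CMS rows are split by procedure code and would be summed per NPI first.
ROWS = [
    ("P01", "Internal Medicine", "MI", 2100),
    ("P02", "Internal Medicine", "MI", 2400),
    ("P03", "Internal Medicine", "MI", 1900),
    ("P04", "Internal Medicine", "MI", 2250),
    ("P05", "Internal Medicine", "MI", 2600),
    ("P06", "Internal Medicine", "MI", 2300),
    ("P07", "Internal Medicine", "MI", 9800),
    ("P08", "Podiatry", "MI", 800),
    ("P09", "Podiatry", "MI", 4000),
    ("P10", "Podiatry", "MI", 950),
]

MIN_PEERS = 5      # assumed minimum group size for a usable baseline
THRESHOLD = 3.5    # assumed cutoff for the modified z-score


def peer_signals(rows, min_peers=MIN_PEERS, threshold=THRESHOLD):
    """Map provider label -> (signal wording, modified z-score or None)."""
    groups = defaultdict(list)
    for provider, specialty, state, services in rows:
        groups[(specialty, state)].append((provider, services))

    out = {}
    for peers in groups.values():
        values = [v for _, v in peers]
        if len(values) < min_peers:
            # Too few peers: any outlier here says nothing reliable.
            for provider, _ in peers:
                out[provider] = ("insufficient peers for a baseline", None)
            continue
        med = median(values)
        mad = median(abs(v - med) for v in values)
        for provider, v in peers:
            if mad == 0:
                out[provider] = ("no spread in peer group", None)
                continue
            # Modified z-score: 0.6745 scales MAD to a standard deviation
            # under a normal distribution.
            score = 0.6745 * (v - med) / mad
            if score > threshold:
                label = "inconsistent with peer baseline: requires verification"
            else:
                label = "within peer baseline"
            out[provider] = (label, round(score, 2))
    return out


if __name__ == "__main__":
    for provider, result in sorted(peer_signals(ROWS).items()):
        print(provider, result)
```

The output wording is a signal for follow-up: group billing under one NPI or a narrow specialty can produce the same score as improper billing.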

CMS operates the Fraud Detection Operation Center (FDOC), which uses the Fraud Prevention System developed and operated by contractor Peraton. This system applies machine learning to flag suspicious billing patterns before payment is made. As of 2025, CMS reported the system has saved the federal government $13 billion over the preceding decade. The FDOC is not a public-facing tool, but its existence documents that AI-assisted billing anomaly detection is operationally deployed at the federal level.

Operational Security: Investigating Without Contaminating

OSINT investigations carry a documented risk that is distinct from legal questions: alerting targets. Most online platforms log access, and depending on the system, a target may receive notifications or see IP addresses in analytics when a profile is viewed. Standard investigative practice calls for maintaining operational security throughout the collection phase.

OpSec Standard 01
Passive Before Active

Start with passive collection modes (archive.org, cached pages, downloadable databases) before making any direct queries that could generate a notification or access log entry at the target. SpiderFoot’s “Passive” mode is designed for exactly this. Maltego’s anonymized investigation features support chain-of-custody documentation without exposing the investigator’s IP.

OpSec Standard 02
Separate Investigation Infrastructure

Investigators should run OSINT tools through virtual machines or isolated environments, not on primary work devices. SpiderFoot’s documentation explicitly notes the recommendation to use a virtual environment such as Google Cloud Shell to prevent malware exposure and to preserve personal operational security. Cross-reference results using multiple tools, because false negatives in any single tool are documented.

The Reporting Infrastructure: Where Evidence Goes

Investigation without a documented reporting path is incomplete. The federal reporting infrastructure for disability and healthcare fraud includes distinct channels depending on the program involved.

For Social Security disability fraud, the SSA OIG fraud reporting form is at oig.ssa.gov. The hotline is (800) 269-0271. Reports can be anonymous. The SSA OIG also accepts reports that document patterns rather than individual incidents: a report documenting that a specific medical practice has multiple patients whose billing profiles share structural anomalies is more actionable than an anecdotal single allegation.

For Medicare and Medicaid fraud, the HHS OIG hotline is (800) HHS-TIPS (800-447-8477). Online reporting is at oig.hhs.gov. The National Health Care Anti-Fraud Association (NHCAA) provides investigative resources for insurance-related healthcare fraud. Each state also maintains a Medicaid Fraud Control Unit: these are the front-line prosecutorial agencies for provider-side Medicaid fraud, and they are chronically understaffed relative to caseload.

Structural Gap

The GAO has documented that Medicaid fraud detection is fragmented by design: claims data is distributed across states in multiple disparate systems and is not readily accessible to CMS on a consolidated basis. States have limited methods of identifying fraud by providers who move from state to state. This architecture means a provider excluded in one state can, without proper cross-referencing, continue billing in another. The LEIE is the primary safeguard against this pattern, but its effectiveness depends on covered entities checking it before enrollment.

What the Tools Cannot Do

OSINT tools are pattern-surfacing and hypothesis-generating instruments. They are not prosecutorial tools, and the distance between a documented pattern and a confirmed fraud finding is significant and legally important. Several constraints apply regardless of what an investigation surfaces.

An anomalous billing pattern is not evidence of fraud. It is a basis for a referral to an agency with subpoena authority. Medical records, claims data at the line level, and banking records require legal process to access. Investigators without that authority are limited to what is publicly available, and that limitation should be explicit in any documented finding.

Social media posts documenting physical activity by a disability claimant are potentially relevant to an SSA fraud investigation, but their evidentiary weight is contested. Context matters: a claimant whose disability is documented as episodic, or whose condition has variable symptom presentation, may engage in activities that appear inconsistent to a casual observer but are not inconsistent with the documented medical record. Investigators who overstate the evidentiary significance of social media activity risk producing findings that agencies cannot act on.

Evidence Standard

The standard for a referral to law enforcement is documented suspicion based on publicly verifiable information, not a conclusion of fraud. The standard for a published investigative finding is a documented paper trail connecting specific, verifiable facts to a pattern that, in the investigator’s documented assessment, is consistent with known fraud typologies. Neither standard is met by OSINT alone.

How to Cite This Article
Bluebook (Legal)

Rita Williams, How to Investigate Medical and Government Disability Fraud: Open Source Tools That Actually Work, Clutch Justice (Apr. 10, 2026), https://clutchjustice.com/2026/04/10/investigating-disability-fraud-open-source-tools/.

APA 7

Williams, R. (2026, April 10). How to investigate medical and government disability fraud: Open source tools that actually work. Clutch Justice. https://clutchjustice.com/2026/04/10/investigating-disability-fraud-open-source-tools/

MLA 9

Williams, Rita. “How to Investigate Medical and Government Disability Fraud: Open Source Tools That Actually Work.” Clutch Justice, 10 Apr. 2026, clutchjustice.com/2026/04/10/investigating-disability-fraud-open-source-tools/.

Chicago

Williams, Rita. “How to Investigate Medical and Government Disability Fraud: Open Source Tools That Actually Work.” Clutch Justice, April 10, 2026. https://clutchjustice.com/2026/04/10/investigating-disability-fraud-open-source-tools/.
