Been there, done that. It was the early 90’s. I inherited a Medicare billing system. Sites were in four states. When you’re sloshing around in the innards, you sees a lot. Including, during testing (“What the heck does THIS chunk do???”) Medicare fraud. Telling the client is profoundly stupid. They are the perps, after all. So I collected data. Procedures performed, procedures billed. When I had many pages illustrating the creative mis-match, I anonomouly sent hard copy to the equivalent of Medicare’s Fraud Division. First response took six months. Client A got audited, audited, and audited some more, then fined. Action on the second site took over a year to commence. Client B got fined and shut down. So that was cool.