GAO: Obamacare Enrollment Fraud Vulnerabilities PersistWatchdog Agency Says Problems Date Back Three Years
An undercover test by a federal watchdog agency found that previously identified process-related weaknesses persist that could potentially allow individuals to fraudulently enroll in subsidized health insurance programs via federal and state online insurance exchanges under the Affordable Care Act.
Findings in the newly released Government Accountability Office report about the undercover test conducted by the watchdog agency during the 2016 open-enrollment period for ACA - also commonly called Obamacare - are similar to GAO's earlier findings in similar tests conducted in 2014 and 2015 (see More GAO Tests Show Obamacare Enrollment Woes).
Meanwhile, an official from another watchdog agency - the Department of Health and Human Services' Office of Inspector General - told Congress about various security concerns, including patch management vulnerabilities, regarding Obamacare federally facilitated and state insurance marketplaces.
HHS' Centers for Medicare and Medicaid, which administers Obamacare programs, says it's addressing the GAO and OIG concerns while it awaits further recommendations to address the enrollment issues.
Undercover Test Details
The latest GAO testing for the 2016 coverage year found that the online healthcare marketplaces' eligibility determination and enrollment processes remain vulnerable to fraud.
In the test, GAO submitted 15 fictitious applications for subsidized coverage through the federally facilitated online marketplaces in Virginia and West Virginia and through the state-operated online marketplace in California. GAO's fictitious applications tested verifications related to two key requirements:
- Applicants making required income-tax filings;
- Applicants' identity or citizenship/immigration status.
GAO says the insurance marketplaces initially approved coverage and subsidies for all of GAO's 15 fictitious applicants.
At a Sept. 14 House Energy and Commerce Committee hearing about the Affordable Care Act, Seto Bagdoyan, director of the GAO's forensic audits and investigative service, said the fraudulent enrollees were approved for a total of about $60,000 in ACA subsidies.
While subsidies under ACA are generally not paid directly to enrollees, participants nevertheless benefit financially through reduced monthly premiums or lower costs, such as copayments, due at time of service, GAO notes in the report.
The estimated total cost of subsidies and related spending under the ACA is $56 billion for fiscal year 2017, and $866 billion for fiscal years 2017-2026, Bagdoyan noted in his written testimony for the hearing.
GAO notes in its comments about its undercover test: "The results, while illustrative, cannot be generalized to the full population of enrollees."
Some security experts, however, say it's alarming that GAO's fraudulent applicants obtained initial approval for enrollment.
"Based on the GAO's results, it appears this could be a significant problem," says Mac McMillan, CEO of security consulting firm CynergisTek. "If you focus on the percentage of success, not the number of cases, since the number of cases is statistically insignificant, you come away with the impression that it is extremely easy to defraud the system."
GAO Test Findings
GAO says that although all 15 fictitious applicants were initially approved by the marketplace, three were unable to put their health coverage policies in force because their initial payments were not successfully processed. GAO then focused its testing on the remaining 12 applications.
GAO says it then used the same fake identities for four of those applicants that had obtained coverage in its 2014 undercover testing. Although none of those fictitious applicants filed a 2014 tax return, all four were also approved for 2016 subsidies.
The report notes that marketplace officials told GAO that they allowed applicants to "attest" to filing taxes if information from the IRS indicated that the applicant did not file tax returns. GAO notes that marketplace officials said one reason they allow attestations is a "time lag" between when tax returns are filed and when they are reflected in IRS's systems for verification in marketplace enrollment processes.
For eight applications, GAO used new fictitious identities to test verifications related to identity or citizenship/immigration status and, in each case, the fake applicants successfully obtained subsidized coverage.
When the insurance marketplaces directed 11 of the 12 fake applicants to provide supporting documents, GAO says it submitted fictitious documents with mixed results. For instance, for five applications, GAO provided all documentation requested and the applicants were able to retain coverage. Meanwhile, for three fictitious applications, GAO did not provide any of the requested documents, and the marketplace terminated coverage for one applicant, but it did not terminate coverage for the other two.
Similar findings in GAO's 2014 and 2015 undercover tests prompted the watchdog agency to make eight recommendations to the Department of Health and Human Services' Centers for Medicare and Medicaid Services in February 2016 to address the various weaknesses. CMS administers programs under ACA, including the federally facilitated HealthCare.gov, which operates marketplaces for 34 states.
Among the GAO's recommendations was that CMS identify and implement procedures to resolve Social Security number inconsistencies where the marketplace is unable to verify Social Security numbers or applicants do not provide them.
GAO also recommended CMS conduct a fraud risk assessment "consistent with best practices provided in GAO's framework for managing fraud risks in federal programs, of the potential for fraud in the process of applying for qualified health plans through the federal marketplace."
The report notes that CMS concurred with GAO's recommendations and is in the process of implementing them.
During the Sept. 14 Congressional hearing, an official from another watchdog agency also testified about concerns, including security issues, regarding the federally facilitated and state insurance marketplaces under ACA.
"Because the state marketplaces handle consumers' personally identifiable information, OIG identified the security of the marketplaces' data and systems as a critical oversight area, said Gloria Jarmon, deputy director of general audit services of HHS Office of Inspector General, in her written testimony.
CMS requires that marketplaces follow federal IT security standards and additional requirements, including standards related to monitoring, periodically assessing, and updating security controls; and developing and using secure electronic interfaces, she noted.
To date, HHS OIG has completed reviews of data and systems security in five states and is close to completing reviews of two others, she said.
"All states for which we have completed reviews implemented some security controls to protect PII; however, vulnerabilities existed in those states, and each had at least one vulnerability that, if exploited, could have exposed PII and other sensitive information," she testified.
For example, OIG found that multiple states had weaknesses in patch and vulnerability management and failed to conduct required periodic penetration testing.
"States generally agreed with our recommendations to improve security and in many instances reported that they took immediate action to correct vulnerabilities identified by OIG," Jarmon said.
In a statement to Information Security Media Group about the watchdog agencies' findings, a CMS spokesman says, "The [ACA] marketplace takes seriously the responsibility to protect taxpayer funds, while making coverage available to eligible people. We have a robust verification process to make sure people get benefits they are eligible for while protecting taxpayer dollars.
"Within HealthCare.gov we have multiple checks to verify that applicants provide correct eligibility information on their applications, and GAO [in the undercover testing] deliberately circumvented those checks by giving false information, which is against the law for actual applicants."
The spokesman said CMS is still awaiting more specific recommendations from GAO based on the results of the fraudulent applications testing. "Specific and actionable information will enable us to analyze and understand what occurred and whether we can make improvements to our processes or procedures."
In the meantime, CMS has implemented 109 OIG recommendations and has submitted another 124 for review. CMS is currently responding to more than 180 OIG and GAO audits across CMS programs.
Among GAO fraud prevention recommendations being implemented at CMS is application of a "marketplace fraud risk assessment" to areas of eligibility and enrollment to identify and prioritize key areas for potential risk in the marketplace, CMS says. In addition, CMS says it's working closely with healthcare issuers through its Healthcare Fraud Prevention Partnership to identify trends, schemes and specific bad actors. That includes CMS expanding use of proactive data analytics.
Multiagency Fix Needed?
Overall, when it comes to addressing weaknesses that GAO identified in the enrollment process, consultant McMillan says those will likely require a multiagency approach to fix.
"Some of the recommendations suggested affect other agencies and programs, such as Social Security, for example," he says. "So solving them will require more than what CMS can muster internally. When the goal shifts from enrollment to accuracy in coverage, things will change - maybe."