Fraud Management & Cybercrime

GAO Test Finds Enrollment Flaws

11 Out of 12 Fake Applicants Enrolled, Got Subsidies
GAO Test Finds Enrollment Flaws

A government watchdog agency expects to make recommendations this fall for how application and enrollment controls on can be improved after a recent "undercover" test determined it was easy for 11 fictitious applicants to fraudulently enroll in subsidized Obamacare coverage.

See Also: User Entity & Behavior Analytics 101: Strategies to Detect Unusual Security Behaviors

At a July 16 Senate Committee on Finance hearing, Seto Bagdoyan, director of the Government Accountability Office's forensic audits and investigative service, testified that a review of application and enrollment controls of for 2014 and 2015 found weaknesses that allowed 11 of 12 fake GAO applicants to enroll for subsidized healthcare coverage, despite failing to submit required verification documents.

Those fake GAO applicants, who applied by phone and online on the website, obtained a total of about $30,000 in annual advance premium tax credits Bagdoyan testified. GAO also issued a report on July 15 about the findings of its investigation.

"I think there are significant concerns here. Fraud is a huge issue in our industry that robs billions from productive purposes," says Mac McMillan, CEO of the security consulting firm CynergisTek. "The government is supposed to be rooting out and eliminating opportunities to commit fraud, not providing avenues to increase it. If these results are accurate, and literally it is this easy for 90-plus percent of those attempting to commit fraud, then it is definitely significant."

Huge Gaps?

The GAO investigation, which was requested by the Senate committee, "was designed to determine the degree to which the administration's federal health insurance exchange can protect against fraudulent applications, what happens when applicants provide false information and documentation and whether the controls are successful in dealing with irregularities once they are found," said committee chair Orrin Hatch, R-Utah. The GAO's investigation exposes "huge gaps" in federal exchange program integrity, Hatch contended.

The GAO review, however, isn't absolute proof that fraudsters are taking advantage of, some lawmakers responded. "The study looks at a dozen fictitious cases, and not one of them was a real person who filed taxes or got medical services. No fast-buck fraudster got a government check sent to their bank account," said Sen. Ron Wyden, D-Ore., ranking member of the committee.

While GAO cannot make generalizations about "real" potential fraudsters who might have enrolled so far on based on its review so far, security controls appear to be "focused on access to coverage over program integrity," Bagdoyan testified. CMS contractors, who handle document processing for the Affordable Care Act programs, also have not reported any cases of fraud to CMS, he said. However, looking for fraud "is not in the work order" for those contractors, he added.

GAO plans to issue a final report, with recommendations, in the fall. The agency also plans to examine "forensics of the entire enrollee database," Bagdoyan testified.

GAO Findings

In its review of, GAO performed 18 undercover tests, 12 of which focused on phone or online applications, the report notes.

During these tests, the federal marketplace approved subsidized Obamacare coverage for 11 of the 12 fictitious GAO applicants for 2014.

The 11 GAO applicants obtained a total of about $30,000 in annual advance premium tax credits, plus eligibility for lower costs due at time of service.

For seven of the 11 successful fictitious applicants, GAO intentionally did not submit all required verification documentation to the federal insurance marketplace, but the marketplace did not cancel subsidized coverage for these applicants.

"While these subsidies, including those granted to GAO's fictitious applicants, are paid to healthcare insurers, and not directly to enrolled consumers, they nevertheless represent a benefit to consumers and a cost to the government," GAO says in the report.

The fictitious GAO applicants included those who provided invalid Social Security identities, noncitizens claiming to be lawfully present in the United States and applicants who did not provide Social Security numbers.

"As appropriate, in our applications for coverage and subsidies, we used publicly available information to construct our scenarios. We also used publicly available hardware, software and materials to produce counterfeit or fictitious documents, which we submitted, as appropriate for our testing, when instructed to do so."

The control testing started in January 2014 and concluded in April 2015.

"GAO's undercover testing, while illustrative, cannot be generalized to the population of all applicants or enrollees," the report says. GAO shared details of its observations with CMS, which administers the Affordable Care Act and, during the course of its testing, the report notes.

"CMS officials told us there have been no cases of fraudulent applications or documentation referred to the U.S. Department of Justice or the HHS Office of Inspector General, because its document-processing contractor has not identified any fraud cases to CMS," the report notes. But the contractor is not required to detect fraud, nor is it equipped to do so. According to the CMS officials, there has been "no indication of a meaningful level of fraud," the report says.

GAO notes that with the website, CMS decided to move away from in-person authentication in order to avoid putting a "burden on consumers." CMS also told GAO also that "in-person presentation of documentation is not possible in the current structure, as there are insufficient resources to establish a system to do so."

Although GAO has not yet made recommendations for how the application and enrollment controls for Obamacare can be improved, McMillan, the consultant, suggests CMS cake several measures. "For one thing stop processing incomplete or inaccurate applications," he says. "Secondly ... employ an independent, third-party application verification [of enrollee information]. Third, require an account audit when significant changes are made in a record and [do] periodic audits to compare change requests to existing file information."

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.