
More GAO Tests Show Obamacare Enrollment Woes

Bogus IDs Can Be Used to Sign Up for Coverage

With the Nov. 1 launch of the next open enrollment period under Obamacare looming, a government watchdog agency says its tests during open enrollment the past two years identified problems with the enrollment mechanism that could lead to fraud.


But the Government Accountability Office has yet to issue its recommendations for addressing the problems it discovered during the open enrollment periods in the fall of 2013 and 2014 (see GAO Test Finds Healthcare.Gov Enrollment Flaws). GAO says that its test results are still preliminary, and notes: "The undercover [test] results, while illustrative, cannot be generalized to the full population of enrollees."

Two Reports

The latest GAO report mirrors similar findings in an earlier report issued in July that outlined the results of tests of other federally facilitated exchanges during the open enrollment season in the fall of 2013. In that study, GAO determined it was easy for 11 of 18 fictitious applicants to fraudulently enroll in subsidized Obamacare coverage using bogus ID information.

The newest GAO report, which looked at both federally facilitated and state-run exchanges, found similar results for open enrollment tests last year, with fictitious applicants gaining enrollment in Medicaid as well as Obamacare health.

Security expert Mac McMillan, CEO of the consulting firm CynergisTek, says the GAO findings spotlight critical problems that need to be addressed.

"I'd say this is a serious indictment of the lack of management oversight and controls in this process by the federal government," he says. "The government needs better controls for identity proofing, and we need them to get them now. Fraud is already out of control in healthcare, and this is just inexcusable."

The federal HealthCare.gov health insurance exchange facilitates the electronic health insurance marketplaces for 34 states under the Affordable Care Act, also known as Obamacare.

For the study of last year's open enrollment season, the GAO tested application and enrollment controls for obtaining subsidized Obamacare healthcare insurance coverage available through the federally facilitated health insurance marketplaces in New Jersey and North Dakota and state-operated marketplaces in California and Kentucky. GAO also tested enrollment in Medicaid programs on those same exchanges.

"Our undercover testing for the 2015 coverage year found that the healthcare marketplace eligibility determination and enrollment process remains vulnerable to fraud," GAO wrote.

For its test of application and enrollment controls for subsidized Obamacare health plans on the exchanges, GAO created 10 fictitious applicants using fake identities and other bogus information. "Although eight of these 10 fictitious applications failed the initial identity-checking process, all 10 were subsequently approved by the federal marketplace or the selected state marketplaces," GAO writes in its latest report, issued on Oct. 23.

Four of the fake applications used Social Security numbers that had never been issued, such as numbers starting with "000," GAO reports. In other cases, applicants had duplicate enrollment or falsely claimed their employer did not provide insurance that meets minimum essential coverage, the agency says.

Medicaid Applications

In additional tests, GAO was able to obtain either Medicaid or alternative subsidized coverage for seven of eight fake applicants.

"In each case, GAO provided identity information that would not have matched Social Security Administration records," the latest report notes. For two applications, the marketplace directed the fictitious applicants to submit supporting documents, which GAO did - such as submitting a fake immigration card - and the applications were approved, the agency reports. For the third fake applicant, the marketplace did not seek supporting documentation, and the application was approved by phone, GAO notes.

GAO plans to issue a final report on these findings at a later date.

The Congressional Budget Office estimates the cost of subsidies and related spending under Obamacare will total about $60 billion for fiscal year 2016, the GAO notes. The Affordable Care Act requires verification of applicant information to determine enrollment or subsidy eligibility. In addition, Obamacare provided for the expansion of the Medicaid program.

HHS Response

In a statement provided to Information Security Media Group, a spokeswoman for the Department of Health and Human Services notes: "The marketplaces, whether state-based or [federally facilitated], have a multi-layer verification process for applications, including checking identity and eligibility in real-time using the Data Services Hub and trusted sources - safeguards that blocked the GAO investigators' initial attempts to enroll."

The spokeswoman also noted: "We are always working to improve our programs and focus our efforts on safeguarding taxpayer dollars where it is likely that they are at risk. We have ended the enrollments of 423,000 individuals because they failed to provide sufficient documentation to properly verify their identities, and adjusted the tax credits of 967,000 households whose income could not be properly verified."

HHS lamented the lack of recommendations from the GAO.

"When we are provided with information that we can use to improve the marketplace, we take action," the spokesperson said. "That's why we have repeatedly requested and remain disappointed to still not have received from the GAO specific details and recommendations relating to their fraudulent applications to enable us to analyze and understand what occurred and whether we can make improvements to our processes or procedures."

It's important to consider whether uninsured Americans would likely provide false information in violation of federal law, which could subject the individual to up to a $250,000 fine, the HHS spokeswoman said. "It seems unlikely that many uninsured Americans ... would choose to commit perjury in order to pay the premiums and deductibles for ... insurance policies or to pay premiums for marketplace insurance when eligible for Medicaid," she says. "In addition, the ACA's design reduces the incentive for individuals to lie on their application because financial assistance is paid directly to the issuer, so an individual cannot directly profit."

The federal government recently added new privacy features to the HealthCare.gov health insurance exchange (see Obamacare: Latest Privacy, Security Steps). Meanwhile, state-operated insurance exchanges in Connecticut and Maryland have recently said they are also taking measures to address security weaknesses that were spotlighted in recent state auditor reports.

GAO did not immediately respond to ISMG's request for comment on when the agency plans to issue recommendations to HHS regarding GAO's undercover test findings.

Steps to Take

McMillan, the security consultant, suggests states and the federal government can take a number of measures to help bolster identity verification processes for the Obamacare exchanges.

"There are several things the Feds can consider, like making national ID databases accessible to those handling requests; improving the Social Security identification system to include Social Security cards with photo ID and chip; and providing for an investigatory period to validate applications prior to final approval," he says.

While the private healthcare insurance sector is also at risk for fraud involving fake IDs, McMillan says many of those organizations probably have tighter controls "because for them it's a business, they are vested in their accuracy and they likely have better visibility into their workforce."

On the other hand, he notes, "the government suffers from many bureaucratic ailments, like disenfranchised workers who are simply pushing applications from one side of the desk to the other and who get recognized by how many they process as opposed to how many they catch that are wrong."


About the Author

Marianne Kolbasuk McGee


Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.



