IG: IRS Obamacare System Open to Fraud

Sen. Hatch Calls System 'Fraudsters' Dream Come True'
Sen. Orrin Hatch, left, says the IRS needs to provide more safeguards.

The IRS system that would allow eligible taxpayers to use refundable tax credits to help pay for health insurance under the Affordable Care Act wasn't built to detect fraud, a just-issued audit reveals.

"Without a fraud detection and mitigation strategy, the ACA program may not have assurances that ACA systems adequately address emerging fraud control requirements," according to the audit from the Treasury Inspector General for Tax Administration issued this week. "Without adequate fraud mitigation controls, the IRS may be unable to identify ACA refund fraud or schemes prior to the issuance of erroneous refunds."

After reviewing the audit, Sen. Orrin Hatch, R-Utah, the ranking member of the Senate Finance Committee and an Obamacare critic, characterizes the IRS system as "a fraudsters' dream come true."

The audit also says the IRS needs to improve the system to assure proper implementation of configuration and change management, interagency test management processes and security.

Quick Action Needed

Russell George, the Treasury Department's inspector general for tax administration, says the IRS needs to act quickly to prevent fraud. "With the healthcare exchanges open for business, it is imperative that the IRS ensure the accuracy and completeness of premium tax credit and advanced premium tax credit calculations and ensure the security of information provided by taxpayers to the IRS and subsequently transmitted to other government entities," George says.

According to the audit, IRS documents fail to address management's responsibility to manage, monitor and mitigate fraud in developing a new information system for Obamacare. "It is important for the IRS to thoroughly consider fraud threats and risks that could impact new ACA systems," the inspector general says. "Robust fraud mitigation controls and new systems are required to reduce improper and erroneous payments and fraud risk."

The IRS fraud handbook defines fraud, but not for the healthcare system, the audit notes. A briefing document prepared for auditors by the IRS ACA program management office outlined the agency's continuing fraud mitigation approach for the ACA systems, but the program management team acknowledged that this approach wasn't part of an established fraud mitigation strategy for ACA systems.

The IRS has notified auditors of two new systems being developed to help address fraud risk. "However," the inspector general says, "until these new systems are successfully developed and tested ... the IRS's existing fraud detection system may not be capable of identifying ACA refund fraud or schemes prior to the issuance of tax return refunds."

Mac McMillan, chair of the privacy and security policy task force for the Healthcare Information and Management Systems Society, a not-for-profit association for those involved in healthcare IT, says the IRS should take healthcare fraud seriously. "It's the most costly white collar crime in America accounting for multi-billions in dollars," he says. "What's amazing is that we would allow a system this massive in potential impact be deployed without proper fraud detection."

McMillan, CEO of the consultancy CynergisTek, says fraud detection systems rely on data analytics, behavioral analysis and predictive analysis. "Catching fraud is a matter of identifying the anomalous behavior, seeing the pattern and analyzing the activity," he says. "Building fraud detecting schemes into software used for processing claims can lead to early detection and therefore lower costs."

Fraud Mitigation

The IG report recommends that IRS Chief Technology Officer Terence Milholland ensure that the ACA program completes a comprehensive fraud mitigation strategy to guide systems development, testing and implementation. It also recommends that the IRS manual be updated to effectively manage, monitor and mitigate fraud risk for IT systems.

The IRS concurs with those recommendations. But it contends that there is no fraud risk with the advanced premium tax credit calculator or the income and family size verification process in version 3.0 of the ACA system, which went live in October.

Milholland, in his response to the IG's audit, says the IRS has developed an action plan for any issues identified by auditors. "The IRS has a consistently strong focus on both securing its information technology systems and guarding against tax administration fraud," he says. "As part of our process, our cybersecurity organization has completed the security assessment report and a risk mitigation plan since the closing of the audit in accordance with National Institute of Standards and Technology guidelines."

But Milholland's assurances didn't deter Hatch from showing his lack of faith in the IRS.

"The very nature of these credits - pay first, verify a person's income later - will lead to potentially hundreds of billions of dollars of improper payments and could put millions of Americans' personal information at risk," Hatch says. "While the IRS needs to do more to ensure more safeguards are put in place, the fact is that the problems with these tax credits are deeply rooted in the law itself. I fear the IRS will never be fully capable of ensuring that these refundable tax credits go to those who are truly eligible."

About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
