Medicare and Medicaid Payments to Providers Are at Risk of Diversion Through Electronic Funds Transfer Fraud Schemes

Report number: OEI-07-23-00180

Why OIG Did This Review

  • OIG identified a fraud scheme in which fraudsters diverted Federal and State payments intended for providers. Specifically, individuals purporting to be hospital providers have targeted the Medicare and Medicaid programs by submitting fraudulent electronic funds transfer authorization requests, or by using other schemes, to divert provider payments to fraudsters.
  • There is a potential for large losses associated with electronic funds transfer fraud, given how widely electronic funds transfer transactions are used within the health care industry. Recently, fraudsters who were able to gain unauthorized access to email accounts targeted the HHS grant Payment Management System, leading to millions of dollars in losses in 2023.

What OIG Found

  • Two-thirds of surveyed entities that process payments for Medicare and Medicaid (i.e., payors) reported that they were aware of being targeted by electronic funds transfer fraud schemes, some of which were frequent or recurring.
  • Medicare and Medicaid payors most frequently reported using verified communication channels or knowledge-based methods to confirm electronic funds transfer changes.
  • Some Medicare and Medicaid payors described employing security measures that align with recommendations from expert groups.
  • CMS took some steps to mitigate threats from electronic funds transfer fraud schemes in Medicare.
  • Nearly three-fifths of surveyed Medicare and Medicaid payors expressed interest in implementing additional measures to mitigate electronic funds transfer fraud threats, but some reported challenges or barriers to implementation.

What OIG Recommends

OIG recommends that CMS:

  1. Engage Medicare Administrative Contractors on improving security measures.
  2. Share information with State Medicaid agencies to help improve security measures.
  3. Support periodic information sharing to mitigate evolving threats of electronic funds transfer fraud schemes.

CMS did not explicitly state its concurrence or nonconcurrence with the first two recommendations as initially drafted; OIG has altered these recommendations slightly to clarify OIG’s intent. CMS did not concur with the third recommendation.

25-E-07-017.01 to CMS - Open Unimplemented
Update expected on 08/24/2025
CMS should engage Medicare Administrative Contractors regarding opportunities and barriers to improving security measures for EFTs that were reported in response to OIG's survey.

25-E-07-017.02 to CMS - Open Unimplemented
Update expected on 08/24/2025
CMS should share information with State Medicaid agencies to help address challenges implementing security measures to protect against EFT fraud.

25-E-07-017.03 to CMS - Open Unimplemented
Update expected on 08/24/2025
CMS should support periodic information sharing among Medicare and Medicaid payors and expert groups to mitigate evolving threats of EFT fraud schemes.
