The Program Integrity Checklist: How State and Local Governments Can Mitigate Fraud and Abuse

Federal relief funding was intended to give those devastated by the coronavirus pandemic a financial shot in the arm. Instead, hundreds of millions of taxpayer dollars landed in the hands of brazen fraudsters. But it’s not all bad news: Public sector entities now have a clear roadmap from those lessons learned to avoid similar instances going forward. 

The Coronavirus Aid, Relief, and Economic Security Act was passed in March 2020, followed by the American Rescue Plan Act nearly a year after. This funding was meant to help state and local governments, businesses and citizens recover from pandemic-related financial loss. But criminals jumped at the opportunity to take advantage of these initiatives, costing many Americans access to the benefits they needed to stay afloat. 

In March, the Justice Department reported it charged 474 defendants with fraud or other criminal schemes related to the pandemic over the past year. In these cases, criminals attempted to scam the government and public out of over $569 million.

In fact, a quick scan of the Justice Department’s coronavirus-related fraud news reveals headline after headline of statewide criminals sentenced for COVID-19 relief fraud schemes, unemployment benefits fraud, misappropriation of Payment Protection Program loans and more. 

These cases cracked open various security and infrastructure challenges government and industry can work through together to ensure this type of fraud doesn’t repeat itself. 

How Did This Happen?

According to Linda Miller, principal at Grant Thornton advisory services and former executive director of the Pandemic Response Accountability Committee, cyber has become the channel of choice for fraud, and at the heart of fraud is information theft. Advancements in technology are expanding the pool of opportunity for information and identity theft, as illustrated by the sheer number of data breaches the country has experienced in recent years. 

“Pretty much every American's data has been compromised to some degree, [and] most have been involved in multiple breaches,” Miller says. “The pandemic has created an opportunity for fraudsters to capitalize on all that stolen data.”

It was the perfect storm: the amount of personally identifiable data available on the dark web for sale made it easier to create fake identities that can be used to apply for benefits. 

While Miller said that so far it appears that state unemployment insurance programs were most affected by these schemes, the Department of Health and Human Services Office of Inspector General also reported scammers posing as credible state or medical officials via telemarketing calls, text messages and social media platforms. 

These criminals would offer COVID-19 tests, HHS grants and Medicare prescription cards in exchange for personal details. They would then use identity data to fraudulently bill federal health care programs and commit medical identity theft.

These schemes, however, didn’t surprise Miller. 

It’s fairly easy to commit identity-based crimes, and state systems were already overwhelmed during the pandemic. 

“We saw an increase in organized criminal enterprises, and many of these foreign actors defrauded unemployment programs in all 50 states,” Miller says.

Had states been able to identify where an applicant was using an IP address that was located in a foreign country, they could have potentially stopped this type of crime, she adds. 

“It was just a perfect storm of huge amounts of money being disbursed very quickly by overwhelmed state and federal agencies confronted with sophisticated fraud actors armed with stolen data and sophisticated tools,” Miller says. 

Understanding the Infrastructure Gaps 

Miller outlines three major gaps in state and local infrastructure that exposed vulnerabilities to cybercriminals and fraudsters. 

The first is a lack of validation of self-reported information.

“The Small Business Administration (SBA) Inspector General reported that the SBA loan programs ‘lowered the guardrails’ with regard to controls and relied on self-attestation — just taking the people at their word — for eligibility determinations,” Miller says. “That’s just an invitation for people to misrepresent themselves and their eligibility.” 

Instead, these programs could have required beneficiaries to upload documents to verify applicant eligibility. 

The second gap, Miller says, is the use of outdated systems at the state and local level, like COBOL — a computer programming language created in 1959. These systems can’t implement the kinds of data checks and data matches required to rule out ineligible applicants. 

Lastly, in the pandemic unemployment assistance program, many states did not access data they needed to cross-reference applicant information — even though there is a data hub set up for that purpose.

Data Sharing is Critical to Mitigating Fraud and Abuse

The type of data state agencies need to share is bound by privacy and security walls. There are also barriers to sharing information because of liability and loss of data concerns. 

“Congress is going to need to get involved to help provide some more flexibility in how agencies can share data,” Miller says. 

Ultimately, the government will need to revisit data privacy rules so agencies can share more information more easily. But even if policies change, this won’t happen overnight. 

“States either have [data] in a non-digitized format, or they have it in a way that even if it's electronic, they are hesitant to share it with one another,” Miller says. “The data-sharing legal and technology problems are the biggest things to solve going forward.”

Crafting a Strategy for Fraud Detection, Prevention 

Miller says agencies should start with assessing the data they already have and going after easily collectible applicant data. They should also be checking if applicants are applying to duplicate programs within their own agencies, which is often not allowed. 

“My biggest message to agencies is to do something, because right now, there's just so little being done in terms of data checking prior to making a payment,” Miller says. 

An appetite for change needs to start at the senior level, and sentiments are already changing based on the high volume of pandemic-related fraud. A 2021 Grant Thornton survey found 38% of government and regulatory organizations upped their budgets for anti-fraud technology, making it the most common area for increased investment.

Congress provided the Centers for Medicare and Medicaid Services with the funds to stand up the only Center for Program Integrity within a federal agency. While most agencies aren’t receiving this kind of funding, it could provide a model for big agencies to develop a standalone integrity office with goals, metrics and accountability built in. 

Moreover, top-down pressure is needed to implement the proactive and preventative analytic capabilities and data-matching tools to detect anomalies and mitigate fraud going forward. Data visualization tools can track and analyze applicant data, so agencies can more easily manage risk.

Tamara Reynolds, Grant Thornton’s managing principal of state and local, suggests agencies that have not implemented robust preventative fraud risk controls consider applying potential controls on a sample of payment transactions. This will enable agencies to quantify fraud risk exposure. While not a preventive measure, this information can be used to justify and prioritize what they will need to implement.  

Preventing Fraud Amid Disaster

Whatever the future may hold, state and local governments must prepare and protect themselves from fraud so federal funding gets into the right hands. 

“The pandemic has seen increasingly sophisticated mechanisms to perpetrate fraud due to the remote use of more technologies,” Reynolds says. “Citizens, businesses and agencies need to remain alert and recognize that fraud risk management requires technological know-how. Schemes are not as straightforward as falsifying records when applying for benefits — fraud is being perpetrated at scale, and the dollars are getting bigger and bigger.”

The technologies used today, like two-factor authentication and biometric tools, won’t work on more sophisticated fraud schemes. As agencies continue to struggle with basic system vulnerabilities, fraudsters will leverage dark web marketplaces and spoofing technology. 

“I do think that there's a healthy level of alarm that agency leadership would be right to feel,” Miller says. “They need to be taking this way more seriously, and I think the pandemic did provide that wake-up call for many agency leaders.”