HHS-OIG Audit Uncovers Fraud Control Failures Within HHS Grant Payment System
The Department of Health and Human Services Office of Inspector General (HHS-OIG) has recently published the findings of an audit of the HHS’s Program Support Center (PSC) grant payment system. The audit sought to establish whether effective internal controls, policies, and procedures had been implemented for preventing fraudulent transactions, and was conducted in response to $7.8 million in grant funds being fraudulently transferred to criminals’ bank accounts between March 2023 and January 2024. The fraudulent activity related to ten grants awarded to seven HHS recipients.
According to HHS-OIG, malicious actors used fake email addresses for grant recipients to compromise the PSC grant payment system. The bad actors deleted legitimate users, changed contact information, and requested that payments be sent to their own bank accounts. The bad actors were able to divert more than $10 million in grant funds to their own accounts, although the banks rejected some of those transfers, resulting in a net loss to the HHS of $7.8 million.
The HHS-OIG audit looked specifically at the PSC’s internal and cybersecurity controls and IT risk management for the payment system and associated business processes. The audit confirmed that effective controls had not been implemented for preventing fraud and communicating and acting on reports of fraudulent activity. There were also risk management failures and a failure to implement required cybersecurity controls, such as conducting timely vulnerability scans, reviews, and approvals, and mitigating weaknesses.
The payment system is one of the most widely used grant payment systems in the federal government. In 2023 alone, the system processed more than 499,000 transactions totaling more than $860 billion. The payment system is fully automated to receive payment requests, edit payments for accuracy and content, and transmit payments to the Federal Reserve Bank or the Department of the Treasury to deposit funds into the bank accounts of grant recipients.
Grant recipients are able to change their bank account information from within the payment system, and staff at Payment Management Services review, confirm, and approve every such request by calling or sending an email notification to the grant recipient’s primary point of contact to verify that the request is legitimate.
One of the key errors identified by HHS-OIG was a lack of effective controls for communicating fraudulent activity to stakeholders in a timely manner. For instance, in March 2023, the first fraudulent transfer occurred, a diverted grant payment of $643,733. The correct recipient of the grant funds reported the fraudulent activity on March 28, 2023; however, effective actions were not taken to address the issue, resulting in a further $7 million being fraudulently transferred over the following nine months.
HHS-OIG said internal controls had not been designed and implemented for escalating and disseminating information on fraudulent activity within the payment system to PSC leadership, grant awarding agencies, and grant recipients. The Payment Management Services Director did not inform PSC leadership about the fraudulent transfer in March 2023, or further fraudulent transfers between August 2023 and December 2023, until January 2024.
The Payment System Information System Security Officer (ISSO) acted on the March 28, 2023, report and, on April 5, 2023, determined that the fraudulent activity was not a cyber event; therefore, it did not fall within the ISSO’s responsibilities. The Payment Management Services Director then reported the incident to HHS-OIG, but failed to report the incident to PSC leadership, which only learned about the fraudulent activity nine months later, and even then, the notification did not come from Payment Management Services; it came from the grant awarding agency.
When the grant awarding agency notified PSC leadership of the fraudulent activity, login controls were updated. Then, one year after the first fraudulent transfer, the PSC used the payment system to send a system-generated email to grant awarding agencies and grant recipients informing them about an “identity harvesting campaign” against grant recipients.
The emails failed to refer to any specific incidents, did not ask the grant recipients to check their account information to make sure the correct bank account information was in the system, or instruct them to contact Payment Management Services if any incorrect information was identified. HHS-OIG said that including that information would have made the communications more effective.
HHS-OIG found that PSC’s approach to risk management was siloed and failed to address the risk of bad actors gaining access to the payment system. PSC’s actions since the detection of fraud have reduced fraud risk, but PSC has not done enough to reduce risk, as its actions were not based on a comprehensive fraud risk management process. HHS-OIG also found that PSC took action in response to fraud but should have been proactively implementing strategies for fraud prevention, and that there is considerable scope for improving oversight, risk management, and mitigating controls.
HHS-OIG made six recommendations for improving PSC’s control of the grant payment system. They include implementing a control environment in accordance with GAO’s A Framework for Managing Fraud Risks in Federal Programs; implementing automated verification processes for bank account changes; conducting information-system-level risk assessments in accordance with NIST guidance; effectively implementing controls for conducting required IT system vulnerability scans, reviews, and approvals; and performing timely mitigation of payment system weaknesses.
HHS-OIG also recommended implementing standard operating procedures that specify how risks and vulnerabilities to the payment system will be assessed and tested, for payment system escalation and information dissemination in the event of fraud detection, and verification processes for all bank accounts. PSC concurred with all the recommendations and is working on implementing those recommendations.
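The attack pattern described above (a fake requester address, a deleted legitimate user, a rewritten point of contact, then a bank account change) and the recommended automated verification of bank account changes can be screened with a small audit-trail check. The following is an added illustration, not code from the audit report or from the PSC payment system; the event schema, the 30-day look-back window and the sample trail are all constructed assumptions. The key point it demonstrates is that the out-of-band verification must go to the contact of record as it stood before any recent contact change, otherwise the person who rewrote the contact receives the confirmation call.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

LOOKBACK = timedelta(days=30)  # assumed review window; tune per policy

@dataclass
class Event:
    """One audit-trail entry for a recipient's account (hypothetical schema)."""
    when: datetime
    kind: str    # user_deleted | contact_changed | bank_change_requested
    actor: str   # login e-mail of the user who made the change
    detail: dict = field(default_factory=dict)

def review_bank_change(events, request, domain_of_record):
    """Screen one bank_change_requested event against the account's recent audit trail.
    Returns (decision, reasons, verify_to); verification is routed to the point of
    contact as it stood before any in-window contact change, not to the new one."""
    reasons = []
    recent = sorted((e for e in events if request.when - LOOKBACK <= e.when < request.when),
                    key=lambda e: e.when)
    if request.actor.rsplit("@", 1)[-1].lower() != domain_of_record.lower():
        reasons.append("requester's e-mail domain is not the recipient's domain of record")
    if any(e.kind == "user_deleted" for e in recent):
        reasons.append("a user was deleted within the look-back window")
    contact_changes = [e for e in recent if e.kind == "contact_changed"]
    if contact_changes:
        reasons.append("point of contact was changed within the look-back window")
    # Contact of record: the value before the earliest in-window change, else the current one.
    verify_to = contact_changes[0].detail["old"] if contact_changes else request.detail["current_contact"]
    decision = "hold_for_manual_review" if reasons else "verify_out_of_band"
    return decision, reasons, verify_to

# Constructed sample trail: a deleted user and a contact rewrite shortly before a bank change.
DOMAIN = "example-grantee.org"
T0 = datetime(2023, 3, 1)
SAMPLE_EVENTS = [
    Event(T0 + timedelta(days=3), "user_deleted", "finance@examp1e-grantee.org",
          {"user": "cfo@example-grantee.org"}),
    Event(T0 + timedelta(days=4), "contact_changed", "finance@examp1e-grantee.org",
          {"old": "cfo@example-grantee.org", "new": "finance@examp1e-grantee.org"}),
]
SUSPICIOUS = Event(T0 + timedelta(days=9), "bank_change_requested", "finance@examp1e-grantee.org",
                   {"current_contact": "finance@examp1e-grantee.org"})
BENIGN = Event(T0 + timedelta(days=90), "bank_change_requested", "cfo@example-grantee.org",
               {"current_contact": "cfo@example-grantee.org"})

if __name__ == "__main__":
    for req in (SUSPICIOUS, BENIGN):
        print(req.when.date(), *review_bank_change(SAMPLE_EVENTS, req, DOMAIN))
```

The suspicious request is held with three reasons and any verification call is directed to the pre-change contact; the later request from the legitimate account, with nothing unusual in its window, proceeds to the normal out-of-band confirmation.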