Federal authorities tackle the issue of fraudulent grant disbursements within HHS
The Office of Inspector General (OIG) for the Department of Health and Human Services (HHS) has uncovered significant fraudulent activity in the HHS grant payment system. Over a nine-month period from March 2023 to January 2024, bad actors diverted nearly $8 million from legitimate grantees.
The fraudsters gained access to the Payment Support Center's (PSC) payment system by using fake grant recipient email addresses to request access. Once they gained access, the bad actors masqueraded as grant recipients and requested bank account changes, either diverting grant payments to their own bank accounts or waiting for grant recipients to request a grant payment, which was then diverted.
In response to this incident, OIG has made specific recommendations to prevent future fraud in the grant payment system, primarily focusing on strengthening internal controls to identify and reduce improper payments and fraud risk.
Key recommendations include:
- Corrective Actions for Improper Payments: OIG has recommended refunding improper payments identified in grant applications, as demonstrated in a recent audit related to the Michigan Department of Health and Human Services.
- Enhancing Internal Controls: OIG urges HHS to improve oversight, verification, and monitoring processes within grant administration to mitigate fraud risk.
- Use of Data Analytics and Investigations: HHS OIG supports using enhanced data mining, predictive modeling, and artificial intelligence tools to identify high-risk providers and anomalies in billing and grant applications.
- Suspension and Debarment Checks: HHS policy requires regular checks of the System for Award Management (SAM.gov) to ensure ineligible parties do not receive grants.
Regarding the PSC, OIG found that the centre did not have effective internal controls to prevent fraudulent transactions. PSC did not conduct adequate risk management or implement all required cybersecurity controls to protect the payment management system.
In response, Tamara Lilly's office made six recommendations to improve PSC's controls over its grant payment system. These recommendations included implementing additional cybersecurity controls, finalising and implementing bank account verification processes, and developing standard operating procedures. PSC concurred with all six of the recommendations and has shared initial plans to mitigate the risk.
PSC has been taking corrective actions since the fraud was detected in January 2024 and continues to implement them. Tamara Lilly suggests starting with the GAO's Green Book for establishing a solid internal control structure, OMB circulars and memos for risk assessment and implementing cybersecurity controls, and NIST publications for specific cybersecurity controls.
Tamara Lilly, the Assistant Inspector General for the Office of Audit Services at the Department of Health and Human Services, encourages all entities to assess their risks, implement controls to mitigate those risks, train staff, and regularly verify that controls are working effectively. By following these recommendations, entities can better protect their grant payment systems from fraud.
- In light of the $8 million fraud discovered in the Health and Human Services grant payment system, it's crucial for the federal workforce to reevaluate its internal controls to prevent future incidents.
- The fraudulent activity in the PSC's payment system has highlighted the need for PSC to strengthen its cybersecurity controls, enhance bank account verification processes, and establish standard operating procedures.
- In the wake of the OIG's findings, businesses and general-news outlets should pay close attention to crime-and-justice reports, as such incidents can have far-reaching impacts on the finance sector and the overall workforce.