“While the Justice Department is not aware of any specific reports of identity theft or other fraud resulting from this incident, the Department has ensured that those impacted have been offered fraud resolution services and credit monitoring,” Wyn Hornbuckle, a DOJ spokesperson, said in an email to FedScoop. “The investigation of this matter is ongoing.”

The response from the DOJ follows a public disclosure of the Boston-based consulting firm’s  breach last week on the Office of the Maine Attorney General’s website. According to that disclosure, first reported by TechCrunch, Greylock McKinnon Associates experienced a cyberattack in May 2023 that likely compromised Medicare information of 341,650 people, including their social security numbers. 

That information was obtained by the Justice Department “as part of a civil litigation matter” and given to the firm, which provides litigation support, in its “provision of services to the DOJ in support of that matter,” according to a letter GMA sent to people affected by the incident.

In that letter, GMA said it “detected unusual activity on our internal network” last May and “promptly took steps to mitigate the incident.” The firm said it worked with a third-party cybersecurity specialist in its response, notified DOJ and law enforcement, and in February, received confirmation of who was affected and their contact information. 

Hornbuckle said the firm notified the DOJ of the breach in May, “after which the Department required that Greylock identify those affected and immediately began its own process to address the breach.”

GMA could not be reached for comment. 

The post DOJ ‘not aware of any’ identity theft, fraud following consultant’s data breach appeared first on FedScoop.

In its 13th annual duplication and cost savings report, GAO identified 100 new matters and recommendations in 35 new topic areas for Congress or federal agencies to improve the efficiency and effectiveness of government. Some of the biggest potential savings identified in the report come from improvements to Medicare payments within the Department of Health and Human Services (HHS), nuclear waste disposal within the Energy Department, Navy shipbuilding, and IRS enforcement efforts.

“Congressional and agency action in these areas has yielded about $600 billion in cost savings and revenue increases. Addressing remaining matters and recommendations could save tens of billions more dollars and improve government services,” the GAO said in a summary of its report released this week.

The GAO issues annual reports on federal programs, agencies, offices, and initiatives that have duplicative goals or activities and also identifies additional opportunities for greater efficiency and effectiveness that could result in cost savings or enhanced revenue collection.

Fragmentation refers to instances when more than one federal agency (or more than one organization within an agency) is involved in the same broad mission and opportunities exist to improve service delivery and efficiency.  

Overlap occurs when multiple agencies or programs have similar goals, engage in similar activities or strategies to achieve them, or target similar beneficiaries. 

Duplication is when two or more agencies or government programs are engaged in the same activities or provide the same service to the same beneficiaries.

Some of the largest areas of financial benefit to the federal government and taxpayers from the GAO report include:

• Medicare Payments by Place of Service: Congress should consider directing the Secretary of HHS to equalize payment rates between settings for evaluation and management office visits and other services that the secretary deems appropriate, which could create financial benefits of $141 billion over 10 years, per Congressional Budget Office (CBO) data.
• Nuclear Waste Disposal: The Department of Energy may be able to reduce certain risks by adopting alternative approaches to treating a portion of its low-activity radioactive waste and create tens of billions of dollars in financial benefits in the process, per GAO data.
• Navy Shipbuilding: The U.S. Navy could improve its acquisition practices and take steps to ensure ships can be efficiently sustained and create financial benefits of billions of dollars, GAO data showed.
• Medicare Advantage: The Centers for Medicare & Medicaid Services could better adjust payments for differences between Medicare Advantage plans and traditional Medicare providers in the reporting of beneficiary diagnoses and create financial benefits of billions of dollars, per MedPAC data.
• Internal Revenue Service Enforcement Efforts: Enhancing the IRS’s enforcement and service capabilities can help reduce the gap between taxes owed and paid by collecting tax revenue and facilitating voluntary compliance. This could include expanding third-party information reporting, which could save billions of dollars, per Joint Committee on Taxation data.
• Congress could reauthorize the First Responder Network Authority by 2027 to ensure the continuity of the public-safety broadband network and collection of potential revenues of billions of dollars over 15 years, the report states.
• Foreign Military Sales Administrative Account: Congress should consider redefining what can be considered an allowable expense to be charged from the administrative account of the Defense Department which could create financial benefits of tens of millions of dollars annually, per GAO data.

The new additions to the report fall on top of the 1,885 that GAO has identified in prior reports. Of those, Congress and agencies have fully addressed 1,239 — about 66 % — of those existing items.

The post Government could save over $100B by reducing big overlaps, duplications, watchdog finds appeared first on FedScoop.

The program has so far helped streamline fraud identification within the more than one million transactions processed each day by the Centers for Medicare & Medicaid Services (CMS), according to the IT leader.

“They’re using tree based models and deep learning approaches and then they go and look at the medicare administrative claims data,” said Mathias during a AFCEA Bethesda Health IT event Wednesday.

“It’s still in a pilot phase but they’ve seen some success with this and they intend to keep growing it.”

The IT executive added that the AI systems being tested have an edge over current fraud detection systems because tree-based models allow faster identification of new types of criminal activity.

“As medicare fraud criminals figure out what’s being spotted by law enforcement, they keep changing their techniques, then this AI system figures that out and drops obsolete models based on that,” said Mathias.

Tree-based AI models use a decision tree to represent how different input variables can be used to predict a target value. Machine learning systems use tree-based models both for classification and regression problems.

Mathias said that HHS has also started using new AI technology to speed up counterfeit drug detection at the Food and Drug Administration (FDA) by using computer vision AI to tell whether a drug is authentic or fake. The technology can do so within seconds by evaluating wavelengths, which mitigates the need for a human to carry out a physical inspection.

Another branch of HHS, the National Institutes of Health (NIH), has also begun using AI automation when it comes to research grant proposal analysis and auditing. According to Mathias, the AI system has a 92% accuracy rate when it comes to accepting the appropriate grant proposals, thereby eliminating a key bottleneck for innovative research approval. 

The CIO added that the use of AI systems at NIH would ensure taxpayer dollars are used more efficiently.

The post HHS CIO Mathias says tree-based AI models helping to combat Medicare fraud appeared first on FedScoop.

Healthcare Management Solutions, LLC (HMS), a subcontractor of ASRC Federal Data Solutions, LLC (ASRC Federal), violated its obligations to CMS and potentially 254,000 of its 64 million Medicare beneficiaries whose personally identifiable and protected health information may have been exfiltrated, according to the agency.

President Biden issued an executive order in February 2021 in an effort to shore up agencies’ supply chains, after Russia-linked hackers breached federal contractor SolarWinds’ software supply chain  — compromising nine agencies. Supply chain attacks continue to increase, prompting multiple reviews by the Department of Homeland Security’s Cyber Safety Review Board.

“The safeguarding and security of beneficiary information is of the utmost importance to this agency,” said CMS Administrator Chiquita Brooks-LaSure in a statement. “We continue to assess the impact of the breach involving the subcontractor, facilitate support to individuals potentially affected by the incident and will take all necessary actions needed to safeguard the information entrusted to CMS.”

ASRC Federal resolves system errors related to Medicare beneficiary entitlement and premium payment records and supports premium collection from direct payers for CMS. Subcontractor HMS suffered a ransomware attack on its corporate network on Oct. 8, which it notified CMS of the next day.

After an initial investigation, CMS concluded on Oct. 18 its data that HMS handled was potentially compromised for some Medicare beneficiaries.

CMS continues to notify beneficiaries whose information may have been exfiltrated by letter that they’ll receive an updated Medicare card with a new Medicare Beneficiary Identifier, which also may have been compromised; free credit monitoring services; and incident updates.

No CMS systems were breached or Medicare claims data involved. But names, addresses, dates of birth, phone numbers, Social Security Numbers, Medicare Beneficiary Identifiers, banking information including routing and account numbers, and Medicare entitlement, enrollment and premium information were potentially compromised, according to the agency.

Affected beneficiaries are advised to destroy their old Medicare card upon receipt of the new one, contact their financial institutions and enroll in Equifax Complete Premier credit monitoring for free using the letter’s instructions.

“At this time, we’re not aware of any reports of identity fraud or improper use of your information as a direct result of this incident,” reads the letter sent to affected beneficiaries.

Healthcare Management Solutions was contacted for comment.

The post CMS subcontractor breach potentially exposes data of 254,000 Medicaid beneficiaries appeared first on FedScoop.

HHS disclosed initial details of the breach on its Office for Civil Rights (OCR) breach portal website, in which it noted that 1,279 individuals have been affected by the incident.

The OCR has law enforcement powers and is responsible for ensuring private and public sector compliance with information privacy and security laws. It can require organizations to take remedial action and in some cases issue fines.

Entities whose data governance is regulated by OCR include public and private sector organizations in three groups: health plans, health care providers and health care clearinghouses. Federal government organizations defined as covered entities under the legislation include Medicaid, Medicare and the Veterans Health Administration.  

Under the Health Insurance Portability and Accountability Act of 1996, covered entities are required to respond to a suspected breach within a defined timeline.

When an incident affects 500 or more individuals, the covered entity involved must notify HHS and the department secretary “without unreasonable delay,” and no more than 60 calendar days from discovery of the breach.

When a health data breach incident affecting fewer than 500 individuals is discovered, covered entities must still notify the HHS secretary but have within 60 days of the end of the calendar year in which the breach was discovered to do so.

OCR has a wide-ranging enforcement remit at HHS that focuses on ensuring compliance with the nation’s civil rights, conscience and religious freedom laws in addition to health information privacy and security laws.

An OCR spokesperson said: “Generally, OCR does not comment on open or potential investigations.”

A Defense Department spokesperson referred FedScoop’s query to HHS.

The post HHS Office for Civil Rights probes ‘hacking/IT incident’ at Defense Health Headquarters appeared first on FedScoop.

In a Dec. 4 letter, the lawmakers urge House and Senate leaders to use end-of-year legislation to permanently expand Medicare coverage of telehealth services.

The letter says Congress should permanently waive geographic restrictions on telehealth services, so that a beneficiary’s eligibility isn’t based on where they live. The lawmakers also want the telehealth services approved by the Centers for Medicare and Medicaid Services (CMS) to be available to all beneficiaries, not just some. Lastly, they call for legislation to permanently authorize Federally Qualified Health Centers and Rural Health Clinics to provide telehealth services.

“Congress needs to act now to better serve patients and health care providers during the pandemic, and to ensure that telehealth remains an option after the pandemic is over,” the letter reads. Sen. Brian Schatz, D-Hawaii, led the effort to circulate the letter on Capitol Hill.

Under the current expansion, there are three types of virtual services doctors can provide for Medicare beneficiaries: a telehealth visit that uses audio and visual technology for real-time communication, a brief patient-initiated virtual check-in typically conducted over the phone, or an e-visit through an online patient portal.

Providers must use “non-public facing” remote communication tools for those visits — such as Apple FaceTime, Zoom, Skype, or Google Hangouts — that only allow the intended parties to participate in the visit.

The lawmakers note that telehealth services have numerous practical effects, including reduced potential for COVID-19 transmission because fewer patients need to enter health care facilities. Additionally, telehealth increases a health care facility’s capacity overall and reduces the use of “scarce” personal protective equipment, the letter says.

“These actions would address the restrictions on originating sites that CMS has stated are the greatest barriers to the expansion of Medicare telehealth services as well as ensure that health centers can continue their pivotal role in providing health care in rural and underserved areas,” the letter reads.

The Coronavirus Preparedness and Response Supplemental Appropriations Act, 2020 and the Coronavirus Aid, Relief, and Economic Security Act increased access to telehealth services for Medicare beneficiaries, which resulted in a rapid acceleration of use. Before the pandemic, about 13,000 Medicare recipients used telehealth services in any given week. By the last week of April this year, it was 1.7 million recipients, nearly a 13,000% increase.

The expanded coverage is currently tied to the Covid-19 public health emergency declaration and is renewed in three-month increments.

The uncertainty of the long-term future of Medicare telehealth coverage has made it difficult for providers to fully invest in scaling up their operations, such as purchasing telecommunications equipment, training staff and updating electronic billing systems. These are high cost actions and “many organizations are not investing in all of these areas to optimize the use and availability of telehealth,” without knowing the longevity of the expanded coverage.

The post Medicare telehealth expansion gets bipartisan stamp of approval from lawmakers appeared first on FedScoop.

The agency is still setting up its “sandbox” for capturing claims data and making it useful to providers, but the system should be ready by mid-November, according to a CMS spokesperson. Only synthetic claims data is in the sandbox currently, but the plan is to allow a small number of providers production-level access to actual claims data to start.

With better access to Medicare data, health systems will be able to paint a more robust picture of patients’ health, the spokesperson said.

Seema Verma, administrator of the Centers for Medicare and Medicaid Services, announced the Data at the Point of Care (DPC) pilot in July. Part of the appeal is that participating providers won’t have to log into a traditional portal to access Beneficiary Claims Data. The project is using an application programming interface (API) instead.

Ease of use is important, given that the average physician sees between 500 and 1,000 Medicare patients a year, said Shannon Sartin, executive director of digital service at the Department of Health and Human Services.

Speaking at the VMware Public Sector Innovation Summit produced by FedScoop on Oct. 2, Sartin said she and Verma have worked closely the last two years to improve data interoperability.

“CMS has a ton of data on anybody who’s been a member of Medicare, so that’s nearly half the population,” Sartin said. “And we’ve really worked hard to develop models for sharing that data.”

Multiple doctors create data challenges

In the past, physicians’ knowledge of patients’ medical histories was based largely on the information the latter could recall on forms. That presents a challenge when many Medicare beneficiaries see multiple doctors at any given time and they’re expected to remember, say, the last time they were admitted to the emergency department or had a colonoscopy.

Claims data provides physicians with a blueprint of where all those records might be if they need to request them.

CMS’s endgame is an interoperable health system, meaning one that seamlessly moves usable data electronically from a patient or a care provider to other entities, allowed access under the Health Insurance Portability and Accountability Act, the agency’s spokesperson said. Rather than simply printing out the information, it’s transmitted directly into workflows.

Interoperability is a “complex, mostly nontechnical” problem closely tied with incentives, Sartin said.

“We’re actually incentivized to hold onto our data because we want to hold onto our patients,” she said. “For as much as we the general public think that services should be shoppable — or I should be able to go someplace else and take my data — that’s actually not in the incentive model at all in our health care system.”

For that reason, CMS is moving toward value-based health care and encouraging collaboration between providers — developing technology internally before attempting to regulate it, Sartin added.

As for its role, CMS sees itself as a major player building APIs and sharing data, the agency’s spokesperson said.

Prior to the DPC pilot, CMS developed the Blue Button 2.0 API in 2018 to share claims data directly with beneficiaries on the apps of their choice.

CMS isn’t alone in its quest for health data interoperability.

The Department of Veterans Affairs launched a pilot integrating all personal health data on iPhones with the Apple Health Kit. That way a doctor could view sensor data from a patient’s Apple Watch side-by-side with their medical record, said Joseph Ronzio, deputy chief health technology officer.

Making data from divergent sensors usable presents security challenges as well. So the VA is collaborating with the Institute of Electrical and Electronics Engineers on interoperable data standards and pushing analytics, Ronzio said.

“So instead of having to consolidate data in any one place, which obviously is a security risk … you can actually send out an analytic and get back the results,” he said.

The post Medicare data project gains momentum as CMS continues its push for interoperability appeared first on FedScoop.

The Data at the Point of Care (DPC) pilot will leverage the Beneficiary Claims Data application programming interface (API) so clinicians avoid logging into an application or portal for the information. The API pulls in claims data from all of patients’ Medicare histories, including services outside of their core group of providers.

DPC is part of the MyHealthEData initiative the White House Office of American Innovation launched last year to make Medicare data available to patients, researchers and accountable care organizations.

“Today’s announcement is a critical step in our efforts to change provider reimbursement and move toward value,” said Seema Verma, administrator for the Centers for Medicare and Medicaid Services, at the Blue Button Developers Conference on Tuesday. “Providers often struggle to have a complete picture of a patient’s medical history, including procedures, medications and preventative services.”

Blue Button 2.0 is an API allowing Medicare beneficiaries to securely connect their health care data to apps and other tools. Beneficiary Claims Data and Blue Button both use the Fast Healthcare Interoperability Resource standard to facilitate system interoperability and data sharing.

“The government already spent more than $36 billion to encourage the adoption of electronic health records, but it failed to make sure that the systems could actually talk to each other,” Verma said. “And now we’re left with a health care industry that still uses fax machines.”

Soon the White House will issue a final Interoperability and Patient Access Rule requiring all health plans regulated by the government to create their own version of Blue Button 2.0, she added. About 2,000 developers from 1,100 organizations use the synthetic data in the Blue Button sandbox, and 28 organizations have related apps in production, Verma said.

In the next six months, the White House will enhance Blue Button 2.0 to ensure patient confidentiality in the face of emerging threats and update terms of service with app developers, Verma said.

Current health privacy regulations don’t extend to most applications, and Congress hasn’t legislated the matter.

“So I call upon you to join us in making this a priority and to voluntarily use CMS’s privacy requirements,” Verma said. “Or I ask the industry itself to come up with standards so we can ensure patients’ trust.”

The White House also plans to give Medicaid data the MyHealthEData treatment later this year, she said.

Together Medicare and Medicaid account for nearly 24 percent of federal spending, and the Medicare trust fund will run out by 2026, Verma said.

“It’s a looming cost crisis that could destroy our economy,” she added. “And so far government solutions have not been able to solve this problem.”

The post Medicare claims data will be available to clinicians under pilot program appeared first on FedScoop.

Simply navigating the Medicare Plan Finder (MPF) page on Medicare.gov can be a challenge, the watchdog agency writes in a report published Tuesday. Getting through the various pages takes a long time, and users are unable to jump directly to the sections that cater to their needs.

And that’s just the beginning — once users finally reach the page to compare plans, they tend to struggle to understand what’s written there. Per a report by advocacy groups, “the website explains health coverage terminology poorly and does not use plain language,” GAO writes.

The current MPF page. (Screenshot)

Stakeholders interviewed by GAO also said the information on the website is sometimes incomplete with regard to cost and coverage. This makes it difficult for beneficiaries to truly decide what plan is best for their needs which, of course, is specifically what they came to the website to do in the first place.

But there’s good news ahead — the Centers for Medicare and Medicaid Services (CMS) is planning to launch a revamped MPF site this fall. The redesigned site will roll out in phases, CMS said, starting in early August and completing by the Medicare open enrollment period in October 2019.

“With the redesign, CMS plans to improve the navigation of MPF by providing more prominent explanations on how to use MPF; reducing the steps users must take to get to more detailed coverage information; configuring MPF so users can more easily switch between different topics inside MPF, such as switching between [Medicare Advantage] plan information and Part D plan information; and improving the filter and sort functions so users can narrow down their coverage options more quickly,” GAO states. “CMS also plans to make information easier to understand by simplifying and reducing the volume of information on the pages and revising frequently misunderstood terms with more user-friendly language.”

CMS told GAO it is soliciting user feedback on the redesign, which it hopes will help overcome the usability challenges that the legacy site suffers from.

The post CMS’s Medicare Plan Finder website is difficult to use, GAO says appeared first on FedScoop.

Commercial credit agencies have traditionally helped the government verify identities by asking personal questions from credit files, but the 2017 Equifax data breach has officials rethinking that process.

My Social Security uses knowledge-based verification before people can access their benefit status, replace Social Security or Medicare cards, or request services. But data stolen in the Equifax breach could be used to answer My Social Security’s personal questions.

Agencies could instead compare pictures of photo IDs submitted by mobile phone to documents on file, but not all people have a smartphone, according to a Government Accountability Office report released Friday.

In 2017, NIST effectively barred agencies from using knowledge-based verification for sensitive applications, but GAO said the guidance was insufficient in ensuring they adopted alternatives.

Agencies have argued alternatives present cost, convenience, technological, and equity barriers.

Of six agencies reviewed, only the General Services Administration and the IRS had eliminated knowledge-based verification for Login.gov and Get Transcript services.

GAO found the Department of Veterans Affairs still uses such questions for certain people, while SSA and the U.S. Postal Service indicated they want to reduce use but don’t have any plans to do so.

The Centers for Medicare and Medicaid Services have no plans to switch to alternatives.

“[U]ntil these agencies take steps to eliminate their use of knowledge-based verification, the individuals they serve will remain at increased risk of identity fraud,” reads the report.

GAO wants NIST to provide additional direction on how to successfully implement other methods like in-person identity proofing or verification of mobile device possession using carrier records. The new guidance should broach the advantages and disadvantages of different technologies and make recommendations, according to the report.

NIST officials had no plans for additional guidance at the time of review, GAO said, but the Department of Commerce agreed with the recommendations on NIST’s behalf — as did SSA, USPS and VA. The Department of Health and Human Services disagreed on CMS’s behalf arguing alternatives aren’t feasible for its clients like those using HealthCare.gov.

“The alternatives to knowledge-based verification proposed by GAO in their report are not suitable for certain populations served by CMS as they would create undue burden, create barriers to accessing federal services, or may be cost prohibitive,” HHS said in its comments. “For example, in-person for rural populations is not viable due to travel distance.”

HHS added it would continue to monitor for “potential effective” alternatives.

The Office of Management and Budget did not comment on GAO’s recommendation it require agencies to report their progress on identity-proofing processes outlined by NIST.

The post Report: Benefits agencies, lacking guidance, slow to abandon traditional identity verification appeared first on FedScoop.