
OIG audit: Grant payment system control gaps led to $7.8M in fraud
Effective internal controls could have prevented bad actors from diverting $7.8 million in grant funds from HHS' Program Support Center grant payment system, an OIG audit found.
An HHS grant payment system did not have effective internal controls in place to prevent fraud, enabling bad actors to divert $7.8 million in grant funds from March 2023 through January 2024, an HHS Office of Inspector General, or OIG, audit found.
OIG launched an audit of HHS' Program Support Center (PSC) grant payment system, known as the Payment Management System, after it learned that fraudulent activity within the system had affected 10 grants awarded to seven HHS recipients. The HHS grant payment system is one of the largest in the federal government, having processed over $860 billion in grant payments in 2023 alone.
The bad actors gained access to PSC's payment system using fake grant recipient email addresses, the audit report stated.
Once they were granted access, the bad actors deleted legitimate users and requested that grant payments be disbursed to their own accounts. The bad actors proceeded to divert millions of dollars away from grant recipients.
OIG, which is responsible for investigating fraud, waste and mismanagement in HHS programs, set out to review PSC's risk management protocols, internal controls and cybersecurity controls to determine whether the system was properly protected at the time of the incident.
OIG found that before March 2023, PSC had not implemented effective internal controls, policies and procedures to prevent fraudulent transactions. What's more, OIG asserted that PSC had not carried out the risk management activities needed to protect the widely used grant payment system.
Specifically, PSC failed to implement policies to effectively communicate fraudulent activity to key stakeholders in a timely manner. The first observed instance of fraud occurred in March 2023, when bad actors diverted $643,733 in grant funds. Although the grant recipient notified staff of the fraudulent activity, bad actors were still able to divert an additional $7 million over the course of nine months.
"PSC did not design and implement internal controls to escalate and disseminate information on fraudulent activity in the Payment System to PSC leadership, grant awarding agencies, and grant recipients," OIG stated.
"As a result, the Payment Management Services Director did not inform PSC leadership when notified of the initial series of fraudulent withdrawals in March 2023. Even after additional fraudulent withdrawals occurred and were detected from August through December 2023, the Payment Management Services Director did not inform PSC leadership."
It was not until January 2024 that a grant-awarding agency notified PSC leadership of fraudulent activity. At that time, PSC took action to implement updated controls and notify grant recipients of the incidents. However, millions in grant funds had already been diverted.
In March 2024, PSC leadership sent an email to grant recipients and grant-awarding agencies warning of an "identity-harvesting campaign." However, the email did not refer to specific incidents, nor did it ask recipients to check their account information and report anything inaccurate to PSC leadership.
OIG noted that PSC's communications to grant recipients would have been more effective if they had provided more details about the fraudulent activity and encouraged them to verify their own account information.
Overall, OIG found that PSC was particularly vulnerable to fraud because its system was "not conducive to implementing mitigating internal controls to protect the Payment System."
"PSC's actions to improve fraud risk controls are a step in the right direction; however, the mitigating controls PSC put in place after the fraudulent activity were not the result of a comprehensive fraud risk management process," the report noted.
"PSC generally has taken a reactive approach to address the fraud and loss instead of a proactive approach to implement strategies for addressing fraud risks. To more effectively protect the Payment System against sophisticated persistent threats, PSC's oversight, risk management, and mitigating controls protecting the Payment System need further strengthening based on a proactive approach to risk management and fraud prevention."
OIG recommended that PSC develop standard operating procedures that include fraud mitigation controls and implement a verification process for bank account changes. OIG also recommended that PSC conduct routine IT system vulnerability scans and mitigate payment system weaknesses in a timely manner.
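The pattern the audit describes (a lookalike recipient address gets access, the legitimate user is deleted, the payee bank account is changed, and a disbursement is requested) is exactly the sequence a bank-account-change verification process should catch before money leaves. The following is an added example, not PSC's code and not taken from the OIG report: a small Python model of such a control run over constructed account events. The event kinds, field names, the 14-day verification window and the "verified out of band" flag are all assumptions made for illustration.

```python
# Added example (not PSC's code): a model of the bank-account-change verification
# control OIG recommended, applied to constructed account-activity events.
# Event kinds, field names and the 14-day window are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timedelta

VERIFICATION_WINDOW = timedelta(days=14)   # assumed hold period after a change


@dataclass
class Event:
    ts: datetime
    grant: str
    kind: str            # user_added | user_deleted | bank_change | payment_request
    actor: str           # account that performed the action
    detail: dict = field(default_factory=dict)


@dataclass
class Decision:
    grant: str
    action: str          # "release" or "hold"
    reasons: list


def evaluate_payment(history, request):
    """Apply three takeover rules to a payment_request event.

    Any hit yields a hold; the reasons list is what an analyst, PSC leadership
    or the grant-awarding agency would be shown when the hold is escalated.
    """
    assert request.kind == "payment_request"
    start = request.ts - VERIFICATION_WINDOW
    recent = [e for e in history
              if e.grant == request.grant and start <= e.ts <= request.ts]
    reasons = []
    for e in recent:
        # Rule 1: payee bank account changed and not verified out of band
        # (a call to the contact already on file, not to a number in the request).
        if e.kind == "bank_change" and not e.detail.get("verified_oob", False):
            reasons.append(f"unverified bank change on {e.ts:%Y-%m-%d} by {e.actor}")
        # Rule 2: the user asking for money was created inside the window.
        if e.kind == "user_added" and e.detail.get("user") == request.actor:
            reasons.append(f"requesting user {request.actor} added on {e.ts:%Y-%m-%d}")
        # Rule 3: a pre-existing user was removed inside the window, the
        # signature of the takeover the audit describes.
        if e.kind == "user_deleted":
            reasons.append(f"user {e.detail.get('user')} deleted on "
                           f"{e.ts:%Y-%m-%d} by {e.actor}")
    return Decision(request.grant, "hold" if reasons else "release", reasons)


def build_sample_history():
    """Constructed events: one legitimate account change, one takeover."""
    def d(s):
        return datetime.strptime(s, "%Y-%m-%d")
    return [
        # Grant G-100: long-standing user changes the bank account; PSC verifies
        # it by calling the contact on file before any payment is released.
        Event(d("2023-03-01"), "G-100", "bank_change", "cfo@grantee-one.example",
              {"verified_oob": True}),
        Event(d("2023-03-05"), "G-100", "payment_request", "cfo@grantee-one.example",
              {"amount": 250000}),
        # Grant G-200: lookalike address ("tvvo" for "two") gains access, deletes
        # the real user, reroutes the bank account and requests a withdrawal.
        Event(d("2023-03-02"), "G-200", "user_added", "finance@grantee-tvvo.example",
              {"user": "finance@grantee-tvvo.example"}),
        Event(d("2023-03-03"), "G-200", "user_deleted", "finance@grantee-tvvo.example",
              {"user": "finance@grantee-two.example"}),
        Event(d("2023-03-04"), "G-200", "bank_change", "finance@grantee-tvvo.example",
              {"verified_oob": False}),
        Event(d("2023-03-06"), "G-200", "payment_request", "finance@grantee-tvvo.example",
              {"amount": 643733}),
    ]


def run_controls(history):
    """Evaluate every payment_request in the history; returns decisions by grant."""
    return {e.grant: evaluate_payment(history, e)
            for e in history if e.kind == "payment_request"}


if __name__ == "__main__":
    for grant, decision in run_controls(build_sample_history()).items():
        print(grant, decision.action, *decision.reasons, sep="\n  ")
```

The point of the model is that the hold is decided from account history, not from the content of the request: an attacker who controls the only remaining user on a grant can make any request look routine, but cannot erase the fact that a user was deleted and a bank account changed days earlier. The reasons attached to a hold double as the escalation record the audit found missing.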
PSC concurred with all of OIG's recommendations and said it was working to implement the suggestions.
Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.