In a newly released report, the Treasury Inspector General for Tax Administration concluded that the system for calculating subsidies for individuals to purchase insurance through President Obama's health care law didn't have adequate measures in place to minimize security risks and prevent fraud.
Failure to address the issues could result in tax fraud and the issuance of “erroneous refunds,” the report warned.
The IG, the official watchdog for the Internal Revenue Service, issued the report on Sept. 27, days before the rocky Oct. 1 launch of Obamacare's insurance exchanges. It was first made public Tuesday.
As part of the health care law, individuals earning up to about $46,000 may qualify for subsidies toward the purchase of insurance. When an individual visits a health exchange website to shop for insurance and provides personal information, a data hub developed by the Department of Health and Human Services must interact behind the scenes with IRS computer systems to calculate subsidies.
But the IG report said the systems did not meet security standards.
“(D)uring the Security Control Assessment, some critical (Affordable Care Act) infrastructure components included in the 12 security controls failed because they did not contain the appropriate baseline configurations and mandatory configuration settings as required by the National Institute of Standards and Technology and Internal Revenue Manual guidelines.”
The IG report noted, “We requested additional information on the corrective actions for the failed test controls. However, IT Cybersecurity organization management could not provide documentation to verify the corrective measures during our audit fieldwork. As a result, we are concerned that known risks associated with component misconfigurations might not have been mitigated for the (Premium Tax Credit) Project.”
“Premium tax credit” is a more formal name for the subsidies to help lower-income individuals purchase insurance.
The IRS disagreed with the IG's call for an “action plan,” but the IG countered that it was “needed to ensure that the IRS is addressing the vulnerabilities in information systems that can be traced to software flaws and misconfigurations of system components for the (Premium Tax Credit) Project and across other information technology projects being developed by the ACA Program.”
Furthermore, the IG warned that there weren’t enough measures in place to guard against individuals taking advantage of the health care law to perpetrate tax fraud.
“Without a fraud detection and mitigation strategy, the ACA Program may not have assurances that ACA systems adequately address emerging fraud control requirements,” the report read. “Further, without adequate fraud mitigation controls, the IRS may be unable to identify ACA refund fraud or schemes prior to the issuance of erroneous refunds.”
In a statement published by Bloomberg, the IRS insisted that its security measures have improved since the IG completed its audit.
“The IRS has a strong, effective system in place for administering the premium tax credit,” Bloomberg quoted IRS Commissioner Danny Werfel as saying.