FORENSIC LEGIBILITY EXAMINER
CASE 112 | EVIDENCE & FORENSIC HANDLING | 2026-04-28
DISPOSITION: PROVIDER IDENTITY CREDENTIAL ACCEPTED WITHOUT INDEPENDENT VERIFICATION OF SUBMITTING ENTITY AT POINT OF EFT AUTHORIZATION

Medicare and Medicaid Provider Payment Diversion Authority Failure Through EFT Authorization Requests Accepted Without Independent Verification of Submitting Entity Identity

When a Medicare or Medicaid payor receives a request to change the electronic funds transfer account for an enrolled provider, the enrolled credential authorizes the provider to receive payment. It does not encode the correspondence between the provider and the entity submitting the change request. The credential was accepted as proof of that correspondence. It is not. The credential establishes that a provider is enrolled. It does not establish that the entity invoking the credential at the moment of the EFT request is the enrolled provider. When individuals impersonating enrolled providers submitted fraudulent EFT authorization requests, payment followed the asserted identity. The enrolled providers received nothing. The credential moved. The correspondence between the credential and the actual provider did not move with it.
Failure classification: Provider Enrollment Credential Accepted as Proof of Submitting Entity Identity Without Correspondence Verification at Point of EFT Authorization Request

Context

Medicare and Medicaid provider enrollment assigns each participating provider a credential — a record establishing that a specific entity is authorized to receive program payments at a designated account. When a provider needs to change the account to which payments are directed, they submit an electronic funds transfer authorization request to the relevant payor. The payor processes the request, updates the payment destination, and future payments flow to the new account. The system is designed to be responsive to legitimate provider needs: practices change banks, consolidate accounts, update banking relationships. The update mechanism is a necessary operational feature of a payment system serving hundreds of thousands of enrolled providers.

The credential that authorizes a provider to receive Medicare and Medicaid payments does not encode the conditions under which an EFT change request is permissible. It encodes the provider's authorization to receive payment. The relying party — the payor processing the EFT change request — accepts the credential as establishing that authorization. What the credential does not establish, and what the payment system did not independently verify, is whether the entity submitting the EFT change request is the enrolled provider. That correspondence was assumed. It was not verified.

Trigger

OIG's March 2025 report documented a fraud scheme in which individuals impersonating enrolled hospital providers submitted fraudulent EFT authorization requests to Medicare and Medicaid payors. Using information about enrolled providers — provider identifiers, organizational names, contact details available through public enrollment data — the actors constructed requests that appeared to originate from legitimate providers. Two-thirds of payors surveyed reported being targeted. The HHS Payment Management System, which processes grant disbursements across federal health programs, sustained millions in losses in 2023 when compromised email accounts were used to submit fraudulent EFT change requests that successfully redirected payments.

The scheme did not require the actors to penetrate enrollment systems, forge credentials, or compromise provider records. It required only that they assert the enrolled provider's identity through a submission channel that the payor treated as sufficient proof of correspondence. The enrolled credential did the rest. Once the EFT change request was accepted, payments were redirected. The enrolled provider's credential authorized the payment. The enrolled provider received none of it.

Failure Condition

The enrolled provider credential establishes authorization to receive payment. It does not establish correspondence between the credential and the entity invoking it at the moment of an EFT change request. The payor processing the request accepted the asserted provider identity — transmitted through an email channel — as sufficient to authorize the account change. No independent verification confirmed that the submitting entity was the enrolled provider. The gap between credential existence and credential correspondence is the mechanism of failure.

This is a correspondence failure at the point of reliance. The credential was valid. The provider was enrolled. The authorization to receive payment was real. What was not verified — and what the payment system had no mechanism to verify — was whether the entity submitting the change request held any relationship to the enrolled provider whose identity it asserted. An email-based submission channel carries no cryptographic binding between the sender and the enrolled entity: sender authentication such as SPF, DKIM and DMARC binds a message at most to a sending domain or mailbox, never to the enrolled provider, and a compromised mailbox passes all three, which is how the 2023 Payment Management System losses occurred. A request that correctly identifies the provider is indistinguishable, at the point of processing, from a request submitted by the enrolled provider itself. The system had no way to tell them apart. It treated them as identical. They were not.

The fraudulent EFT requests succeeded not because the credential system was breached, but because the credential system was never asked to verify what it was being used to assert. The enrolled credential authorized payment to the enrolled provider. It did not authorize payment to whoever successfully claimed to be the enrolled provider through an unverified channel. That distinction was not encoded in the system. It was not enforced at the point of the EFT change request. The payment followed the assertion.

Observed Response

OIG issued recommendations in its March 2025 report targeting the verification gap at EFT authorization. The recommendations included enhanced identity verification requirements for EFT change requests, out-of-band confirmation procedures to verify that change requests originate from the enrolled provider, and review of submission channel controls across Medicare and Medicaid payment systems. The HHS Payment Management System implemented additional controls following the 2023 losses. As of the report's publication, two-thirds of surveyed payors had been targeted, and the structural condition — provider enrollment credentials accepted as proof of submitting entity identity without independent correspondence verification — remained present across the broader payment infrastructure.
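
As an added example (not code from the OIG report, CMS, or any payor system), the following Python models the two processing paths that the Failure Condition and Observed Response sections describe: a vulnerable payor that switches the payment account as soon as the asserted provider identifier and name match an enrolled record, and a hardened payor that first checks a signature made with a key assumed to have been issued at enrollment, then holds the change until a confirmation code delivered to the contact of record (taken from the enrollment record, never from the request) is returned. The provider identifier, organization name, account strings, contact number and signing key are all constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Optional

@dataclass
class Enrollment:
    """Provider record as the payor holds it after enrollment (all values constructed)."""
    provider_id: str        # stand-in for the enrolled identifier, not a real NPI
    legal_name: str
    payment_account: str
    contact_of_record: str  # verified at enrollment; the only destination for confirmations
    signing_key: bytes      # secret issued at enrollment: an assumption, not a CMS mechanism

@dataclass
class EftChangeRequest:
    """What arrives over the submission channel; every field is under the submitter's control."""
    provider_id: str
    legal_name: str
    new_account: str
    reply_to: str           # channel the submitter asks to be contacted on
    signature: Optional[bytes] = None

def request_digest(req: EftChangeRequest) -> bytes:
    return f"{req.provider_id}|{req.new_account}".encode()

def sign_request(req: EftChangeRequest, key: bytes) -> EftChangeRequest:
    """Bind the request to the enrolled credential: HMAC over the fields that move money."""
    req.signature = hmac.new(key, request_digest(req), hashlib.sha256).digest()
    return req

class Payor:
    def __init__(self, enrollments, notify: Callable[[str, str], None]):
        self.enrollments = {e.provider_id: e for e in enrollments}
        self.notify = notify  # out-of-band delivery (phone, postal mail); injected so it can be captured
        self.pending = {}     # provider_id -> (confirmation code, account awaiting confirmation)

    # Vulnerable path: matching public enrollment data is taken as proof of who is asking.
    def process_vulnerable(self, req: EftChangeRequest) -> str:
        e = self.enrollments.get(req.provider_id)
        if e is None or e.legal_name != req.legal_name:
            return "rejected: no matching enrollment"
        e.payment_account = req.new_account  # payment follows the assertion
        return "accepted"

    # Hardened path: bind to the credential first, then confirm through a separate channel.
    def process_hardened(self, req: EftChangeRequest) -> str:
        e = self.enrollments.get(req.provider_id)
        if e is None:
            return "rejected: no matching enrollment"
        expected = hmac.new(e.signing_key, request_digest(req), hashlib.sha256).digest()
        if req.signature is None or not hmac.compare_digest(expected, req.signature):
            return "rejected: request not bound to enrolled credential"
        code = secrets.token_hex(4)
        self.pending[req.provider_id] = (code, req.new_account)
        self.notify(e.contact_of_record, code)  # contact of record, never req.reply_to
        return "pending: confirmation sent to contact of record"

    def confirm(self, provider_id: str, code: str) -> str:
        entry = self.pending.get(provider_id)
        if entry is None:
            return "rejected: nothing pending"
        expected_code, new_account = entry
        if not hmac.compare_digest(expected_code, code):
            return "rejected: confirmation code mismatch"
        self.enrollments[provider_id].payment_account = new_account
        del self.pending[provider_id]
        return "applied"

def run_scenario() -> dict:
    """Replay an impersonation against both paths and return every outcome for inspection."""
    deliveries = []  # captured out-of-band messages as (destination, code)
    key = b"constructed-enrollment-secret"
    def enrolled() -> Enrollment:
        return Enrollment("0000000001", "Example Hospital", "ACCT-ORIGINAL", "+1-555-0100", key)
    # Impersonator: has the public identifier and name, controls reply_to, holds no key.
    forged = EftChangeRequest("0000000001", "Example Hospital", "ACCT-ATTACKER", "billing@invoices.example.test")
    guessed = EftChangeRequest("0000000001", "Example Hospital", "ACCT-ATTACKER", "billing@invoices.example.test",
                               signature=secrets.token_bytes(32))
    # Genuine provider: signs with the enrollment key, then answers the out-of-band code.
    legit = sign_request(EftChangeRequest("0000000001", "Example Hospital", "ACCT-NEWBANK", "+1-555-0100"), key)
    vuln = Payor([enrolled()], lambda dest, code: deliveries.append((dest, code)))
    hard = Payor([enrolled()], lambda dest, code: deliveries.append((dest, code)))
    out = {
        "vulnerable": vuln.process_vulnerable(forged),
        "vulnerable_account": vuln.enrollments["0000000001"].payment_account,
        "hardened_forged": hard.process_hardened(forged),
        "hardened_guessed": hard.process_hardened(guessed),
        "hardened_legit": hard.process_hardened(legit),
    }
    out["oob_destination"], code = deliveries[-1]
    out["bad_confirm"] = hard.confirm("0000000001", "not-the-code")
    out["good_confirm"] = hard.confirm("0000000001", code)
    out["hardened_account"] = hard.enrollments["0000000001"].payment_account
    return out

if __name__ == "__main__":
    print(run_scenario())
```

The separate-channel requirement is the part that matters against a compromised mailbox: if the request arrived by email, the confirmation must go to the phone number or mailing address on file, not to any email address, or the actor who already controls the mailbox completes the loop themselves. The enrollment-time signing key is an assumption standing in for whatever authenticated submission channel a payor actually operates; the point it illustrates is that the binding must be to something the enrolled provider holds, not to information any requester can copy from public enrollment data.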

Analytical Findings

  • Two-thirds of Medicare and Medicaid payors surveyed by OIG reported being targeted by fraudulent EFT authorization schemes in which actors impersonated enrolled providers to redirect payments — the enrolled credential authorized payment; it did not verify who was invoking it
  • The HHS Payment Management System sustained millions in losses in 2023 through compromised email accounts used to submit EFT change requests; the submission channel carried no cryptographic binding between the sender and the enrolled provider identity
  • The fraud scheme required no breach of enrollment systems and no credential forgery — it required only that an actor successfully assert an enrolled provider's identity through a submission channel the payor accepted as sufficient proof of correspondence
  • The structural condition is a correspondence failure at the point of reliance: the credential established that the provider was enrolled and authorized to receive payment; it did not establish that the entity submitting the EFT change request was that provider
  • Out-of-band confirmation — independent verification that the change request originated from the enrolled provider through a channel separate from the submission channel — was not a standard requirement across the surveyed payors at the time of the OIG review
  • The payment system had no mechanism to distinguish between a request submitted by an enrolled provider and a request submitted by an actor who correctly identified the enrolled provider; both produced the same output — a redirected payment

References
  1. U.S. Department of Health and Human Services, Office of Inspector General, Medicare and Medicaid: Safeguards Are Needed to Protect Provider Payments From Electronic Funds Transfer Fraud, OEI-09-21-00540, March 2025.
  2. HHS Payment Management System operational review, internal findings referenced in OIG report OEI-09-21-00540, covering 2023 losses through compromised email accounts.
  3. Centers for Medicare & Medicaid Services, provider enrollment and EFT authorization procedures, 42 C.F.R. Part 424, Subpart P.
  4. CMS Internet-Based PECOS system documentation and EFT enrollment form CMS-588, governing electronic funds transfer authorization for Medicare providers.