The Government Accountability Office (GAO)’s latest report on Obamacare’s advance premium tax credit (APTC) program shows how easily the system can be gamed and how slow the federal government is to close loopholes.  The review found widespread fraud and abuse risks, more than a decade after the system launched and years after prior GAO warnings.  An APTC is essentially a government coupon associated with the Patient Protection and Affordable Care Act (Obamacare) that helps people pay their monthly Obamacare health insurance bill in advance.

The most striking numbers in the 26-page report are the huge pools of money that had “no evidence of reconciliation” or were linked to highly suspicious SSN usage.  When the GAO compared federal Marketplace data for plan year 2023 with IRS reconciliation records for tax year 2023, it “could not identify evidence of reconciliation ... for over $21 billion in APTC” tied to enrollees who had provided a Social Security number (SSN).  That amount represented about 32 percent of APTC paid on behalf of those enrollees that year.

The GAO’s preliminary analysis also found that in plan year 2023, around 60,000 SSNs that received APTC appeared in SSA’s death records, roughly 0.42 percent of all SSNs with subsidies that year.  To focus on the clearest problems, the GAO narrowed that group to about 26,000 SSNs in two categories and calculated that CMS “paid over $94 million in APTC for households with at least one match across these two scenarios.”

One set of cases showed more than 7,000 SSNs had a reported date of death before marketplace enrollment, yet marketplace records still matched the death file on the SSN plus name or birth information.  In the other, over 19,000 SSNs matched the death file only on the SSN, with different names and birth dates in the marketplace — patterns the GAO says “could represent synthetic identity fraud.”

Behind those numbers, auditors used a mix of large-scale data analytics and old-fashioned undercover work.  They pulled real enrollment and tax records, matched Marketplace SSNs against death files and IRS data, and evaluated how the Centers for Medicare & Medicaid Services manages fraud risk across a program that paid nearly $124 billion in subsidies for about 19.5 million people in plan year 2024.

Methodology

Investigators ran covert testing of the program, creating fake consumers with fictitious names, birthdays, and addresses.  They then paired those identities with SSNs that had never been used or did not belong to the applicant and watched what unfolded when those fake customers tried to get subsidized insurance.

The covert testing focused on the federal Marketplace for late 2024 and plan year 2025.  Investigators first filed four applications in October 2024, outside the usual open enrollment window, using a special low-income enrollment period.  The GAO says, “The combined total amount of APTC paid to insurance companies for all four fictitious enrollees was about $2,350 per month.”

For plan year 2025, the GAO expanded testing to 20 fictitious applicants, including the original four.  The Marketplace initially approved 19 out of 20 for subsidized coverage.  One application was dropped when the assisting broker stopped responding, and one enrollee later lost coverage after the GAO refused to supply requested documentation.  As of September 2025, however, 18 fictitious enrollees were still receiving subsidized coverage, with combined APTC “over $10,000 per month.”

The GAO notes that these test cases are not statistically representative of all enrollees but are consistent with similar undercover work conducted for the 2014–2016 coverage years, indicating that basic weaknesses in identity verification, document verification, and income checks have persisted for nearly a decade.

Targeted fixes

CMS has responded with targeted fixes.  Starting in 2024, the agency required “verifiable SSNs on applications submitted ... through [enhanced direct enrollment] systems,” an attempt to stop agents and brokers from pushing through policies using bogus or stolen numbers.  Agents and brokers are paid by insurers rather than by CMS and therefore have strong incentives to maximize enrollments.  Most federal Marketplace enrollments now involve agents or brokers through private enrollment pathways.

In July 2024, CMS began blocking plan changes by agents or brokers who were not already associated with an enrollee’s coverage unless the consumer participates in a three-way call with the Marketplace Call Center and the new agent, a safeguard meant to prevent account takeovers behind the scenes.

CMS also ended the low-income special enrollment period that the GAO used in its 2024 undercover tests.  As of August 25, 2025, consumers can no longer qualify for year-round enrollment simply by self-attesting to income below 150 percent of the federal poverty level, closing an easy on-ramp that fraudsters and aggressive brokers could exploit.

But the GAO concludes that CMS’s overall fraud-risk framework has not kept pace with the money at stake.  CMS last performed a fraud risk assessment for APTC in November 2018 and has not updated it despite major shifts in program size and controls.  At that time, CMS estimated APTC outlays at just over $53 billion; by 2024, the figure had climbed to nearly $124 billion.  CMS documented its findings in a fraud-risk profile but, according to GAO, “did not develop a formal antifraud strategy for APTC” that ties specific controls to the highest-priority risks.

How does APTC work?

The customer buys a health plan on Healthcare.gov or a state Obamacare “Marketplace.”  The government then relies on what the individual predicts his income will be for the coming year.  If that estimate is low to middle income, he qualifies for help — and the lower the income, the bigger the subsidy.  Instead of paying him, the government sends monthly APTC payments straight to the insurer, cutting the premium, sometimes to almost nothing.

At tax time, the enrollee is supposed to settle with the IRS.  The IRS compares how much APTC it paid during the year with how much he actually should have received based on final income.  If the subsidy was too high, he owes money back; if it was too low, he gets a refund.

What could possibly go wrong?  Plenty, the GAO suggests.

Self-reported future income.  If no one checks the estimate up front, fraudsters can understate income to get larger subsidies — or claim income so low that coverage is nearly free.  The government can end up paying all year on bogus numbers.

Assumes tax filing and enforcement.  If people don’t file, or enforcement is weak, the government has already paid the insurer and has little chance of clawing the money back.  Fraudsters can simply never reconcile and walk away with free coverage.

Payments go straight to insurers.  The person whose name or SSN is used never sees the funds, so the fraud is less obvious.  Someone can enroll you without consent, collect broker commissions, or use your identity for coverage.  Many victims notice only at tax time or when a confusing letter arrives.

SSN-based system.  Fraudsters can use stolen SSNs or build synthetic identities (fake name and birth date with a real SSN) and reuse numbers across applications if the system doesn’t block duplicates.

Broker incentives.  Because agents and brokers are paid per enrollee, they can profit by churning people through policies — enrolling them without consent, switching plans to trigger new commissions, or tweaking income to boost subsidies.  CMS’s three-way call rule is meant to put the consumer back in the loop.

Complex rules and weak understanding.  The rules are dense and enforcement uneven.  Many people don’t realize they must reconcile at tax time or report mid-year changes, giving fraudsters room to operate.

Scale.  APTC’s size, tens of billions of dollars, and millions of records make it a prime target.  No one can manually review every file.  If automated checks are incomplete or outdated, as the GAO’s repeated successes with fictitious SSNs suggest, fraud and abuse can flourish in the background.

Image: Gage Skidmore via Flickr, CC BY-SA 2.0.