The most consequential data-quality failures occurred where Medicaid agencies transitioned information from operational systems or partner organizations into formal financial reporting without a complete reconciliation. Across 18 reports and 26 supplied findings, auditors repeatedly identified missing records, invalid data transfers, unverified payment submissions, and late or incomplete reporting of identified overpayments.
The evidence includes large, separately reported improper amounts: a multi-state federal review found a net $61.8 million underreporting of the federal share of certain Medicaid collections, while North Carolina should have reported and returned $41.4 million in Medicaid overpayments for 12 Medicaid Fraud Control Unit (MFCU) cases in fiscal years 2020–2021. In North Carolina, some cases were omitted from reporting, while others were reported outside required timeframes. These figures should not be combined with each other or with other amounts because they concern different populations and reporting periods. [Report 44] [Report 55]
The recurring pattern is less about a single faulty report than about weak control points between source data, processing systems, and oversight reporting. The highest-priority audit targets are reconciliations of MFCU cases to Form CMS-64 reporting, federal-share calculations, overpayment classification and timeliness, managed-care pharmacy-payment reporting, eligibility-system edits, and the interfaces that move claims and electronic visit verification data into oversight records.
In Medicaid, reports and data submissions drive federal claiming, payment recovery, eligibility determinations, managed-care oversight, and program-integrity measurement. A missing case file, an invalid procedure-code combination, or a late report can therefore have consequences beyond a flawed spreadsheet: it can obscure a recovery, sustain inaccurate eligibility, or prevent an agency from validating what it paid.
The audits reviewed here show several ways the risk appears in practice. Source service logs may not reconcile to claims; a system may accept incomplete or inaccurate eligibility inputs; a pharmacy benefit manager (PBM) may aggregate Medicaid and non-Medicaid data in a way that prevents validation; or an identified overpayment may not reach the reporting process promptly or in the correct form.
This review uses 18 Medicaid audit reports and 26 supplied findings published from 2018 through 2025. The detailed findings come from 11 of the 18 scoped reports and include state audits, U.S. Department of Health and Human Services Office of Inspector General (HHS-OIG) reviews, and a U.S. Government Accountability Office (GAO) review.
Direct evidence consists of the auditors’ documented findings and recommendations. Dollar figures are presented only where the underlying analysis classifies them as identified improper amounts or payments reviewed. Broader Medicaid program conditions and unquantified downstream effects are not treated as financial losses.
Claims, electronic visit verification, and managed-care submissions often lacked independent completeness checks
This is the broadest pattern, supported by three reports across Kansas, New York, and Illinois. The common weakness was failure to reconcile operational records to the data used for payment or oversight.
The Kansas Office of the Medicaid Inspector General’s School-Based Fee-for-Service Medicaid Reimbursements audit found 203 missing claims across two local education agencies (LEAs). One LEA missed 10 months of claims, or 40% of the audit period, while another missed seven months, or 28%. The audit linked the omissions to under-billing and called for reconciliation of logs, claims, and individualized education programs. [Report 82]
New York’s Comptroller found that electronic visit verification (EVV) records were not consistently copied from the EVV History Table to the EVV Crosswalk Table and included procedure-code/modifier mismatches and invalid combinations. Illinois’s Auditor General separately found that the state agency had not performed on-site reviews or verified the accuracy of reported managed-care organization (MCO) payment data. [Report 103] [Report 23] Together, these audits show that submitted data cannot be assumed complete merely because it exists in a reporting system.
Eligibility systems and long-term-care reports remained vulnerable to incomplete inputs and delayed corrections
Supported by two reports in Illinois and Oregon, this theme shows how data-quality defects can originate during eligibility processing and persist into management reporting. The key risk is that systems may capture required fields without ensuring that the underlying values are accurate, current, or fully reflected in reports.
The Oregon Secretary of State’s The Oregon Eligibility System Appropriately Determines Eligibility, But Input Errors Continue to Occur found that automated controls did not adequately govern input accuracy outside required-field checks. Testing identified residency and income errors, including 156 residency-related instances in which a change should have ended eligibility and 29 cases in which workers did not rerun eligibility after a residency change. [Report 87]
Illinois’s Auditor General found internal-control and data-completeness issues in the Integrated Eligibility System, including incomplete tracking of extensions and disability status. Its Performance Audit of Medicaid Eligibility Determinations for Long-Term Care also found inaccurate and incomplete long-term-care reports, missing elements, and posting delays. [Report 35] The combined lesson is that eligibility-data reliability depends on both transaction edits and controls that ensure report production is complete and timely.
Governance problems weakened the credibility of oversight reporting before it reached decision-makers
This is a two-report, state-and-national body of evidence: one Utah audit and one national GAO review. It does not establish a uniform national condition, but both reports point to weaknesses in the governance needed to make oversight information reliable and usable.
The Utah Office of the Legislative Auditor General’s A Performance Audit of the Office of Inspector General of Medicaid Services found that elements of external reporting lacked accuracy and transparency. The audit called for formalized reporting processes, accurate and complete metrics, and documented assumptions and methodology for any cost-avoidance measure. [Report 125]
GAO’s national Medicaid Managed Care Improvements Needed to Better Oversee Payment Risks identified challenges in program-integrity oversight involving resource allocation, data quality, and policy adequacy. [Report 28] Taken together, the reports suggest that agencies should examine not only data fields and calculations, but also who owns a metric, how its methodology is approved, and whether oversight functions have sufficient audit access.
This detailed, single-state audit contained five findings and material noncompliance. The principal weakness was the absence of a controlled reconciliation between MFCU-determined overpayment cases and the agency’s Form CMS-64 reporting and federal-share return process.
HHS-OIG’s North Carolina Did Not Report and Return All Medicaid Overpayments for the State’s Medicaid Fraud Control Unit Cases found that the agency relied on the MFCU to provide case files and overpayment information but lacked procedures to ensure all files were transmitted. The MFCU was also unaware that reporting could be required even if no payment occurred. [Report 55]
For fiscal years 2020 and 2021, the agency should have reported MFCU-determined overpayments totaling $41,383,314 for 12 cases, including a $27,495,987 federal share. Seven cases totaling $30,352,630 were not reported and returned; five cases totaling $11,003,651 were not reported and returned within required timeframes, with one case counted in both categories. [Report 55] This is a clear example of how an incomplete handoff process can create both completeness and timeliness failures.
Based on one detailed Texas managed-care audit, this theme concerns transparency rather than a documented improper-payment total. When reported pharmacy expenses do not reflect final amounts retained by providers, agencies cannot readily validate data used for rate setting and rebates.
The Texas State Auditor’s Office found that Blue Cross Blue Shield of Texas reported $26.4 million in fiscal-year 2018 pharmacy expenses that did not reflect funds pharmacies were required to return to the PBM. The return-of-funds approach used an effective-rate methodology that aggregated Medicaid and non-Medicaid claims, limiting price transparency and complicating validation. [Report 7]
The same audit found that encounter data omitted returned funds and that the PBM methodology did not identify the portion attributable to STAR Kids or other Medicaid programs. Although the audit reported $109.1 million in accurately supported STAR Kids medical expenses, that amount is payment volume, not a loss estimate. [Report 7] The risk is that financial reporting may appear complete while the data needed to validate final pharmacy payments is unavailable.
This is a distinct single-report Colorado finding. It matters because eventual reporting does not eliminate the compliance and financial consequences of reporting outside required timeframes.
The Colorado HHS-OIG audit found that $12,711,166 in Medicaid overpayments was reported, but not reported timely, during the October 2014 through December 2020 review period. The associated federal share was $8,465,227. [Report 98]
This finding is analytically separate from the $673,686 federal-share amount associated with unreported cases and should not be added to it without an overlap assessment. [Report 98] It reinforces the need for aging reports, escalation thresholds, and documented resolution of overdue reporting items.
The recurring control failure is broken data lineage. Information moved from MFCUs, providers, PBMs, eligibility workers, or operational systems into formal oversight reporting without a reliable mechanism to prove that the population was complete, the data was valid, and exceptions were resolved.
Weaknesses compound one another. Missing claims reduce payment-data completeness; invalid EVV records undermine the service record behind claims; incomplete eligibility inputs can affect both determinations and downstream reports; and poorly controlled recovery workflows can transform a valid overpayment identification into an omitted, misclassified, or late federal return.
The Oregon and Colorado audits indicate a need for system-enforced validations, exception queues, supervisory review evidence, and independent reconciliations. They do not establish that training was attempted and proved insufficient. [Report 87] [Report 98]
The strongest quantified amounts are auditor-identified improper reporting amounts, but they describe separate populations and periods and must not be summed into a headline total.
- Identified improper amounts: HHS-OIG found a net $61,792,714 federal-share underreporting across 12 of 13 selected states during the increased COVID-19 FMAP period. [Report 44]
- Identified improper amounts: North Carolina should have reported MFCU-determined overpayments totaling $41,383,314 for 12 cases in fiscal years 2020–2021; the reported federal share was $27,495,987. Omitted and late cases partially overlap. [Report 55]
- Identified improper amounts: Colorado had $673,686 in federal share associated with unreported overpayments in 80 of 403 reviewed cases, and separately reported $12,711,166 in overpayments late. [Report 98]
- Payments reviewed, not loss estimates: Texas reported $26.4 million in pharmacy expenses that did not reflect final pharmacy payments and $109.1 million in supported medical expenses for fiscal year 2018. These figures describe reported payment amounts, not identified improper payments. [Report 7]
- Reconcile the full MFCU overpayment population to agency receipt, recovery, Form CMS-64, and federal-return records; test omissions, late reports, and unresolved differences. Derived from source-audit recommendations. This directly addresses North Carolina’s incomplete case-file transfer and reporting process. [Report 55]
- Recalculate the federal share for sampled Medicaid collections using the applicable FMAP; reconcile inputs, outputs, submitted reports, and corrections. Derived from source-audit recommendations. This tests the calculation failure identified in the multi-state COVID-19 FMAP review. [Report 44]
- Trace a risk-based sample of overpayments from identification through recovery, feeder-form selection, interest treatment, CMS-64 reporting, and federal return. Derived from source-audit recommendations. Prioritize older, high-dollar, and overdue cases. [Report 98]
- Reconcile MCO financial statistical reports and encounter data to PBM remittances, returned funds, and final pharmacy-payment records; test whether Medicaid amounts are separable from other lines of business. Derived from source-audit recommendations. [Report 7]
- Test eligibility changes involving residency, income, household composition, disability status, and extensions for system edits, required reruns, and accurate long-term-care reporting. Derived from source-audit recommendations. [Report 35] [Report 87]
- Perform recurring reconciliations among service logs, claims, EVV history and crosswalk tables, code/modifier reference lists, and MCO payment submissions. Derived from source-audit recommendations. Investigate missing months, rejected records, invalid codes, and unmatched items. [Report 23] [Report 82] [Report 103]
- Test external program-integrity metrics for documented sources, calculations, assumptions, review evidence, and disclosed limitations; assess whether audit-access or staffing constraints limit coverage. Derived from source-audit recommendations. [Report 28] [Report 125]
- Can the agency demonstrate that every MFCU-determined overpayment case reached the CMS-64 reporting workflow, including cases without an immediate payment?
- Which reports rely on manual calculations, manually maintained reference tables, or data transfers without automated completeness checks?
- Are overdue overpayments visible in an aging report with assigned owners, escalation dates, and evidence of resolution?
- Can the agency trace reported MCO and PBM pharmacy expenses to final provider-retained amounts and isolate Medicaid activity from other lines of business?
- Which eligibility changes should force a rerun, and does the system technically enforce that requirement?
- Who certifies the methodology and completeness of external program-integrity metrics before publication?
This review draws on 18 of the 108 active reports in the database, covering California, Florida, Illinois, Kansas, Massachusetts, New Jersey, New York, Oregon, Texas, Utah, and federal reviews, published from 2018 through 2025. Detailed findings were supplied for 11 scoped reports.
The scoped findings are not statistically representative of all Medicaid programs. Several themes are based on one detailed audit, while the claims, EVV, and MCO-data theme spans three reports. Financial amounts are presented separately because available data does not establish overlap relationships sufficient for aggregation.
Evidence register
Sources referenced
- Report ID
- REPORT 7
- Report ID
- REPORT 23
- Report ID
- REPORT 28
- Report ID
- REPORT 35
- Report ID
- REPORT 44
- Report ID
- REPORT 55
- Report ID
- REPORT 82
- Report ID
- REPORT 87
- Report ID
- REPORT 98
- Report ID
- REPORT 103
- Report ID
- REPORT 125