Why This Matters Health savings accounts (HSA) allow eligible people to save funds tax-free to pay for qualified medical expenses and can earn interest, be invested, and be carried into retirement. In 2023, HSAs held about $123 billion in assets. Some policymakers have raised concerns that wealthier people may use HSAs to accumulate tax-free savings and people with lower incomes may lack the funds to contribute. GAO Key Takeaways To open or contribute to an HSA, an individual must be enrolled in an HSA-eligible high-deductible health plan. These plans have relatively high deductibles, but often lower premiums and may be available to individuals through their employers, health insurance marketplaces, or issuers. Of the nine HSA providers we interviewed, eight focused their marketing efforts on employers, and all had at least one fee associated with their HSA that account holders may have to pay. In 2022, an estimated $43.6 billion in contributions and $25.4 billion in withdrawals were reported among the 16.5 million tax returns reporting HSA activity, according to Internal Revenue Service (IRS) data. Of the reported contributions, about 84 percent were from an employer or employee through payroll deductions, and 16 percent were from individuals directly to their HSAs. Of the reported withdrawals, over 97 percent were for qualified medical expenses; the remaining were for non-qualified expenses—such as groceries—that are subject to taxes. We found that, among individuals in plans with high deductibles, HSAs and similar medical expense accounts were more common among those with higher incomes, Asian or White individuals, those in excellent or very good health, and those with employer-sponsored plans.  Total Health Savings Account Contributions and Withdrawals by Type, 2022 Note: Internal Revenue Service data from 2022 was the most recent year available at the time of our review. How GAO Did This Study We obtained responses from nine HSA providers that varied by size and geography. We also reviewed information from federal agencies, including the IRS and Centers for Disease Control and Prevention, and from stakeholder groups, including those representing consumers and industry. For more information, contact John E. Dicken at dickenj@gao.gov.

What GAO Found Following Russia’s 2022 full-scale invasion, donors of recovery assistance, including the U.S., aimed to help Ukraine build a strong economy and stable democracy on a path to European Union membership. As of December 2024, donors reported having collectively committed more than $130 billion in loans and grants for these objectives. Donors linked their assistance to Ukraine’s implementation of reforms, such as governance for state-owned enterprises. From February 2022 through December 2024, the Department of State successfully facilitated interagency collaboration as it led early recovery planning for Ukraine but did not fully develop ways to measure progress toward U.S. goals or estimate costs for its assistance strategy. The strategy does not contain indicators for measuring progress toward strategic goals, though State officials said they intended to develop them. In addition, State had not determined the funding resources needed to achieve these goals. Doing so would give the U.S. information it needs to make the most effective use of any future recovery assistance it provides to Ukraine. Through December 2024, donors and the government of Ukraine (GoU) used a coordination mechanism called the Ukraine Donor Platform to support collaborative decisions and generate support for key recovery initiatives. These initiatives included financing and technical assistance to enhance Ukraine’s ability to prepare and implement recovery projects. Donors cited U.S. leadership during this period as critical for coordination and advancing initiatives. Ukrainian entities have been building a system for managing public projects and implementing reforms designed to strengthen institutions and spur economic growth, in support of recovery. However, effects of the war, such as population displacement, and continuing corruption risks may interfere with their efforts to manage recovery in an accountable and transparent manner. Municipalities Present Recovery Projects at the 2024 Ukraine Recovery Conference Why GAO Did This Study Ukraine, with support from the U.S. and other donors, has taken early steps toward recovery, despite the ongoing conflict. The World Bank estimated recovery could cost nearly $524 billion over 10 years. The U.S. reported committing more than $56 billion for Ukraine’s recovery from 2022 through 2024. However, the U.S. has paused some assistance amid changes to its foreign assistance priorities. GAO was asked to evaluate U.S. planning for assisting Ukraine’s recovery. This report examines, from February 2022 through December 2024, (1) U.S. and other donor goals for Ukraine’s recovery, (2) the extent to which U.S. government strategic planning and interagency collaboration for Ukraine’s early recovery incorporated best practices, (3) mechanisms for coordination among donors and the GoU, and (4) Ukrainian efforts to improve transparency and accountability, supporting recovery. GAO reviewed documents and interviewed officials from State and other federal agencies, the GoU, and other donors. GAO also conducted a site visit to Kyiv, Ukraine.

What GAO Found VA’s Veterans Benefits Administration (VBA) may require veterans filing disability claims to undergo medical exams to help determine eligibility. VBA relies on contractors to provide medical professionals, called examiners, to conduct most of these exams. Conducting quality exams is important because errors can result in costly rework and delays in processing claims. VBA’s Medical Disability Examination Office (MDEO), which oversees these contractors, has refined its oversight since its establishment in 2016. GAO’s 2024 and 2025 reports described MDEO’s oversight, including quality control techniques for preventing errors from occurring during exams, detecting any exam errors that did occur, and correcting errors and providing accountability. GAO’s prior work also identified opportunities to strengthen MDEO’s oversight of contracted exam quality. Specifically, GAO found (1) breakdowns in procedures for correcting the most frequent or complex problems with contracted exams, (2) incorrect financial incentive payments to contractors, and (3) a gap in feedback from examiners—a key stakeholder group. GAO made five recommendations across the following four areas. All five remain open as of November 2025. VA has partially addressed one and described plans to address the others. Contractor quality action plans analyze the cause of the most frequent exam errors and specify contractors’ corrective actions. GAO found that MDEO’s procedures for reviewing these action plans lacked certain steps, including verifying that contractors completed the corrective actions and assessing whether these actions improved exam quality. GAO recommended that MDEO improve its procedures by including these steps. MDEO has partially addressed this recommendation. Special Focused Reviews seek to identify and address exam quality issues in specific areas. GAO found that MDEO was behind schedule on reviews for the most complex issues, such as military sexual trauma. GAO recommended that MDEO adhere to the biennial schedule outlined in its procedures. Financial incentives are based on contractor performance, including exam quality. GAO found that MDEO had no written procedures for checking the accuracy of its calculations for these incentives, resulting in almost $2.3 million in overpayments to contractors in fiscal year 2024. GAO recommended that MDEO develop and use such procedures. GAO also recommended that MDEO recalculate all financial incentives and correct any errors. Examiner feedback provides a key perspective on issues affecting exam quality. GAO found that MDEO relied on contractors to relay examiner feedback. However, five of six examiners GAO interviewed said contractors did not always address their concerns, making it harder to provide high-quality exams. They said they would like to provide feedback directly to MDEO. GAO recommended that MDEO collect and address direct feedback from examiners. Fully implementing GAO’s five recommendations would help MDEO improve exam quality so veterans receive more accurate and timely benefits decisions. Why GAO Did This Study Contracted disability examinations provide critical information for determining veterans’ eligibility for benefits. In fiscal year 2024, contracted examiners conducted over 3 million disability exams, costing over $5 billion. This statement summarizes 1) MDEO’s processes for overseeing exam quality and 2) GAO recommendations for improving these processes. This statement is based on two GAO reports: GAO-24-107730 and GAO-25-107483. For those reports, GAO analyzed MDEO financial incentive data from April 2023 through September 2024. Also, GAO reviewed MDEO documents and interviewed MDEO officials, contractors, and six examiners selected from a randomized list of all examiners for variation in characteristics such as specialty and experience. Finally, GAO interviewed MDEO officials on steps taken to address GAO’s recommendations.

What GAO Found In September 2025, GAO identified 20 open recommendations under the purview of the Small Business Administration's (SBA) Chief Information Officer (CIO), from previously issued work. Each of these recommendations relates to a GAO High-Risk area: (1) Ensuring the Cybersecurity of the Nation or (2) Improving IT Acquisitions and Management. In addition, GAO has designated four of the 20 as priority recommendations. For example, GAO previously recommended that SBA fully define and document a process for ensuring that designated privacy officials are involved in assessing and addressing the hiring, training, and professional development needs of the agency with respect to privacy. Further, GAO recommended that SBA develop a project risk management strategy and risk mitigation plan for its newly deployed Unified Certification Platform. GAO also previously recommended that the agency complete annual reviews of its IT portfolio consistent with federal requirements. The CIO's continued attention to these recommendations will help ensure the secure and effective use of IT at the agency. Why GAO Did This Study CIO open recommendations are outstanding GAO recommendations that warrant the attention of agency CIOs because their implementation could significantly improve government IT operations by securing IT systems, identifying cost savings, improving major government programs, eliminating mismanagement of IT programs and processes, or ensuring that IT programs comply with laws, among others. For more information, contact Nick Marinos at marinosn@gao.gov.

What GAO Found In September 2025, GAO identified nine open recommendations under the purview of the Department of Labor (DOL) Chief Information Officer (CIO) from previously issued work. Each of these recommendations relates to a GAO High-Risk area: (1) Ensuring the Cybersecurity of the Nation or (2) Improving IT Acquisitions and Management. For example, GAO previously recommended that DOL update its policies to require the use of risk assessments to inform its security control tailoring process for its information systems, and to prioritize its plan of action and milestones. Further, GAO recommended that DOL fully implement event logging requirements per federal guidance. GAO also recommended that DOL complete annual reviews of its IT portfolio consistent with federal requirements. The CIO's continued attention to these recommendations will help ensure the secure and effective use of IT at the department. Why GAO Did This Study CIO open recommendations are outstanding GAO recommendations that warrant the attention of agency CIOs because their implementation could significantly improve government IT operations by securing IT systems, identifying cost savings, improving major government programs, eliminating mismanagement of IT programs and processes, or ensuring that IT programs comply with laws, among others. For more information, contact Nick Marinos at marinosn@gao.gov.

What GAO Found In September 2025, GAO identified 30 open recommendations under the purview of the Department of Education's (Education) Chief Information Officer (CIO), from previously issued work. Each of these recommendations relates to a GAO High-Risk area: (1) Ensuring the Cybersecurity of the Nation or (2) Improving IT Acquisitions and Management. In addition, GAO has designated one of the 30 as a priority recommendation. For example, GAO previously recommended that the Office of Federal Student Aid update its cost estimation guidance for its acquisition programs to incorporate the best practices called for in the GAO Cost Estimating and Assessment Guide. Further, GAO recommended that Education develop policies and procedures to gain assurance that Federal Family Education Loan lenders have appropriate security and privacy controls in place, and that these controls are regularly tested and monitored. GAO also previously recommended that the department fully implement all event logging requirements as directed by the Office of Management and Budget. The CIO's continued attention to these recommendations will help ensure the secure and effective use of IT at the department. Why GAO Did This Study CIO open recommendations are outstanding GAO recommendations that warrant the attention of agency CIOs because their implementation could significantly improve government IT operations by securing IT systems, identifying cost savings, improving major government programs, eliminating mismanagement of IT programs and processes, or ensuring that IT programs comply with laws, among others. For more information, contact Nick Marinos at marinosn@gao.gov.

What GAO Found Over the past 2 decades, the Department of Veterans Affairs (VA) has taken various steps to improve and address challenges related to its disability compensation program, such as reforming its appeals process. However, GAO’s prior work has shown that VA’s efforts to reform its disability compensation program have not consistently achieved the desired improvements. Underpinning many of the challenges are VA leaders and managers not fully using leading management practices. For example: Reform initiatives. GAO’s 2022 report found VA undertook 23 initiatives to reform the disability program from fiscal years 2017 through 2020. GAO’s closer look at five of them found VA did not consistently follow leading practices for effective reforms, such as establishing goals and involving key stakeholders. To address these shortfalls, GAO made eight recommendations (VA agreed or agreed in principle). As of October 2025, VA has addressed six recommendations and partially addressed the remaining two. One of these recommendations, which GAO deems a high priority for implementation, is for VA to develop and implement a policy describing the leading practices that VA officials should follow when undertaking initiatives to reform the program. Disability exams and training. High-quality disability exams and claims processor training play key roles in accurately determining eligibility and preventing fraud, costly rework, and processing delays. However, GAO’s prior work has identified challenges VA faces in these areas. Specifically, GAO’s 2024 and 2025 reports identified opportunities to strengthen VA’s oversight of the quality of exams provided by contracted medical providers (called examiners). For example, GAO found incorrect financial incentive payments to contractors. To address this and other shortfalls, GAO made five recommendations. All five remain open as of October 2025. VA has partially addressed one and described plans to address the others. GAO’s 2021 report highlighted shortfalls in VA’s management of training for claims processors, such as whether VA assessed training results. To address these shortfalls, GAO made 10 recommendations, with four remaining open as of October 2025. Program modernization. GAO’s prior work has identified various policy options proposed by others for modernizing VA’s existing disability benefits structure to reflect changing views about disability. For example, in 2012 GAO examined the opportunities and challenges of several policy options, such as providing integrated vocational services with transitional cash assistance. VA’s disability compensation program’s parameters are set forth in federal law. This statutory framework restricts the extent to which VA can reform its disability program, as there are certain actions VA cannot take without Congress amending the relevant laws. Addressing each of these longstanding challenges requires sustained leadership and would help ensure veterans receive accurate decisions and timely access to disability compensation. Why GAO Did This Study Veterans with injuries or illnesses incurred during their military service may receive monthly disability payments from VA. Veterans found eligible for disability compensation are entitled to cash benefits regardless of employment status or amount of income earned. In fiscal year 2024, VA provided over $163 billion in compensation to over 6.5 million veterans and their families. GAO’s prior work has highlighted longstanding challenges VA has faced, ranging from grappling with large numbers of claims and appeals to reexamining the existing disability benefits structure. These challenges can affect VA’s current efforts to provide veterans with accurate decisions and timely access to disability compensation. They can also affect its capacity to modernize disability compensation to best meet the needs of veterans with disabilities in the 21st century. As a result of these and other challenges, VA’s management of disability compensation claims has remained on GAO’s High-Risk List since 2003. This statement focuses on (1) VA’s longstanding challenges with managing changes to the disability compensation program, (2) challenges to ensuring the quality of decisions in the existing disability compensation program, and (3) policy approaches that disability commissions and others have raised for modernizing VA’s disability benefits structure. It is based on findings from prior reports from 2012 to 2025. For more information, contact Elizabeth H. Curda at curdae@gao.gov.

What GAO Found The 340B Drug Pricing Program (340B Program) requires drug manufacturers to sell outpatient drugs at discounted prices to covered entities—certain federal grantees and hospitals—to have their drugs covered by Medicaid. In the 10-year period between 2013 and 2023—when we last reported on the program—the number of covered entity sites more than doubled. 340B Program Covered Entity Sites by Type, 2013 and 2023 Note: Numbers are as of January 1 of each year and represent the number of covered entities and associated sites. GAO has identified numerous weaknesses in the Health Resources and Services Administration’s (HRSA) oversight of the 340B Program. HRSA has taken steps to address some of these weaknesses, including implementing five of 20 GAO recommendations. Most notably, in fiscal year 2012, in response to a GAO recommendation, HRSA implemented a systematic approach to auditing covered entities and now audits 200 covered entities a year. Over time, HRSA has made other changes to strengthen its oversight by establishing an annual recertification process and other program integrity checks. However, other weaknesses that GAO identified in HRSA’s audits and oversight remain unaddressed. For example: HRSA’s process for closing audits does not ensure covered entities have fully addressed any noncompliance identified. HRSA’s audits do not fully assess compliance with the program requirement that prohibits covered entities from subjecting manufacturers to duplicate discounts, in which drugs are subject to 340B discounted prices and rebates under the Medicaid program. HRSA’s oversight does not ensure only eligible hospitals participate in the program. HRSA did not concur with six of the 15 unimplemented recommendations GAO made to address weaknesses in HRSA’s oversight. HRSA concurred with the remaining nine recommendations, but the agency has expressed concerns that it lacks the necessary enforcement capability to implement some of them. HRSA has requested that Congress provide it with additional regulatory authority for the 340B Program. Why GAO Did This Study Covered entities can realize substantial savings through 340B Program price discounts and, according to HRSA, these savings can enable them to stretch federal resources to reach more eligible patients and provide more comprehensive services. Covered entities can provide 340B drugs to eligible patients regardless of income or insurance status and can generate revenue under the program when insurance reimbursement exceeds the 340B price paid for the drugs. HRSA is responsible for administering the program and overseeing covered entities’ compliance with program requirements. Program requirements include that covered entities must (1) prevent diversion of 340B drugs to individuals who are not eligible patients of the covered entities, and (2) avoid subjecting manufacturers to duplicate discounts. This statement provides an overview of GAO’s assessment of HRSA’s oversight of the 340B Program. This statement is primarily based on four GAO reports issued from 2011 through 2020 and on steps HRSA has taken to address GAO recommendations from those reports, as of February 2025. See GAO-11-836, GAO-18-480, GAO-20-108, and GAO-20-212. Those reports provide further details on our scope and methodology. For more information, contact Michelle B. Rosenberg at RosenbergM@gao.gov.

What GAO Found In June 2024, GAO identified 30 priority recommendations for the Internal Revenue Service (IRS). Since then, IRS has implemented five of those recommendations by designating a dedicated unit for addressing business identity theft fraud and assessing how online services may reduce taxpayer burden, among other things. In addition, GAO removed one recommendation related to reporting by third-party service providers, because it no longer warrants priority attention. In September 2025, GAO identified two additional priority recommendations for IRS, bringing the total number to 26. These recommendations involve the following areas: Managing agency transformation, Addressing the tax gap, Improving the taxpayer experience, Ensuring taxpayer data security, and Enhancing information reporting. IRS's continued attention to these issues could lead to significant improvements in government operations. Why GAO Did This Study Priority open recommendations are the GAO recommendations that warrant priority attention from heads of key departments or agencies because their implementation could save large amounts of money; improve congressional and/or executive branch decision-making on major issues; eliminate mismanagement, fraud, and abuse; or ensure that programs comply with laws and funds are legally spent, among other benefits. Since 2015, GAO has sent letters to selected agencies to highlight the importance of implementing such recommendations. For more information, contact Jessica Lucas-Judy at lucasjudyj@gao.gov or James R. McTigue, Jr. at mctiguej@gao.gov.

What GAO Found Digital activity from personal and government devices, online communications, and defense platforms such as ships and aircraft can generate volumes of traceable data, known as digital footprints. When these digital footprints are aggregated into a digital profile, they can threaten Department of Defense (DOD) personnel and their families, operations, and ultimately national security. Figure: Digital Activity Generates Digital Footprints That Can Be Aggregated into A Digital Profile GAO determined that three of five offices under the Office of the Secretary of Defense (OSD) have issued policies and guidance on the risks associated with the public accessibility of DOD’s digital information. However, the policies and guidance are narrowly focused, do not include all stakeholders, and do not include all relevant security areas. As a cross-functional governance body that includes stakeholders across DOD, the Defense Security Enterprise Executive Committee is well-positioned to lead a department-wide collaborative assessment of policies and guidance on digital footprint and profile risks. Without such an assessment, DOD will have difficulty in determining whether risks are being sufficiently managed within the boundaries of their legal authorities. Also, DOD will face ever-increasing threats to personnel privacy and safety, mission success, and national security. GAO also determined that 10 DOD components were not fully addressing two areas essential to reducing the risk of digital threats—training and security assessments. Nine of ten components’ training materials did not consistently train personnel on risks of digital information in the public across all relevant security areas. Eight of ten components did not conduct assessments of threats across the required security areas of force protection, insider threat, mission assurance, and operations security. Instead, most components focused assessment efforts solely on operations security. GAO developed the notional threat scenarios below to exemplify how publicly accessible information about DOD operations and its personnel introduces risks across multiple security areas. Risk to Personnel and Their Families This scenario illustrates how a malicious actor could use digital information purchased from data brokers or collected from the web to identify and harm DOD personnel and their families. Figure: Digital Footprints Can Be Aggregated to Expose DOD Personnel Data Risk to Operations This scenario illustrates how a malicious actor could use digital information—including DOD press releases, news sources, online activity, social media posts, and ship coordinates—to project the route of a vessel and disrupt naval carrier operations. When aggregated, this information could enable targeting the vessel with uncrewed systems or sabotaging the ship while in port. Figure: Digital Footprints Can Be Aggregated to Disrupt Aircraft Carrier Operations Why GAO Did This Study Massive amounts of traceable data about military personnel and operations now exist due to the digital revolution. Public accessibility of this data enables malicious actors to exploit critical information and jeopardize DOD’s mission and the safety of its personnel. Senate Report 118-58 and House Report 118-301 include provisions that GAO assess DOD’s efforts to mitigate national security risks and assess DOD components’ efforts to protect the digital footprint of DOD personnel. This report assesses the extent to which (1) OSD has taken action to reduce risks to DOD personnel and operations and (2) DOD components have conducted training and assessments to reduce risk to DOD personnel and operations. The report also describes security risks of publicly accessible data about DOD personnel and operations. GAO focused on actions taken by five OSD offices and 10 select DOD components with security responsibilities—the five services and five other cognizant components such as U.S. Cyber Command and Space Force. GAO reviewed policies and documentation from these offices and components, and interviewed agency officials regarding actions taken to reduce information about DOD and its personnel being publicly accessible.

What GAO Found For fiscal year 2023, the federal government and six selected states—California, Georgia, New York, Pennsylvania, Tennessee, and Texas—paid health insurance entities at least $1.6 billion in potential overpayments or fraud for duplicate health care coverage or benefits. The payments were made on behalf of approximately 500,000 individuals who were simultaneously enrolled across multiple states in Medicaid or the Children’s Health Insurance Program (CHIP) or receiving an advance premium tax credit (APTC) across multiple states. These payments were made on behalf of individuals to managed care organizations in the form of capitated payments for Medicaid and CHIP or to health insurance issuers through APTC. The $1.6 billion in potential overpayments identified in GAO’s analyses may be relatively small compared to the total enrollment numbers, outlays, and expenditures. However, they represent a significant amount of potential overpayments largely stemming from six selected states in GAO’s review. It is also likely that the counts and dollar figures GAO identified were partially attributable to COVID-19-related continuous enrollment conditions for Medicaid and some CHIP enrollees. Specifically, as a condition for receiving temporarily enhanced federal funding during the pandemic, states were required to keep Medicaid and some CHIP beneficiaries continuously enrolled unless an individual requested voluntary termination of eligibility, or the individual ceased to be a resident of the state. Nonetheless, the conditions did not prevent states from disenrolling individuals who were confirmed to no longer be state residents, and duplication of Medicaid, CHIP, or APTC benefits across states for individuals should not have occurred. Simultaneous Program Enrollment in Medicaid or CHIP for Six Selected States and APTC Nationwide for Fiscal Year 2023 Note: Individual counts may overlap between categories. The overall total reflects aggregated values after removing duplicate individuals across programs and states. Due to rounding, individual counts and dollar amounts may vary slightly from the totals. Marketplaces’ processes to identify and prevent simultaneous cross-state health care coverage or benefits are limited. Marketplaces do not have sufficient processes to identify and prevent simultaneous cross-state APTC benefits—such as preventing duplicate Social Security numbers from being used on multiple marketplace health plans simultaneously. Without designing sufficient processes to identify and prevent duplicate cross-state enrollment within the marketplaces, there is an increased risk that APTC benefits will be improperly paid to multiple health insurance issuers on behalf of the same individual. Additionally, marketplaces do not have processes to identify individuals receiving simultaneous cross-state Medicaid or CHIP coverage. Moreover, none of the marketplaces submit qualified health plan enrollment data, including APTC information, to the Public Assistance Reporting Information System (PARIS)—a data-matching service used to identify duplicate cross-state payments—or another data-matching system. Requiring marketplaces to submit such data would enable the Centers for Medicare & Medicaid Services (CMS) and state agencies to use the data to identify enrollee matches between APTC and CHIP or Medicaid, which could then be resolved to verify eligibility or terminate benefits, as appropriate. Most states Medicaid and CHIP agencies reported that they submit Medicaid and CHIP enrollment data to PARIS for data matching. However, the enrollment populations and frequency of interstate data matching varied among states for both Medicaid and CHIP. Some states exclude categories of enrollees from their submission, and some do not submit quarterly because it is not required. Until state Medicaid and CHIP agencies are required to submit enrollment data to PARIS or another data-matching system for interstate data matching on a frequent recurring basis, state Medicaid and CHIP agencies will continue to face greater risk of being unaware of potential instances of duplicate cross-state Medicaid and CHIP enrollment. Why GAO Did This Study Federally funded health care programs are susceptible to significant improper payments, including fraud. For example, for fiscal year 2024, the Department of Health and Human Services (HHS) estimated $4.9 billion in improper Medicaid payments for ineligible individuals. HHS’s CMS oversees three principal health care programs generally available for eligible persons under 65 years of age: Medicaid, CHIP, and the health insurance marketplaces, through which eligible individuals can purchase health insurance. To help pay for marketplace health insurance, federal law provides for a premium tax credit to individuals who meet certain income and other eligibility requirements. Individuals can choose to have the marketplace compute an estimated credit that is paid directly to their issuers on their behalf, known as APTC, which lowers their monthly premium payments. However, individuals are generally not eligible for APTC if they qualify for Medicaid or CHIP. Further, individuals should not be simultaneously enrolled in any of these programs in multiple states. GAO was asked to review issues related to duplicate health care coverage payments in Medicaid, CHIP, and APTC. This report (1) describes instances of payments made for duplicate Medicaid and CHIP coverage in selected states and potentially ineligible APTC benefits nationwide and (2) examines the extent to which CMS and states have designed processes to identify and prevent duplicate cross-state health care coverage in these programs. GAO conducted data matching of enrollment and payment data to identify duplicate payments made for Medicaid or CHIP in six selected states and APTC benefits nationwide. Among other factors, states were selected based on average monthly CHIP and Medicaid enrollment by state, number of individuals receiving APTC by state, state migration trends, and proximity to one another. GAO also conducted three nationwide surveys of state Medicaid agencies, state CHIP agencies, and state-based marketplaces.

What GAO Found DOD and others recognize that publicly accessible data presents a growing threat to the security and privacy of DOD personnel and their families, military operations, and national security. GAO developed multiple possible threat scenarios illustrating these risks. (See fig. 1 for an example.) Figure 1: Scenario of Threat Outcomes from Exposure of DOD Personnel Information Sources of the data making up the digital profile include: Online activity, such as web browsing and the use of social media Personal mobile devices that transmit location data and share data about the owner Data brokers that aggregate and sell data DOD press releases and other public communications Sensors that broadcast the location of military vessels Malicious actors could collect and analyze this readily available data to identify and harm DOD personnel or their families or track and disrupt DOD operations. While DOD has an established approach for managing security risks, it has not ensured additional actions to address the risks associated with this publicly available digital data. For example, DOD officials have issued some policy and guidance, administered training, and developed awareness campaigns related to the digital profile. However, there has been limited cross-departmental collaboration on this issue that spans all key DOD security disciplines. Further, DOD components have not consistently assessed the risks to their operations associated with the public accessibility of digital information. By taking additional actions, DOD has an opportunity to address these risks. Why GAO Did This Study Throughout the day, people—including DOD service members, employees, contractors, and family members— leave behind massive amounts of data through online activity that can be collected and aggregated by the public, data brokers, and malicious actors. All of this digital activity generates volumes of traceable information—also known as a digital footprint. Over time, multiple footprints can create a digital profile that can reveal potentially sensitive or classified information. GAO was asked to review the risks associated with this data and efforts DOD has made to address the associated risks. This testimony summarizes GAO’s pending report titled Information Environment: DOD Needs to Address Security Risks of Publicly Accessible Information and focuses on (1) risks of publicly available data about DOD personnel and operations, and (2) DOD’s approach to address security-related risks. To inform the report, GAO reviewed DOD documentation and information, analyzed publicly available data, and interviewed department officials. More detailed information on the scope and methodology of this work can be found in our report.