Why It Matters
The federal health insurance marketplace is failing to protect millions of consumers from unauthorized actions by agents and brokers.
A new Government Accountability Office report released July 13 reveals that at least 160,000 federal Marketplace applications in plan year 2024 had likely unauthorized changes, with consumer complaints about unauthorized enrollments and plan switches growing more than fourfold between 2023 and 2025. According to GAO, the Centers for Medicare & Medicaid Services (CMS) lacks sufficient safeguards to verify that consumers consent to actions taken by agents and brokers on their Marketplace accounts.
Millions of consumers rely on health insurance marketplace agents and brokers to purchase plans through federal and state Marketplaces established by the Affordable Care Act. When those agents and brokers operate without proper oversight, consumers can find their plans switched without their knowledge, their personal information accessed by unauthorized parties, or their accounts manipulated for the financial benefit of the agent. Recent federal fraud cases have highlighted concerns about certain agents and brokers in the federal Marketplace making unauthorized enrollments and plan changes to receive compensation from health plan issuers. The GAO report makes it clear that the current efforts by CMS to control these actions is insufficient.
How Health Insurance Marketplace Controls Have Failed
CMS requires agents and brokers to be licensed and registered before assisting consumers, and the agency conducts routine validation checks to ensure they meet those requirements. It also restricts system access to registered agents and brokers only. However, these baseline protections mask deeper vulnerabilities in how the agency handles consumer consent and account access.
CMS does not restrict access to consumer Marketplace records to the agent or broker already associated with a consumer's enrollment, meaning any registered agent can potentially access any consumer's information. Equally troubling, CMS does not inform consumers of all agent or broker actions taken on their accounts. Consumers may have no idea that someone has accessed their file, switched their plan, or made changes to their enrollment.
CMS attempted to address this in 2024 by implementing new procedures to better ensure agents and brokers obtain consumer consent prior to certain actions. But the 2024 procedures do not prevent all unauthorized actions because they are not always used and CMS takes limited steps to confirm the identity of the consumer. In other words, the safeguards exist on paper but lack teeth in practice.
What the GAO Found
The GAO's forensic audits and investigative service examined the federal Marketplace and selected state-based Marketplaces to understand the scope of the problem and identify what works.
The report found that at least 160,000 federal Marketplace applications in plan year 2024 had likely unauthorized changes. That number alone represents a massive failure of consumer protection. It also found that consumer complaints of unauthorized enrollments and plan switches grew more than fourfold from 2023 through 2025, meaning the problem is not stable or contained, but accelerating.
When GAO examined three selected state-based Marketplaces, California, Georgia, and New Mexico, it found they have controls that go beyond those used by CMS. These states require one-time passcodes to verify consumer consent, a straightforward technical measure that dramatically reduces the risk of unauthorized actions. The report showed that states operating their own Marketplaces have figured out how to protect consumers more effectively than the federal government.
What CMS Says It Will Do
When presented with these findings, CMS told GAO it is exploring options to potentially implement new controls for the open enrollment period for plan year 2027. But CMS had not yet made decisions regarding any new controls at the time of the GAO report was published. That timeline matters. Consumers will continue to face risk throughout 2026 and into 2027 while CMS deliberates.
The agency did concur with both GAO recommendations, which is a positive sign. However, concurrence is not the same as action. Both recommendations remain open, meaning CMS has not yet implemented them.
What GAO Is Demanding
The GAO made exactly two recommendations, both directed to the Administrator of CMS.
The first calls on CMS to design and implement stronger controls to verify consumer consent to agent and broker actions on consumer enrollments, restrict access to consumer information to the agent of record, and notify consumers of agent and broker activity on their federal Marketplace enrollments. GAO suggests that stronger controls could include use of a one-time passcode, similar to what California, Georgia, and New Mexico already use. The agency could also limit the amount of consumer details that agents and brokers who are not the agent of record can see when conducting a person search.
The second recommendation calls for CMS to periodically review the relevance and effectiveness of the controls it implements, ensure consumers authorize and are informed of agent and broker activity on their federal Marketplace enrollments, and make changes as appropriate based on those periodic reviews. In essence, GAO is telling CMS to build a feedback loop that keeps safeguards current as bad actors find new ways to exploit the system.
The Scope of the Problem
GAO's investigation involved interviews with organizations representing agents and brokers, state insurance regulators, and consumers. The agency reviewed documentation from officials at the three state-based Marketplaces. The resulting 33-page report is grounded in direct investigation, not speculation. The forensic audits and investigative service identified actual patterns of fraud, not theoretical vulnerabilities.
The unauthorized actions are not random. Recent federal fraud cases have highlighted a clear motive, with certain agents and brokers in the federal Marketplace making unauthorized enrollments and plan changes to receive compensation from health plan issuers. When an agent switches a consumer to a plan, the agent may receive a commission. The consumer loses choice and control; the agent gains money and CMS's weak controls have made this scheme possible.
What Comes Next
CMS has indicated it may implement additional safeguards for plan year 2027. Until new controls are adopted, GAO said consumers remain vulnerable to unauthorized activity on their federal Marketplace accounts. The report provides Congress and CMS with recommendations intended to strengthen oversight and better protect consumers.
Access the Legis1 platform for comprehensive political news, data, and insights.
Spot something wrong? Report an issue with this article