Why it Matters

More than 19 million consumers are enrolled in health insurance plans through federal and state Marketplaces established by the Affordable Care Act, according to a new Government Accountability Office (GAO) report published July 13. The report found that health insurance agents and brokers operating within the federal Marketplace have been able to exploit weak security controls to enroll consumers without their knowledge, switch their coverage plans, and access detailed personal information using only a name, date of birth, and self-attested consent.

GAO's Centers for Medicare & Medicaid Services (CMS) review found that at least 160,000 federal Marketplace applications in plan year 2024 had likely unauthorized changes, a figure GAO first reported in December 2025 based on ongoing investigative work. Consumer complaints tied to confirmed unauthorized enrollments and plan switches grew more than fourfold between 2023 and 2025.

The Big Picture

Any of the roughly 96,000 agents and brokers registered with the federal Marketplace can access a consumer's full enrollment record, including income data and partial Social Security numbers, by entering just a name and date of birth plus a self-attestation of consent. CMS does not verify that consent was actually obtained, and it does not notify consumers when their records are searched, their enrollment changes, or their agent of record is switched.

When GAO tested CMS's three-way verification calls, a safeguard meant to confirm consumer identity, researchers found brokers could still submit applications for fictitious consumers with invalid Social Security numbers. CMS officials and five stakeholders separately confirmed unauthorized individuals have posed as consumers on those calls, which rely on easily obtainable information like name and address. In October 2024, CMS suspended 850 agents and brokers over suspected fraud, then reinstated all of them in May 2025.

By contrast, the three state-based Marketplaces GAO reviewed, in California, Georgia, and New Mexico, require a one-time passcode or three-way call before agent actions and notify consumers of enrollment and agent-of-record changes. CMS told GAO it is exploring similar controls for plan year 2027 but had made no decisions as of March 2026, having held off on changes before plan year 2026 due to unrelated program uncertainty.

The Bottom Line

GAO recommended CMS design stronger consent verification controls, restrict record access to the agent of record, and notify consumers of account activity, potentially through a one-time passcode. It also recommended CMS periodically reassess those controls going forward, addressing the fact that the agency's last fraud risk review was in 2018.

The Department of Health and Human Services concurred with both recommendations and said it is considering a one-time passcode requirement and tighter access restrictions for the Enhanced Direct Enrollment pathway.

The report, requested by Sen. Bill Cassidy (R-LA), Chair of the Committee on Health, Education, Labor, and Pensions reflects a performance audit GAO conducted from January 2025 to July 2026.

Access the Legis1 platform for comprehensive political news, data, and insights.

Spot something wrong? Report an issue with this article