Federal investigations into UnitedHealth’s Medicare billing could impact clinical labs and reshape diagnostic workflows.
The intensifying federal investigation into UnitedHealth Group’s Medicare Advantage billing practices is making headlines in both major outlets and industry-specific trade publications. Clinical laboratories have the potential to soon feel the effects. As questions grow around how the insurance giant gathers and codes medical diagnoses, labs that play a role in confirming those diagnoses could see heightened regulatory oversight, increased documentation requirements, and a more complex reimbursement landscape.
According to an article from The Associated Press, on July 24, UnitedHealth Group, the largest U.S. provider of Medicare Advantage (MA) plans, revealed in a Securities and Exchange Commission (SEC) filing that it is now cooperating with both criminal and civil investigations by the Department of Justice (DOJ). The probes are centered on allegations that the company inflated patient diagnoses in order to receive larger payments from the federal government. These investigations, which were first surfaced in reports by The Wall Street Journal earlier this year, are now confirmed.
UnitedHealth Comments on Investigation
UnitedHealth said it initiated contact with the DOJ after the reports came to light and is already responding to information requests. The company also announced it has launched a third-party review of its business policies and performance metrics, which is expected to conclude by the end of the third quarter, according to comments made to CNBC.
“UnitedHealth has full confidence in its practices and is committed to working cooperatively with the Department throughout this process,” the company stated in its filing.
The DOJ’s criminal investigation reportedly includes interviews with doctors about whether they were pressured to submit claims for certain diagnoses that would lead to higher MA payments. A civil inquiry into the company’s billing practices has been underway since February. Both investigations center around suspicions that UnitedHealth used retrospective chart reviews and in-home health assessments—often carried out by clinicians contracted through its Optum unit—to bolster patient risk scores and inflate payments from Medicare.
What this Might Mean for Clinical Labs
Clinical laboratories may be affected, as lab-generated diagnostic data is frequently used to support or validate the conditions coded for reimbursement. If regulators demand greater transparency or auditing of how diagnostic data is linked to MA billing, labs could face increased scrutiny on test utilization, data accuracy, and coding practices.
CNBC reported that UnitedHealth has pushed back against some of the scrutiny. The company noted that Centers for Medicare & Medicaid Services (CMS) audits have found its practices to be “among the most accurate in the industry.” It also cited a special master’s recommendation in March in an ongoing legal case stemming from a whistleblower complaint that accused the company of withholding $2 billion in Medicare payments. In that case, the special master concluded that the DOJ had insufficient evidence to proceed.
As for the timing of the DOJ confirmation, UnitedHealth has had a challenging year. The company has endured stock volatility, leadership upheaval, and broader reputational risks. In May, CEO Andrew Witty abruptly resigned, and earlier in the year, the firm dealt with the fatal shooting of UnitedHealthcare CEO Brian Thompson in New York City. UnitedHealth is also still recovering from a massive cyberattack that disrupted operations across its network.
“This all sounds logical as it moves forward with a new CEO,” wrote Jared Holz, healthcare strategist at Mizuho Securities, in a note to clients July 24, while noting that UnitedHealth had previously denied being under federal investigation.
Jared Holz, Mizuho healthcare sector strategist, said UnitedHealth’s choice to acknowledge the probes and cooperate with the department “all sounds logical as it moves forward with a new CEO.”
The Medicare and Retirement division, which includes the Medicare Advantage business, brought in $139 billion in revenue last year, making it UnitedHealth Group’s largest segment. But medical costs have surged, particularly among new MA enrollees. UnitedHealth suspended its 2025 forecast and withdrew guidance altogether in May due to financial uncertainty.
For clinical labs, payers, and providers, the situation underscores a growing federal focus on Medicare Advantage oversight, potentially reshaping not only billing practices but also the data and diagnostics behind them.
Insurers continued receiving payments even after beneficiaries moved to other states, the paper reported
As Congress considers cuts in Medicaid funding, The Wall Street Journal reported that Medicaid managed care plans received at least $4.3 billion in duplicate payments over a three-year period, due to recipients who moved from one state to another.
Centene, the largest private Medicaid insurer, collected $620 million in duplicate payments between 2019 and 2021, while Elevance Health received $346 million and UnitedHealth Group took in $298 million, The Journal reported on March 26.
All told, more than 270 insurers received duplicate payments. The paper noted that private insurers handle coverage for 70% of the 72 million Medicaid recipients.
“We may be paying premiums on behalf of an individual who might have moved, and we don’t know that they have moved,” healthcare consultant Caprice Knapp, PhD, told the newspaper. “It definitely is wasteful.”
The reporting was based on an analysis of the Transformed Medicaid Statistical Information System (T-MSIS), a database of beneficiary information maintained by the Centers for Medicare and Medicaid Services (CMS).
In response to a Wall Street Journal article about managed care plans receiving billions in duplicate Medicaid payments, Craig Kennedy, chief executive of Medicaid Health Plans of America, noted how heavily regulated the health insurance industry is. (Photo copyright: LinkedIn.)
Multiple States Paid Double Payments to Medicaid Insurers
“Government guidelines stipulate that if Medicaid recipients move to another state, they are supposed to cancel their coverage in their former state when signing up in the new one, which often gives them a different insurer,” The Journal reported. “But the recipients don’t always cancel, leaving states to play catch-up.”
States paying the highest rates of duplicate payments include Georgia, Florida, and Indiana, according to The Wall Street Journal’s report.
To illustrate how this works, the story used the hypothetical example of a Medicaid recipient in Florida. There, the state pays $291 per month to the private Medicaid insurer. The individual moves to Georgia and enrolls in that state’s Medicaid program. Georgia begins paying an insurer $339 per month. But Florida continues to pay the monthly fee even though the recipient is now receiving medical care in Georgia. (The payment amounts are estimates based on averages in each state, the paper said.)
The state might not know that a beneficiary has moved until it conducts an annual eligibility check, the story noted. In the meantime, insurers “can collect months of payments before a patient is dropped from the rolls.”
To determine if a patient had moved, the analysis looked at where they received medical care. “The data don’t indicate where recipients are actually living or reflect all adjustments later made to payments,” the story noted.
Some insurers criticized the analysis. Most of the three-year period overlapped with the COVID-19 pandemic, when emergency rules made it difficult to disenroll beneficiaries, insurers told The Wall Street Journal. A Centene spokesman said the analysis “ignores the financial safeguards in place to address potential overpayments.” The insurer told the paper that it had repaid $2 billion to the states between 2019 and 2021.
The duplicate payments amounted to $800 million in 2019, then jumped to $1.3 billion in 2020 and $2.1 billion in 2021, the paper reported. KFF, citing CMS data, reported that states spent an estimated $880 billion on Medicaid programs in fiscal year 2023.
Craig Kennedy, chief executive at Medicaid Health Plans of American—an industry group that represents managed care organizations—told The Journal that insurers are closely watched by regulators.
“[Health insurance is] a heavily regulated industry,” Kennedy said. “Following rules and regulations is the No. 1 priority here.”
Office of Inspector General Weighs In
The Wall Street Journal analysis followed an earlier report from the US Department of Health and Human Services’ (HHS) Office of Inspector General (OIG). The OIG report, issued in September 2022, was based on an audit covering Medicaid managed care capitation payments in August 2019 and August 2020. It was also based on data from T-MSIS.
“All 47 States reviewed made capitation payments on behalf of Medicaid beneficiaries who were concurrently enrolled in two States,” the OIG reported. “Specifically, capitation payments were made on behalf of 208,254 concurrently enrolled beneficiaries in August 2019 and 327,497 concurrently enrolled beneficiaries in August 2020. The Medicaid program incurred costs of approximately $72.9 million in August 2019 and $117.1 million in August 2020 for capitation payments associated with beneficiaries in one of the two concurrently enrolled States.”
OIG advised CMS to provide state agencies with T-MSIS enrollment data. CMS dismissed the recommendation, claiming that the Public Assistance Reporting Information System (PARIS), designed to deter improper public assistance payments, was sufficient, and that T-MSIS would add inefficiency and confusion. However, current and former state Medicaid officials told The Wall Street Journal that PARIS “doesn’t always include up-to-date or complete information.”
Disclosures, mandated by the Affordable Care Act, provide a limited snapshot of claim denials
Claim denials have created financial headaches for virtually all healthcare providers, including clinical laboratories and anatomic pathology groups. Reliable data about denials is hard to come by, but a recent analysis by KFF (formerly the Kaiser Family Foundation) revealed that insurers selling plans on HealthCare.gov denied 19% of claims for in-network services in 2023, the latest year for which data is available.
This is the highest rate since 2015, when KFF began tracking the data, according to the analysis. Claim denials for out-of-network services were even higher, amounting to 37%.
Patients and doctors “are saying that it’s become an even bigger hassle in recent years than it has been in the past,” said Kaye Pestaina, JD, co-author of the report, in a video report from CNBC. Pestaina is a KFF vice president and director of the organization’s program on patient and consumer protection.
The analysis, released Jan. 27, noted that the Affordable Care Act (ACA) requires insurers to provide data about health plans to state and federal regulators as well as the public. “However, federal implementation of this requirement has so far been limited to qualified health plans (QHP) offered on the federally facilitated Marketplace (HealthCare.gov) and does not include QHPs offered on state-based Marketplaces or group health plans.”
“One thing that we’ve seen [when] surveying consumers across different insurance types is that they simply don’t know that they have an appeal right,” said Kaye Pestaina, JD (above), VP and director of KFF’s program on patient and consumer protection, in a video report from CNBC. “If appeals were used more often, it might operate as a check on carriers. From what we can see now, so few are appealed, so it’s not operating as a check.” Clinical laboratories and anatomic pathology groups don’t often see data about the rate of claims denials by payers made public. (Photo copyright: KFF.)
Scarce Information
The federal marketplace covers 32 states, which means that the data does not include the 18 other states or the District of Columbia, all of which have their own exchanges. Nor does it include employer-sponsored plans, Medicare Advantage plans, or Medicaid Managed Care plans.
“In the big picture, we’re still operating from a scarce amount of information about how carriers review claims,” Pestaina told the Minneapolis Star-Tribune.
Within this limited dataset, KFF found wide variation in denial rates among the parent companies of health plans. The companies with the highest rates were as follows:
Rates also varied by state, from a high of 34% in Alabama to a low of 6% in South Dakota. However, the report noted that these averages sometimes obscured wide variations within each state. For example, in Florida, the statewide average was 16%, but denial rates for individual insurers ranged from 8% to 54%.
In most cases, in-network denial rates did not vary much based on plan levels. Rates were 15% for Platinum plans, compared with 18% for Silver and Gold plans, and 19% for Bronze plans. The rate for catastrophic plans was 27%.
The data offered only limited insights about the reasons for claim denials. The federal Centers for Medicare and Medicaid Services (CMS), which administers the rules, requires plans to report denial reasons, but it allows for an “Other” category that accounts for the largest number of denials:
Other reason not listed – 34%
Administrative reason – 18%
Service excluded – 16%
Enrollee benefit limit reached – 12%
Lack of referral or prior authorization – 9%
Not medically necessary (excluding behavioral health) – 5%
Member not covered – 5%
Not medically necessary (behavioral health only) – 1%
“We hear anecdotal stories about certain treatments that are denied, that arguably should not have been denied,” Pestaina told the Star-Tribune. “How often is that happening? It’s difficult to come to a conclusion with the kind of ‘reason’ information we have here.”
Health Insurers Pushback
In addition to claim denials, CMS requires insurers to report the number of appeals once a claim has been denied.
“As in KFF’s previous analysis of federal claims denial data, we find that consumers rarely appeal denied claims and when they do, insurers usually uphold their original decision,” the report states.
In total, insurers on the federal exchange denied 73 million in-network claims. Among these, less than 1% (376,527) were appealed internally to the insurers, which upheld 56% of the denials.
The report notes that, in some cases, consumers have a right to an external appeal in which a third party reviews the claim. However, in a separate survey, KFF found that only 40% of all consumers, and 34% of Marketplace enrollees, were aware of that right.
Health insurers pushed back on KFF’s analysis. In a statement reported by the Star-Tribune, UnitedHealth Group described the numbers as “grossly misleading” because the dataset represents only 2% of total claims.
“Across UnitedHealthcare, we ultimately pay 98% of all claims received that are for eligible members, when submitted in a timely manner with complete, non-duplicate information,” the company stated. “For the 2% of claims that are not approved, the majority are instances where the services did not meet the benefit criteria established by the plan sponsor, such as the employer, state or Centers for Medicare and Medicaid Services.”
Clinical laboratories and anatomic pathology groups should consider these cyberattacks on major healthcare entities as reminders that they should tighten their cybersecurity protections
Hackers continue to gain access to public health records—including clinical laboratory testing data—putting thousands of patients’ protected health information (PHI) at risk of being exposed. The latest important healthcare entity to become the victim of a ransomware attack is American Associated Pharmacies (AAP). According to The Register, AAP announced a ransomware operation called Embargo had stolen over 1.4 terabytes (TB) of data, encrypted those files, and demanded $1.3 million to decrypt the data.
Embargo claims that Scottsboro, Ala.-based AAP paid $1.3 million to have its systems restored. They are now demanding an additional $1.3 million to keep the stolen data private, the HIPAA Journal reported, adding, “The attack follows ransomware attacks on Memorial Hospital and Manor, an 80-bed community hospital and 107 long-term care facility in Georgia, and Weiser Memorial Hospital, a critical access hospital in Idaho.”
AAP has not publicly confirmed the ransomware attack, nor has it made an official statement regarding the breach. But it did post an “Important Notice” on its website reporting, “limited ordering capabilities for API Warehouse have been restored at APIRx.com.”
API Warehouse is a subsidiary of AAP that helps subscribers save on brand name and generic prescriptions via wholesale purchasing plans. It oversees more than 2,000 independent pharmacies across the US and has over 2,500 stock keeping units (SKUs) in its inventory.
The message further states “All user passwords associated with both APIRx.com and RxAAP.com have been reset, so existing credentials will no longer be valid to access the sites. Please click ‘forgot password’ on the log in screen and follow the prompts accordingly to reset your password.”
“Embargo seems to have international and multi-sector victims and is not focusing on a specific victim profile. They seem opportunistic,” Mike Hamilton (above), founder and chief information security officer (CISO) of cybersecurity firm Critical Insight, told HealthcareInfoSecurity. “However, as they do have multiple victims in healthcare, and their tooling to disable detection is sophisticated, they should not be discounted. If indeed they operate through affiliates, we can expect others to use their infrastructure and tools, and Embargo may emerge as a top threat to healthcare.” Since 80% of all medical records are made up of clinical laboratory testing data, laboratory patients are particularly vulnerable. (Photo copyright: Critical Insight.)
Embargo on the Hunt for PHI
Due to the large amount of data Embargo stole from the AAP servers, it’s likely the hackers were able to procure medical records and account details from all customers of the pharmacies involved in the attack.
Researchers at ESET, an internet security company, first noticed the ransomware organization known as Embargo in June of this year. In a news release, ESET stated that Embargo used an endpoint detection and response (EDR) killer toolkit to steal AAP’s data.
“Based on its modus operandi, Embargo seems to be a well-resourced group. It sets up its own infrastructure to communicate with victims. Moreover, the group pressures victims into paying by using double extortion: the operators exfiltrate victims’ sensitive data and threaten to publish it on a leak site, in addition to encrypting it,” ESET wrote in a news release.
Embargo recently attacked other organizations within the healthcare industry as well. In November, it claimed responsibility for breaching the security of Memorial Hospital and Manor in Bainbridge, Ga. The cyberattack affected Memorial’s email and electronic medical record (EHR) systems, which caused the facility to pivot to a paper-based system, The Cyber Express reported.
Embargo’s attack on Weiser Memorial Hospital in Weiser, Idaho, involved the theft of approximately 200 gigabytes (GB) of sensitive data and caused a four-week-long outage of its computer systems.
Other Cyberattacks on Healthcare Organizations
Dark Daily has covered many cyberattacks on hospital health systems in multiple ebriefs over the past few years.
Safeguarding patient data is critical, and more healthcare organizations are discovering the hard way that they are vulnerable to hackers. This situation serves as another reminder to clinical laboratory and pathology group managers that they need to be proactive and serious about protecting their information systems, and in upgrading their digital security at regular intervals.
Hackers are working hard to obtain access to protected health information, which puts patients at continuous risk of having their private records stolen.
Are ongoing protests and federal investigations into health plan practices evidence that customers have reached a tipping point?
It is not common for beneficiaries to get arrested in front of their health plan’s headquarters. But that is what happened in July, when protesters gathered outside of UnitedHealth Group (UHG) in Minnetonka, Minn., to stress their dissatisfaction with the health insurer. More than 150 protesters participated in the demonstration. Eleven were arrested and charged with misdemeanors for blocking the public street outside of the headquarters.
Their main complaint is that the insurer systemically denies care for patients. This is a situation that probably resonates with hospitals, physicians, clinical laboratory professionals, and pathologists, who often see their own claims denied by health plans, including UnitedHealthcare.
“UnitedHealth Group’s profiteering by denying care is a disgrace, leaving people across Minnesota and all of the United States without the care they desperately need,” wrote members of the People’s Action Institute in a letter to UHG’s CEO Sir Andrew Witty. People’s Action organized the protest as part of its Care Over Cost campaign.
“Health insurance coverage has expanded in America, but we are finding it is private health insurance corporations themselves that are often the largest barrier for people to receive the care they and their doctor agree they need,” Aija Nemer-Aanerud, campaign director with People’s Action told CBS News.
“We have asked UnitedHealthcare for systemic changes in their practices and they have refused,” he told Bring Me The News.
Nemer-Aanerud told CBS News that UnitedHealth Group leadership has “refused to acknowledge that prior authorizations and claim denials are a widespread problem.”
“Our mission is to help people live healthier lives and help make the health system work better for everyone,” said UnitedHealth Group CEO Sir Andrew Witty (above) during a Senate Finance Committee hearing in May, NTD reported. “Together, we are working to help enable our health system’s transition to value-based care and are empowering physicians and their care teams to deliver more personalized, high-quality care that delivers better outcomes at a lower cost.” (Photo copyright: The Business Journals.)
People’s Action Institute Demands
In the letter, the changes People’s Action urged UHG to make include:
Ceasing to deny claims for treatments recommended by medical professionals.
Overturning existing denials for recommended treatments.
Stopping the practice of using Artificial Intelligence (AI) and algorithms to deny claims in bulk.
Executing a publicly shared audit and reimbursing federal/state governments for public money diverted by claims and prior-authorization denials within Medicare and Medicaid systems.
Expediting payment of claims.
Making public the details of denied claims and prior authorizations by market, plan, state, geography, gender, disability and race.
A spokesperson for UnitedHealth Group told CBS News that the company has had several talks with People’s Action and has settled some of the organization’s issues. That spokesperson also confirmed that UHG tried to discuss specific cases, but the issues People’s Action brought up had already been resolved.
“The safety and security of our employees is a top priority. We have resolved the member-specific concerns raised by this group and remain open to a constructive dialogue about ensuring access to high-quality, affordable care,” UnitedHealthcare said in a statement.
Profits over Patients?
The People’s Action Institute is a national network of individuals and organizations who strive to help people across the US overturn medical care denials made by insurance giants. Its Care Over Cost campaign aims to influence insurers to initiate systemic changes in their practices.
The recent protest occurred as UnitedHealth Group released its second-quarter financial report claiming $7.9 billion in profits. The company provides health insurance for more than 47 million people across the country and took in $22.4 billion in profits last year.
“UnitedHealth Group’s $7.9 billion quarterly profit announcement is the result of a business model built on pocketing premiums and billions of dollars in public funds, then profiting by refusing to authorize or pay for care,” said Nemer-Aanerud in a press release. “People should not have to turn to public petitions or direct actions to get UnitedHealthcare to pay for the care they need to live.”
“UnitedHealth Group made a decision to spend billions of dollars on stock buybacks, lobbying, and executive pay instead of paying for care people need,” Nemer-Aanerud told Bring Me The News. “They are harming people for profit and should be held accountable for that choice.”
“We all pay for this convoluted system, whether it is in our health insurance premiums or in our public programs. UnitedHealth Group is making billions of dollars in profit by denying people care, including in privatized Medicare and Medicaid plans, to the point that it has prompted a federal investigation … Still, we left the meeting with hope,” they added.
Protests like this one against UnitedHealth Group serve as evidence that the current system of commercial health insurance plans could be deteriorating. This descent may cause customers of these plans to take unprecedented actions to fight for necessary medical care.
As noted earlier, hospitals, physician groups, clinical laboratories, and anatomic pathology groups that see their own claims often denied by health insurers without a clear reason for the denials are probably sympathetic to the plight of patients who are frustrated with how UnitedHealthcare denies their access to care.
