Federal Reports

On December 5, 2021, the National Railroad Passenger Corporation (Amtrak) responded to our investigative report titled, Opportunities to improve Controls to Detect and Reduce eVoucher and Ticket Fraud. Our report focused on investigations that involved the use of fraudulent company eVouchers and tickets that were not detected by the company, causing significant financial losses. We identified internal control weaknesses and other vulnerabilities that exacerbated the company’s fraud risk.The company’s response recognized multiple challenges with the eVoucher program, and it subsequently conducted a detailed analysis to identify existing practices that led to the greatest risk and loss to the company. As a result, the company made two improvements in an effort to remedy the issue. First, the company announced that the expiration date of the original eVoucher will be enforced. Previously, when an eVoucher was modified or partially used, the remaining balance was issued as a new eVoucher with a new expiration date. The enhancement ensures that the expiration date of the original eVoucher is applied to any subsequent eVouchers and is valid for one year from the issuance of the original eVoucher. Second, the company is prohibiting any name changes or transfers of an eVoucher and only the named original purchaser of Amtrak travel can use and retain the value of the eVoucher, eliminating potential sales to third parties.

Facet-joint denervation is a procedure that physicians use to treat neck or back pain caused by arthritis in or injury to the facet joints in the spine. To address inappropriate billing for and overuse of spinal facet-joint denervation for pain management, the Medicare Administrative Contractors (MACs) developed two limitations of coverage. One of the coverage limitations, in place in 11 of the 12 MAC jurisdictions, allowed physicians to be reimbursed, during a 12-month period, for a maximum of 2 facet-joint denervation sessions per beneficiary for each covered spinal region: (1) the lumbar region (lumbar spine) and (2) the cervical and thoracic regions (cervical/thoracic spine). The other coverage limitation allowed physicians to be reimbursed for a maximum of 4 or 10 facet joints per denervation session, depending on the MAC jurisdiction. A prior Office of Inspector General (OIG) audit found that MACs that limited coverage to five facet-joint injection sessions related to the lumbar and cervical/thoracic spines during a rolling year had improperly paid physicians $748,555 for sessions that exceeded this coverage limitation from January 1, 2017, through May 31, 2019. Therefore, we conducted this audit to determine whether Medicare made improper payments from January 1, 2019, through August 31, 2020 (audit period), for selected facet-joint denervation sessions in the MAC jurisdictions that had coverage limitations.

The VA Office of Inspector General (OIG) Vet Center Inspection Program provides a focused evaluation of aspects of the quality of care delivered at vet centers. This report focuses on Continental district 4 zone 1 and four selected vet centers: Casper, Wyoming; Denver, Colorado; and El Paso and Midland in Texas. The inspection focused on six review areas: leadership and organizational risks; quality reviews; COVID-19 response; suicide prevention; consultation, supervision, and training; and environment of care.Generally, district leaders were knowledgeable about quality improvement principles and engaged in continuous improvement activities in response to VA All Employee Survey results. District 4 zone 1 Vet Center Service Customer Feedback survey results exceeded national scores in four of the six categories.The OIG conducted an analysis of vet center quality reviews required to ensure compliance with policy and procedures. The OIG made three recommendations for clinical and administrative quality reviews and one recommendation for critical incident quality reviews.The COVID-19 response review showed that while initially there were personal protective equipment shortages for staff, adequate supplies were reported at the time of inspection. Employees’ responses indicated that district leaders and vet center directors provided communication and guidance that helped with employee and client safety.The suicide prevention review included a zone-wide evaluation of electronic client records, and a focused review of four selected vet centers. The OIG issued eight recommendations—seven specific to electronic client records and one for selected vet centers’ suicide prevention and intervention processes.The consultation, supervision, and training review evaluated the four vet centers. The OIG identified concerns with external clinical consultation, supervision, and training, and issued five recommendations.The environment of care review evaluated the four vet centers. The OIG made three recommendations.The OIG issued a total of 20 recommendations for improvement to the District Director.

The Federal Risk and Authorization Management Program (FedRAMP) standardizes security and risk assessments for cloud technologies for federal agencies, including VA. In April 2019, the VA Office of Inspector General (OIG) received allegations that VA’s Office of Information and Technology’s (OIT’s) Project Special Forces (PSF) was not following FedRAMP policies or VA policy for deploying software-as-a-service (SaaS) applications. The OIG found that OIT granted security authorizations for applications that were not authorized by FedRAMP. Eight of the nine applications cited by the complainant were in use on the VA network—some without FedRAMP or VA authorization. Another three applications were approved to operate on VA’s network without FedRAMP authorization. The OIG did not substantiate that PSF-developed applications were improperly managed outside the VA Enterprise Cloud group. However, PSF did not follow VA security requirements in developing interfaces that allow third parties to “plug into” the VA to send and retrieve data. OIT personnel stated that there was no formal OIT authorization process until April 2019. After that date, the review team did not find instances of VA-authorized applications without FedRAMP authorization. OIT staff also misunderstood the FedRAMP authorization requirements for SaaS applications containing data classified as less sensitive.Failure to comply with FedRAMP standards increases the risk that VA and veterans’ data could be compromised. The OIG made four recommendations to the acting chief information officer (1) to determine whether to prevent use of the unauthorized SaaS applications and (2) whether the reviewed applications should be authorized or reported to the Federal Chief Information Officer. The remaining recommendations were (3) to implement alerts for interface-related abuse and (4) to either use application programming interfaces that transmit sensitive information and requirements for cross-origin resource sharing or seek exceptions to the standards. VA concurred with all recommendations.

While conducting fieldwork for our International Mail Operations and Performance Data project, we found significant operational delays of international outbound (export) packages. Operations were significantly challenged at the Postal Service’s five ISCs due to a large number of export packages identified as having insufficient AED. Postal Service data showed nearly 2.9 million pieces with missing AED between January and August 2021. We also found significant processing delays of some export packages identified with insufficient AED.