The Big 4 accounting giant promised states AI-powered anti-fraud detection systems in return for hundreds of millions in Covid unemployment contracts. Fraudsters abusing those same systems likely earned more, Forbes finds.
In early 2021, the Deloitte subcontractor Randstad fired a teleservices representative who had been helping Ohioans access Covid-19 unemployment funds through Deloitte’s system, which was deployed in the early days of the pandemic. To her employer, she appeared to be simply tardy. But according to federal investigators, she was guilty of a far more serious, criminal activity: allegedly getting paid for an illicit side hustle in which she removed fraud flags on applications for Pandemic Unemployment Assistance (PUA), the $150 billion pot of Covid-19 money for the self-employed. In return for removing fraud flags, she had allegedly received kickbacks from applicants. One $18,000 payment, for instance, resulted in a $2,000 backhander for the perpetrator, investigators claimed in a search warrant obtained by Forbes.
In a previously unreported oversight in the security of Ohio’s deployment of the Deloitte Unemployment Insurance Framework for Automated Claims and Tax Services (uFACTS), this suspect was allegedly able to unflag as many as 176 fraud issues for at least a month after she was sacked, investigators claimed. The ill-gotten gains were funneled through Cash App and Zelle accounts, one belonging to her daughter and another to her sister, according to law enforcement’s account. (Attempts to contact the suspect were unsuccessful. As neither the family nor the unemployment applicants have yet been charged, Forbes is not revealing their names. Deloitte, and the Ohio Department of Job and Family Services, which oversees PUA assistance declined to comment on the case. Randstad did not respond to a request for comment.)
The breach in Ohio points to a rudimentary security failing amid the consultancy’s difficulties in trying to prevent America’s Covid fraud disaster — and not just in Ohio. In eight states, Deloitte secured multi-million dollar deals based on promises of powerful anti-fraud tech and secure, scalable telecoms infrastructure. In a presentation to the Kansas Department of Labor, in which it claimed to have prevented $100 billion in pandemic unemployment fraud, Deloitte touted “advanced AI-driven fraud detection,” as well as “identity proofing” to help “prevent unauthorized activity,” technologies that had been deployed across U.S. states for over a decade.
“It’s a really bad practice and it’s something that we advise against all the time…”
With its claims of being able to modernize and secure unemployment systems, Deloitte was seen as the obvious choice to help states with the incoming tidal wave of Covid benefits applications for the $650 billion pot of pandemic welfare funds. “Deloitte was the only company that had a production-ready PUA system available,” said Kimberly Hall, director of the Ohio Department of Job and Family Services, in written testimony in May 2020. For contracts in California, Colorado, Illinois, New Mexico, New York, Ohio,Virginia and Wisconsin, Deloitte either deployed tailored uFACTS systems or upgraded legacy infrastructure, and built up attached teleservices centers. Those deals — worth at least a combined $370 million — contributed to Deloitte’s record $50 billion and $60 billion yearly revenues in 2021 and 2022. According to local government data, in states where Deloitte was either asked to help prevent fraud or ran the benefits system, there was as much as $21.2 billion in fraud. uFACTS systems alone saw up to $3.2 billion.
Deloitte spokesperson Karen Walsh said that the company had helped states pay out more than $200 billion in state and federal unemployment assistance and stopped “millions of fraudulent unemployment claims.”
“Deloitte incorporated all identity proofing solutions and anti-fraud technologies authorized by the states and, as signs of criminal activity emerged, recommended additional methods and tools to strengthen program integrity and stop billions of dollars in fraud,” she added.
But in Ohio, as the price of the Deloitte contract spiraled, so did the cost of the fraud. Starting at an initial $10 million in 2020, the Deloitte deal jumped to $122 million as of October 2022. Meanwhile, at least $166 million in fraudulent applications was paid out through the Deloitte system in the state fiscal year between July 2020 and June 2021, according to figures the state auditor provided to Forbes. But this data is incomplete: It does not take into account figures from the 2022 fiscal year, which are still being tallied, nor the $1.2 billion in benefits payments that have been flagged as potentially fraudulent and are still being adjudicated. Ohio Department of Job and Family Services spokesperson Bill Teets said the department had made approximately $1 billion in fraudulent PUA overpayments up to June 30, 2022. Not all of these overpayments went through the Deloitte system, as legacy infrastructure still handled a portion of the applications. The state will continue to contract with Deloitte on PUA, at least through to June 2023, he added.
Despite Deloitte’s claims of advanced anti-fraud detection, the breach of the uFACTS system in Ohio was rudimentary and brazen, according to the search warrant. One of the accused’s customers, in an interview with a Labor Department investigator, said the suspect was advertising her ability to remove fraud flags on Instagram, the warrant said. The suspect also successfully claimed unemployment under her own name, even though she was working for both the Ohio Department of Job and Family Services and the U.S. Postal Service at the time. Deloitte and its subcontractor Randstad, which was the direct employer of the suspect, did not detect her alleged crimes, which were first reported by an anonymous tipster.
Sherrod DeGrippo, vice president of threat research at cybersecurity company Proofpoint, said leaving computing systems open to rogue former employees was common but “horrible.” “It’s a really bad practice and it’s something that we advise against all the time from a security hygiene perspective,” she added.
Yet Deloitte knew about such insider threats facing labor departments in the time of Covid. In June 2020, it was tasked by Michigan to report on the state’s Covid-related fraud problems and detailed a case that bore several similarities to the one in Ohio, according to court records and Deloitte’s findings. In October last year, Brandi Hawkins, a teleservices representative with access to the Michigan unemployment system, was convicted of approving hundreds of fraudulent claims that led to the loss of $3.8 million in government funds. Deloitte noted in its report that Hawkins was able to remove fraud flags on the Michigan benefits database for weeks after her termination.
Unlike Hawkins, the suspect in the Ohio case also claimed to be able to get fraudulent applications approved in other states where she didn’t have direct access to the system, investigators said. According to the government, she was particularly successful in California, where Deloitte had deals worth a total of $88 million with the Employment Development Department (EDD) for Covid-19 benefits. In late 2020, the suspect’s customers had fraudulent applications approved in California, totalling over $50,000 in payouts from the West Coast state, Labor Department officers claimed. The same customers had already had fraud flags on applications in Ohio removed and been given a payout, according to the warrant, showing it was possible to file claims in multiple states under the same name and receive insurance checks.
Along with complaints that millions of calls to Deloitte-supported centers in California were going unanswered, assemblyman David Chiu told local media in March 2021, “Deloitte has continued to underperform.” The call centers, he added, were a “mess.” In January 2021, in an assessment of the EDD’s work on Covid-19 benefits, the state auditor slammed the agency for failing to act promptly to prevent as much as $10.4 billion in potentially fraudulent unemployment payments. It highlighted an estimated $810 million paid out to incarcerated individuals who were ineligible for payouts. By October last year, the EDD’s own estimate for total lost to fraud stood at $20 billion.
Other states weren’t even able to put a figure on the amount of fraud perpetrated through their systems. In a similar deployment to Ohio, Illinois spent $14.3 million for a uFACTS setup and another $42.7 million to prop up attached call centers, according to government contract records. But the deployment was “inadequate” as it didn’t collect accurate data on PUA claims, according to state auditor Frank Mautino. He told Forbes, “We know that there was a large amount of fraud,” but it will have to wait until next year’s audit to get the requisite data to put a dollar amount on the criminal activity.
Deloitte’s woes with its Covid benefits contracts go right back to the early days of the pandemic. In May 2020, a mistake by Deloitte led to personal information of as many as 240,000 unemployment insurance applicants in Colorado, Illinois and Ohio leaking on government benefits websites. The company settled a class action suit over the breach for $4.95 million in 2021.
Deloitte’s existing uFACTS systems also weren’t able to handle the flood of claims during the pandemic. Florida set up its bespoke version of uFACTS, dubbed CONNECT, in the mid-2010s for $55 million, but when the pandemic hit the system couldn’t take the load. As a result, hundreds of thousands of Floridians were unable to access benefits, leading Governor Ron DeSantis to order the Office of the Chief Inspector General to investigate. Though Deloitte tried to distance itself from criticism by noting it had handed the system over to Florida to manage in 2015 and over which it had no control, it still came under fire for what it had provided, failing to deliver “contractual capacities” for at least 200,000 concurrent users. “Deloitte’s delivered uFACTS solution was substandard compared to their proposed solution,” the Inspector General concluded. According to local media, the state said it lost $1.9 billion fraud over CONNECT since the start of the pandemic.
The federal government also played a role in the amount of fraud perpetrated over Deloitte’s systems: When setting up PUA benefits, the government allowed the self-employed to self-certify, with little demand to check on claimants’ backgrounds or ask that they produce employment documentation, making the entire system inherently vulnerable to fraud. As the Illinois Department of Employment Security said in response to the auditor’s criticisms, many states suffered significant fraud “because the Trump administration designed a uniquely flawed system.” With that framework, Deloitte was asked to build up IT and staff that could handle an unprecedented leap in insurance claims within a matter of weeks. In Illinois, principal auditor Kathy Lovejoy, who is continuing to look into the Deloitte contract, said the “contract was put in place in a very short amount of time to get this program off the ground in order to get the citizens of Illinois some assistance.”
“I’m not saying that’s an excuse, but that’s reality,” she added.