Kentucky Auditor Mike Harmon this week published a review that focused heavily on the cybersecurity and fraud-prevention shortcomings of the commonwealth’s unemployment insurance system.
Of 19 findings included in the extensive report, nine highlighted how Kentucky’s Office of Unemployment Insurance failed to implement measures that might have prevented millions of dollars in fraudulent payments. The report follows a 2020 audit in which auditors found security gaps, such as the ability for employees to remove stops on their own accounts.
Harmon said that while the state has made progress on some of last year’s issues, the most recent report confirms “multiple instances” of fraudulent claims.
“OUI failed to fully implement controls to detect fraudulent activity, which resulted in many claimants receiving payments before OUI flagged them as potentially fraudulent and stopped further payments,” he wrote.
Among the findings: 54 people who claimed to be commonwealth employees received more than $333,000 in unemployment payments. Upon randomly examining 13 of these claims, Harmon’s office found all 13 were fraudulent and that those claimants did not actually work for the state.
In another batch of suspicious payments totaling $2.9 million, auditors found that 25 of 26 randomly selected claims were fraudulent. Of more than 28,000 out-of-state claims totaling $195 million, auditors randomly selected 34 and found 15 were fraudulent.
“Our review found even though OUI took action to stop payment on these fraudulent claims, they did so after each claim was inappropriately paid for at least two weeks,” Harmon said.
The report outlines many security controls the unemployment office failed to implement, despite state laws requiring those measures, including regular risk assessments and vulnerability scans.
Harmon’s office also claims that OUI purchased software to prevent fraud but didn’t use it. The office disputed this claim in its official response to the report, however, listing 22 past, existing and planned fraud-prevention measures, including identity verification via the Social Security Administration and cross-referencing claims data with other states. The agency said it also works with the National Association of State Workforce Agencies’ Integrity Data Hub to share resources against unemployment fraud.
The auditor cited the age of the state’s unemployment system as a contributing factor in the large amount of fraud detected. The system, called Kentucky’s Electronic Workplace for Employment Services, sits on a 1970s mainframe, though OUI defended the software by pointing out that it was developed in 2004 and upgraded in 2009 and again in 2015.
Unemployment fraud is proving to be a lasting legacy of the COVID-19 pandemic. As outdated systems were slammed with claims at the onset of the health crisis, many administrators relaxed their screening processes to speed through massive claims backlogs. A Colorado audit in December estimated the state paid $103 million in fraudulent claims during the pandemic.