Medicaid Firm Struggles to Block Patient Data From India Workers

December 11, 2025, 5:18 PM UTC

The largest processor of Medicaid claims is leaving Americans’ personal health and identifiable information vulnerable to access by its overseas workers, as a push to send more operations to India clashes with its contractual obligations to keep that data from being seen outside the US.

Interviews with 15 current and former Gainwell Technologies employees over several months, backed by a review of internal communications, emails and records of individual meetings, show its systems can’t always prevent protected data from being viewed by workers in India.

Personal health information has been visible during troubleshooting meetings, group chats and through a process called “knowledge transfer” — online sessions where US employees train the India workers who may eventually replace them.

“Medicaid and claims tied to U.S. citizens can be accessed by offshore contractors. It is not just a security risk – it is a breach of trust and a direct conflict with the commitments Gainwell has made to state agencies,” said Bob Colson, a former Gainwell applications manager who said he resigned in August over what he called ethical concerns with the company’s overseas data practices.

“There is a troubling disconnect between policy and practice.”

Gainwell, based in Irving, Texas, has more than 2,600 people working from India, according to current employees — more than double the number mentioned two years ago in its 2023 Diversity, Equity and Inclusion report. It provides Medicaid processing work that touches about 70 million of the approximately 80 million enrollees in the federal-state insurance program for low-income and disabled Americans.

US employees, who have long legally shared identifiable patient and provider data with each other, now interact daily with newer co-workers in India who, under Gainwell policy and its contracts with more than two dozen states, aren’t supposed to see any of it.

The issue, some employees said in interviews, is that it’s difficult if not impossible for some of the jobs in India to be done without at least some access to identifying information. That becomes particularly problematic during training and troubleshooting meetings because the live, unredacted data US workers are seeing sometimes is also visible to their India colleagues, the workers said.

Gainwell declined repeated requests for an interview, but in written responses to questions it strongly disputed claims by Colson and other current and former employees that systems containing protected health information (PHI) and personally identifying information (PII) can be seen or accessed by workers in India.

“Safeguarding client data is Gainwell’s utmost priority. Client data is not being accessed by anyone outside the United States who should not have access,” the company said in a statement issued through the New York public relations firm Risa Heller.

Risk of Theft

Gainwell says its security systems are state-of-the-art and “ensure databases containing PHI cannot be accessed by people who should not access them,” according to a letter from its law firm, Meier Watkins Phillips Pusch. “Gainwell steadfastly abides by all provisions limiting data storage and access to the U.S.”

Protected health information and personally identifying information are particularly appealing to fraudsters and black-market thieves, HIPAA Vault, a cyber-security firm specializing in protecting patient data, wrote in a March blog post.

“What makes PHI so potent ... is its authenticity. Medical records include verified data points that financial institutions trust—making it easier for fraudsters to bypass traditional safeguards.”

Federal law doesn’t prohibit personal health data from being handled outside the US. But nearly all of Gainwell’s state contracts prohibit storing, viewing or accessing any identifying information outside US borders. Some, including New York and Colorado, have denied repeated requests by Gainwell to do state Medicaid work in India.

Gainwell has declined to say which states, if any, allow it to handle US patient data outside of the US, saying it can’t discuss any client relationships.

De-Identifying Data

Gainwell is the primary Medicaid information systems vendor in 32 states and territories after a series of mergers and acquisitions that gave it dominance in the market. It has 10,600 employees worldwide, according to Forbes.

Its parent company is carrying $5.7 billion in debt as a result of those deals, according to data compiled by Bloomberg. That prompted at least $250 million in spending cuts that led to jobs being slashed in the US and contributed to its push to shift more jobs to India, according to a July report by Standard and Poor’s. The company has put its annual revenue at more than $2 billion.

Michelli Kelly, who served as a Gainwell director of engineering until October, said she and members of her team were directly pressured by Vice President Eshwar Muddasani to allow teams of subcontractors and engineers in India access to unredacted US health care data.

She said she refused. She said she was laid off in October after weeks of disagreements over data practices; the company said she was laid off in November as part of a reduction in force.

“Eshwar told me to give India access to environments where they would be able to see and access live patient data. It happened a lot, and I was like a mocking bird repeating over and over that it was PHI, and I wouldn’t do it. I wasn’t going to break our contracts,” Kelly said. “Teams of developers in India, including subcontractors that Eshwar hired, were seeing live, actual data. I am positive of that.”

“De-identifying data is expensive and time consuming, and Gainwell was in too much of a hurry to get the India workers up and running,” Kelly said.

Muddasani denied Kelly’s account. “I want to make it clear that it is not true—I’ve never suggested that an offshore employee or offshore contractor should access PHI or PII,” he said in an email.

Yvonne Bell, a former Gainwell senior professional software engineer, said that in August she identified and removed 20 India-based engineers who’d been improperly given access to critical Gainwell systems and folders servicing the California Medicaid account. Those systems allowed remote access to full, unredacted patient and provider information that included tax identification numbers, dates of birth, Social Security numbers and other protected information, she said.

Bell, who said she was laid off on Oct. 14, worked on the California account for 14 years, including for companies and contracts acquired by Gainwell.

“I know the California contract, what is allowed, what is right and what isn’t. California doesn’t allow any offshore access, but Gainwell is using engineers in India to do work on MMIS systems, CRM, architecture, data dictionaries,” Bell said. “It is wrong, and I complained over and over, but the company did nothing.”

On Aug. 11, she sent an email to members of the California team outlining some of her concerns. She also said she told her team and Gainwell executives that the India access wasn’t allowed under the California contract. She said she was ignored.

“Nothing happened . . . Under our ethics policy, there was supposed to be an investigation, but nobody investigated or even talked to me,” Bell said, adding that she followed up multiple times.

Gainwell didn’t answer questions about Bell’s assertion that at least 20 India-based staff were doing work on the California Medicaid contract. It did dispute her assertion that her complaints weren’t investigated.

“She raised concerns to her manager, the concerns were thoroughly investigated, and the investigation conclusively determined there was no improper sharing of PHI or PII,” the company wrote.

Knowledge Transfers

Although the data used in knowledge transfers and troubleshooting sessions is supposed to be de-identified, three current and three former employees said that actual patient names and histories are sometimes exposed — even if accidentally — during training. The demands of training all the new workers sometimes outpace the ability of engineers to de-identify the data needed for those sessions, Kelly and others said.

Gainwell said these current and former employees aren’t telling the truth, and that its systems are built to overcome human error.

“Access is governed by role-based access control, ensuring users can only reach the systems, tools and data required for their specific roles. Geo-fencing policies further strengthen security by limiting access to authorized regions and flagging anomalous connection attempts,” Stacey Smith, Gainwell’s chief information security officer, said in a statement.

Andrew Saxe, a former Gainwell executive who left the company four years ago, said that he has no knowledge of Gainwell’s current activities, but cautioned that the potential availability of “PHI out-of-country by any vendor would be reckless.” Saxe said protecting private patient information, enforcing HIPAA and complying with state contracts trumped everything when he was at the company.

If this is happening, “having foreigners handle any part of the (Medicaid Management Information System) that contains the confidential information of American patients and providers violates the trust between the citizenry and government,” Saxe said. “Public sector contracts come with important legal and ethical obligations that transcend profit.”

Nevada Chat

Gainwell had finally gone live with a major software upgrade for Nevada Medicaid, months behind schedule and littered with bugs. Engineers on two continents spent days working on fixes.

Then, shortly before 9 a.m. on Aug. 4, protected health information and member ID numbers popped up on computer screens during an internal chat session.

“We are adding in PHI .. please be aware that we have Offshore people in this chat,” a US employee wrote in the troubleshooting chat, which was shared with Bloomberg Law. “Should there be offshore people in a production support channel?” another wrote. Another added, “We are checking and removing offshore members from this chat.”

By the time the chat session ended about 14 minutes later, at least four Gainwell India-based workers listed as being on the chat had been removed.

“I have went through and removed anyone I know is offshore,” an employee wrote, according to copies of the chat meeting.

Gainwell’s law firm wrote that “No India-based workers saw or received the PHI” on the Nevada chat. It praised the employees for intervening so quickly.

“One employee shared PII in the chat, and another employee almost immediately realized that four (not six) India-based workers may have access to the chat the next day,” the attorneys wrote. Gainwell said it followed up with the India workers and received assurances they didn’t see the data. None of the four responded to Bloomberg Law’s emailed requests for comment.

The statement said that the India-based workers “were not in the chat at the time,” adding, “it was nighttime in India.”

Many engineers in India work overnight shifts to overlap with US healthcare hours, according to the company’s job postings and interviews with employees.

A spokesman for the Nevada Health Authority said Gainwell has assured the state that no patient information is being accessed or viewed outside the US.

“Access to Nevada Medicaid PHI or other sensitive data by offshore personnel is strictly prohibited under our agreement with Gainwell,” the authority wrote in a statement to Bloomberg Law, adding the emphasis in bold.

Gainwell said its systems are secure and protected to make sure no patient information is accessed by anyone outside the US.

“The company’s infrastructure is further protected through network segmentation, for example, by isolating engineering, non-production, and production environments from each other to minimize lateral movement across environments and contain potential threats.”

Data Migration

Three months after the Nevada chat, two senior Gainwell engineers, one based in Bangalore and the other in Chennai, India, organized a live Teams meeting with their US colleagues for a “data migration clarification discussion,” according to records of the meeting viewed by Bloomberg Law. No data was shared or viewable during that Teams meeting.

The Nov. 21 meeting took place at 10:30 East Coast time, and specifically noted that the engineers organizing the Teams meeting were working overnight hours from India.

Gainwell said in a statement that “client data is not being accessed by anyone outside the United States who should not have access. In regards to this specific call, it was a routine call and did not include any transfer of PHI or PII.”

One of the engineers listed on that morning’s Teams call was also one of the four India workers named on the August Teams chat in Nevada.

All were listed as having accepted the Teams invitation and being present during the data migration discussion.

Policy Changes

Two months ago, Gainwell announced changes to its data policies.

“Direct access to the production environment will be removed and granted only by exception,” Chief Transformation Officer Jaffry Mohammed wrote to staff on Oct. 1, referring to live, unredacted data. The restrictions cover all employees, and coincided with a new five-person “Change Advisory Board” that creates new restrictions on what systems US-based developers can access or change and limits the time they will have access, according to three employees and internal notices shared with Bloomberg Law.

“Gainwell routinely updates employees on best security practices,” the company said.

“Gainwell removed access to the production environments and then reinstated access for only the most senior members of the staff, to limit the number of people migrating final bug fixes and code to the live program used by customers,” the company’s lawyers wrote. “The change was made to prevent outages and enhance system stability.”

The Replacements

Gainwell is increasingly relying on India-based subcontractors to provide engineering and technical support for its state Medicaid contracts. The company has as many as 400 sub-contractors working for India-based technology companies, Gainwell employees said.

One of those, Infinite Computer Solutions, owes $2.3 million in US taxes, according to a lien filed by the federal government in July. It remains unpaid, according to Maryland state court records.

Infinite Computer Chairman Sanjay Govil didn’t respond to emails or messages left in person at the company’s Rockville, Md., address. More than a dozen phone calls placed to its Maryland office were sent to voicemail.

Gainwell declined to answer questions about its relationship with Infinite.

Gainwell has transferred more than 200 of its workers to Infinite, in a process employees referred to as rebadging, where many perform the same US Medicaid work they always did, according to five current and former employees.

A former Gainwell testing supervisor for the Louisiana Medicaid contract, who was transferred to Infinite earlier this year after 20 years at Gainwell, said much of that work involves training sessions with dozens of Infinite’s India workers assigned to state Medicaid contracts.

She said she was laid off by Infinite in October after training the India-based workers for about three months, and weeks after she complained to her Infinite Computer managers that actual patient data was being shared during some of those sessions. The supervisor asked not to be named because of unresolved issues with Infinite over payment of health and retirement benefits.

David Plokhooy, a former systems operations manager for multiple Gainwell state accounts, said he personally was informed by his staff of instances in recent months where unredacted data had been inadvertently shown to India-based workers. Plokhooy was laid off in October, as part of Gainwell’s cost-cutting measures.

In late June or early July, “(I got) email from an employee who accidentally displayed PHI/PII during a knowledge transfer and he reported it to me immediately. I escalated the issue to senior management, it was then escalated to the Chief Security Officer,” Plokhooy said in an interview.

“He reviewed the incident and responded that the India workers are Gainwell employees and as such there is no restriction on sharing PHI/PII with them.”

Gainwell said that never happened.

“Gainwell investigates and addresses any concerns it receives about alleged improper PHI sharing,” the company said in a statement.

Colson, the former Gainwell applications manager who resigned in August over what he called ethical concerns with Gainwell’s data practices, said he believes the company’s legal team is trying to do the right thing, but isn’t being listened to.

“I do not blame the legal, contracts and compliance teams. They are good people and mean well,” he said. “It is the IT leadership that is pressing this offshore access and side-stepping the rules.”

The company said Colson, who joined Gainwell in 2019 and served as an applications manager and ServiceNow platform owner, “raised limited questions about a system during its development phase.”

“The questions raised were all fully addressed during implementation through controls outside of Mr. Colson’s purview,” the company said in a statement. “Due to the scope of his role, he was unaware of subsequent changes and the final system design.”

Laurie Kelly, a former program analyst at Gainwell who retired earlier this year after working on contracts for Louisiana and New Jersey, said it would be impossible to do her job without access to complete US patient information. “I absolutely needed access to PHI, social security numbers, everything, but they still had me training people in India to take my place,” Kelly said.

Gainwell didn’t respond to Laurie Kelly’s account.

Operating Out of Sight

Some states, including Nevada, allow Gainwell to do database work in India using de-identified data and testing that does not allow live patient data. Gainwell has more than three dozen workers in India assigned to its Nevada contract, according to the company’s internal staffing records reviewed by Bloomberg Law.

Three India-based workers assigned to the Nevada Medicaid contract are listed as doing engineering for provider prior authorization, two are listed under claims and five are categorized in the company’s organization chart as doing “data warehouse” work, without elaborating on what that entails, according to a Gainwell document obtained by Bloomberg Law. Gainwell employees in four states said those assignments would almost certainly have required access to at least some identifiable patient data, including prescription and medical histories.

Gainwell, in its written responses, said, “All Medicaid prior authorization review and claims processing work involving personal health information is done in the United States.”

“It’s a bright line rule at Gainwell: no claims work is performed in India.”

Five workers told Bloomberg Law they have been ordered to never discuss the India operations with any state Medicaid officials.

“We were told not to discuss anything with the states, not to tell them about anything,” said Laurie Kelly, the former senior program analyst.

Creation of HIPAA

As more patient health data was stored digitally, Congress created the Health Insurance Portability and Accountability Act - HIPAA - in the 1990s to help protect private patient data, and protect the healthcare and insurance companies that handled that data. Under the law, any employee who handles patient information must undergo extensive training, which is renewed each year.

“Without HIPAA there would be no requirement for healthcare organizations to safeguard data – and no repercussions if they failed to do so – potentially resulting in widespread medical identity theft,” according to the HIPAA journal, a medical trade publication.

HIPAA, and state contracts, are designed specifically to provide the ability to protect information and enforce state and federal laws, health care experts said. Keeping that data under US control — and within the US justice system if things go wrong — is crucial to protecting data.

Jeffrey Grant, a former deputy director for operations at the federal Centers for Medicare & Medicaid Services, said the ability of any state to conduct investigations depends in large part on making sure data remains in the US. Grant led federal investigations and enforcement actions — including one unrelated to Gainwell alleging improper access to and misuse of personal health information from India — until leaving the CMS earlier this year.

“An employee in the US can steal data and do nefarious things with it just as an employee in India can,” Grant said. “But the reason every state won’t let data go overseas is because they are no longer subject to our criminal and civil law. Good luck convincing somebody in the India government to get that data back and go after anyone.

“You want to make sure your data is in the US so you can have legal recourse,” Grant said. “American citizens need to know that when the law is violated the government has the authority and the resources to go after the people who did it.”

To contact the reporter on this story: John Holland at jholland1@bloombergindustry.com

To contact the editors responsible for this story: Bernie Kohn at bkohn@bloomberglaw.com; Zachary Sherwood at zsherwood@bloombergindustry.com
