Time constraints imposed by the 1-year time limit of our Human Research Protection Program required us to choose and investigate only one MCSC’s provider roster. TRICARE’s two main MCSCs, Health Net Federal Services, LLC (TRICARE West) and Humana Inc (TRICARE East) [1], receive approximately US $7.2 billion and US $7.87 billion per year, respectively, to ensure military medical readiness in their respective regions [34]. Additional MCSCs provide services to niche beneficiary populations, including Johns Hopkins Medicine (US Family Health Plan) and International SOS Government Services, Inc (TRICARE Overseas) [1]. These MCSCs do not display the NPIs of their health care providers on the web. From this group, we chose TRICARE West randomly.

TRICARE West is currently operated by Health Net Federal Services, LLC across 21 states: Alaska, Arizona, California, Colorado, Hawaii, Idaho, Iowa (excluding the Rock Island Arsenal area), Kansas, Minnesota, Missouri (excluding the St. Louis area), Montana, Nebraska, Nevada, New Mexico, North Dakota, Oregon, South Dakota, Texas (Amarillo, Lubbock, and El Paso areas only), Utah, Washington, and Wyoming.

To gather further information on health care providers in the search area, we evaluated national and statewide trends from the Health Research Services Administration’s (HRSA) National Practitioner Data Bank related to licensure, adverse events, malpractice, Drug Enforcement Administration enforcement, and exclusions [35]. HRSA also publishes zip code–level data on health provider shortage areas (HPSAs) [36] and the availability of nearby Federally Qualified Health Centers (FQHCs). FQHCs are nonprofit medical facilities that provide primary care to an area or people in need, offer a sliding fee scale, provide complete services, have a quality assurance program, and maintain a governing board of directors [37]. For rural communities where TRICARE providers refuse new patients or lack available appointment times, FQHCs may be an excellent closer option than an MTF. They compare favorably to private providers for patient access, safety, and satisfaction [38]. Due to their nonprofit mission, however, many FQHCs lack digital health care IT resources [39]. No studies have investigated TRICARE beneficiary use of FQHCs.

TRICARE West’s 3.7 million patients reside primarily in Texas, California, Washington, Colorado, and Arizona [40]. The Defense Manpower Data Center provides some details on the distribution of military service members and their families. For example, Texas is home to the highest concentration of service members from both the Army (16.9%) and Air Force (12.9%). California houses the largest number of active duty Marines (36.6%) [41]. Most active Space Force Guardians (24.7%), on the other hand, are based in Colorado [41]. By contrast, the largest concentration of Navy active duty members reside in Virginia (26.5%) [42]. Although one-third of service members move every year, no public-facing data indicate how many TRICARE West beneficiaries transition to TRICARE East or vice versa [43]. While service members are somewhat healthier than civilians, today’s TRICARE providers must treat the same conditions that impact the rest of society, such as cardio- and neurovascular diseases, sexually transmitted infections, substance use disorders, metabolic disorders, and mental health issues [44-46]. According to the Medical Expenditure Panel Survey, a nationwide questionnaire, TRICARE-covered families nationwide reported inferior access to medical care when compared to uninsured, commercially insured, and privately insured peers [47]. Furthermore, military families dealing with complex pediatric care reported worse outcomes than civilians [47]. Approximately 40% of military families have children [48]. At least 1 in 12 rely on Medicaid to provide supplemental coverage for their children [49].

TRICARE West publishes the first and last names, specialty type, practice type, company names, and contact information of TRICARE-credentialed civilian providers on their public-facing provider directory, which was accessed on the TRICARE West website [50] for this study.

Between January 1-31, 2023, we used TRICARE West’s provider directory to search for all names within a 5-mile radius of 798 United States Postal Service–designated zip codes within TRICARE West’s territory of 12,574 zip codes. We copied and pasted all raw results into an Excel (.xls) file (Microsoft Corporation).

To ensure compliance with the terms and conditions of the TRICARE provider directory, all data were manually accessed.

To ensure each batch of results included the largest possible number of TRICARE provider names, we limited the scope of each search query on the TRICARE West provider directory to those zip codes known to contain at least 10,000 residents and 1 credentialed medical provider. Population estimates were gathered from the 2020 US Census [51]. For each state, 38 zip codes were selected for searching on the TRICARE West provider directory. These 798 zip code searches represent 6.1% of TRICARE West’s total land coverage area.

The TRICARE West provider directory displays first, last, and business names; full addresses; phone and fax numbers; degree type; provider gender; specialty; and active/closed status.

To evaluate the data, we gathered the most current .xls versions of the OIG-LEIE and GSA-SAM.gov, the HIPAA list, state lists, CSL, FDA lists, the FBI list, the DHA Sanctions List, and FUG. Using the VLOOKUP function in Excel, we cross-referenced the providers’ first, last, and corporate names (with and without zip code qualifiers) against each exclusion, sanction, and violation list. VLOOKUP search strings are useful database tools for detecting fraud patterns in spreadsheets, including common names or locations [52,53].

This study relied on no confidential data. It was conducted with an exemption from the Human Resource Protection Program of Defense Acquisition University, received on January 30, 2023.

Our search of the TRICARE West provider directory yielded 111,619 raw results across the 798 zip code areas. Searches of 54 zip codes yielded no entries, including 21 searches in Missouri, 18 in Wyoming, 5 in Iowa, 5 in Alaska, 4 in Washington, and 1 in Texas.

After filtering out 72,156 (64.65%) entries for duplicates, closed offices, and data located in external states, we established our baseline list of 39,463 TRICARE West active provider names. This group accounts for 5.53% of TRICARE’s 2021-2022 nationwide civilian roster [1].

Within the baseline group, 2398 (6.08%) provider names matched the first and last names of individuals and business owners found on 10 federal and state regulatory watch lists (Figure 1).

Among the 2398 names, 2197 appear on the OIG-LEIE and 2311 appear on the GSA-SAM.gov. Within the group, 2 appear on the HIPAA list, 69 appear on the CSL list, 10 appear on the FUG, 15 appear on the FDA lists, 53 appear on the FBI list, and 54 appear on 15 different state Medicaid exclusion lists (Alaska: 0; California: 38; Hawaii: 0; Idaho: 0; Iowa: 1; Kansas: 0; Minnesota: 0; Missouri: 0; Montana: 0; North Dakota: 0; Nebraska: 0; Nevada: 1; Texas: 20; Washington: 0; Wyoming: 0).

Our search matched 1997 providers with 2 total exclusion types, 230 providers with 1 type, 158 providers with 3 exclusion types, 12 providers with 4 exclusion types, and 1 provider with 5 exclusion types. All providers with 2 or more exclusions have their first, last, or corporate names appear on the OIG-LEIE and GSA-SAM.gov exclusion lists. All names that appear on the FDA lists, HIPAA list, FUG, and CSL also appear on the OIG-LEIE or GSA-SAM.gov. Most providers with names on the FBI list (50/54) appear on the GSA-SAM.gov.

One name matched 1 provider on the DHA’s Sanctioned Provider List for TRICARE-specific offenses. To protect the provider’s privacy, we will not identify their state or other matching characteristics. Since 1990, the DHA Sanctions List has included no new providers in Utah or Minnesota (Table 1).

Provider names linked to exclusions were also associated with a medical degree (doctor of medicine [MD] n=1288, 54%; doctor of osteopathic medicine [DO] n=199, 8%). Family medicine was the top specialty (n=324, 13.5%), followed by nurse practitioner (n=148, 6.2%), internal medicine (n=112, 4.7%), optometrist (n=99, 4.1%), and pediatrics (n=91, 3.8%). Diploma types with the fewest exclusions included master of nursing (MN; n=1), registered behavior technician (RBT; n=1), licensed clinical psychologist (LCP; n=1), physical therapist (PT; n=1), and certified registered nurse anesthetist (CRNA; n=1). Our results include information about provider specialty and diploma type. Our results also included information on provider gender. Male providers accounted for 59.42% of the exclusions, while female providers accounted for 40%. Two providers did not report their gender.

States with the highest concentrations of names associated with exclusions within the TRICARE West network were Utah (11%) and Minnesota (9%). The five zip codes with the highest exclusions were 84096 (Herriman, UT; n=18), 84062 (Pleasant Grove, UT; n=17), 99669 (Soldotna, AK; n=16), 84790 (Washington County, UT; n=14), and 80524 (Fort Collins, CO; n=14). The five zip codes with only 1 total exclusion were 96782 (Honolulu, HI; n=1), 79159 (Amarillo, TX; n=1), 84003 (Utah County, UT; n=1), 83401 (Bonneville County, ID; n=1), and 99505 (Anchorage, AK; n=1).

Finally, we conducted a follow-up TRICARE West directory search of how many MTFs operate within a 100-mile radius of those zip codes with the highest concentration of excluded provider name matches (Table 2). Whereas 96782 (Honolulu, HI) had 9 MTFs within a 100-mile radius and 1 provider associated with an exclusion, 83401 (Bonneville County, ID), 84790 (Washington County, UT), and 79159 (Amarillo, TX) have no MTF alternatives to provider names associated with exclusions.

This is the first academic study to assess the level of compliance of a federal health care program’s provider directory with criminal background check laws. In addition to evaluating provider names on databases for medical fraud, we expanded our search to include domestic terrorism, financial crimes, child support delinquency, and data breaches. Our matches included 28 fugitives from justice and 58 January 6th defendants.

Our results align with historical trends contained in Total Force Medical Readiness (TFMR) reports [54]. Between 2013 and 2021, overall individual medical readiness among nondeployed military components dropped 6 points [1]. In Q4 2013, 75% of the total force reported being “fully medically ready” (ie, satisfactory dental health, completion of periodic health assessments, deployment-limiting medical conditions status, current immunization status, completion of medical readiness lab tests, and possession of required individual medical equipment). By Q4 FY2021, readiness dropped to 69% [1]. Currently, TFMR reports do not indicate if they rely on data providers who received improper payments. Furthermore, they display no margin of error.

Our demographic findings are consistent with recent and historical reviews of excluded providers. In a cross-sectional study on physician exclusions from 2007 to 2017, Chen et al [55] reported that the total number of physician exclusions grew by 20% to include nearly 0.3% of all US physicians. Exclusions are more common in the West and Southeast among male physicians. In line with Burton et al’s [8] demographic analysis of the OIG-LEIE the majority of the provider names we sampled from TRICARE West’s provider directory have specialty training in family medicine and appear on the GSA-SAM.gov.

Geospatial data may help investigators link medical fraud and adverse events. According to HRSA’s database of HPSAs, 8 of the top 10 zip codes identified by our study for provider names with exclusions lack primary care workers [36]. Indeed, Zhang et al [56] forecasted that Western states will face an acute shortage of 69 physicians per 100,000 residents by 2030.

During the pandemic, HRSAs reported an increase in the number of adverse action reports and medical malpractice payments within the TRICARE West states with the most provider name-exclusion matches (Table 1). The most common adverse event is a patient fall [57]. Increased patient falls at hospitals and nursing homes are typically caused by breakdowns in clinical communications, including systemwide failures in teamwork and failures to consistently follow policies [58]. In Utah, for example, there were 359 adverse event reports in 2019—the highest number recorded in the state’s history [59]. In 2013, there were 555 adverse events in Colorado. By 2020, they peaked at 1215 [57].

We matched the most provider names against exclusions in states where the DHA sanctioned few or no physicians. For example, we detected the highest total number of potentially excluded providers in Utah (n=264), Minnesota (n=227), Kansas (n=212), Colorado (n=201), and Washington (n=180; Table 1). We found the lowest number of exclusion-provider name matches in Idaho (n=32), Missouri (n=21), Nebraska (n=15), and Montana (n=14). The TRICARE West states with the lowest number of DHA-sanctioned providers since 1990 were Utah (n=0), Minnesota (n=0), Colorado (n=1), Oregan (n=0), Montana (n=1), North Dakota (n=0), South Dakota (n=0), and Washington (n=3). Whereas the OIG-LEIE contains a total of 77,621 providers banned from federal health programs, the DHA Sanctions List contains only 129 provider names. In other words, medical fraudsters may have evaded detection by operating in states where the DHA only checks provider names against their own sanctions list.

TRICARE’s financial statement reveals opportunities for increased enforcement of the False Claims Act. The 2022 DHA Annual Report shows US $900,000 collected from excluded providers in 2020 and US $100,000 in 2019—down from a high of US $1.4 million in 2017 [1]. In their FY2021 evaluation of the TRICARE Program, the DHA reported an average annual expenditure of US $2251 on the typical single beneficiary [1]. If 120 (5%) of the 2398 identified TRICARE West providers billed for services for 3 beneficiaries over the preceding calendar year, the DHA could recoup at least US $810,360. Under the False Claims Act, the agency could require each of those providers to pay an additional US $10,000 per patient in penalties (ie, US $3,600,000 in penalties; US $4.4 million in total improper payment recoveries) [60].

Service members and their families need tools to protect themselves from identity theft and medical fraud. HIPAA requires health care providers, including TRICARE West, to safeguard PHI [61]. HIPAA requires health care organizations to conduct regular SRAs to evaluate external and insider threats to PHI and other sensitive data. In addition to their appearance on the OIG-LEIE, two provider names on TRICARE West’s roster were associated with data breaches impacting over 500 medical patients. At least 450,000 TRICARE beneficiaries have an active security clearance [62]. TRICARE has not published a data breach disclosure since 4.9 million patient records disappeared in 2011 [63].

All federal agencies must implement a zero trust (ZT) architecture by 2027. The zero trust paradigm of information security requires participants to operate on a “need to know” basis. We recommend that the DHA prioritize the deployment of a ZT-based Insider Threat Management Model to protect the PHI of service members with security clearance (Table 3). Our model continuously screens the DHA’s civilian providers against federal and state databases. Aligned with the National Institute of Standards and Technology (NIST) 800-207 [64] and the CISA Zero Trust Maturity Model [65], it helps TRICARE administrators wall off providers linked to exclusions from beneficiaries and their data. Effectively, TRICARE patients with confidential-level security clearance or higher gain access to a filtered roster of health care providers. If a search of TRICARE’s website by a National Security Agency engineer with a Top Secret or Sensitive Compartmented Information clearance in Maryland for “John + Smith” matches the name of an excluded provider on the OIG-LEIE and GSA-SAM.gov in a beneficiary’s state, the roster would only display licensed, bona fide physicians. If none exist nearby, the roster would display the closest MTF. If no MTFs exist within a 100-mile radius, TRICARE’s website could display nonemergency medical transportation options to the nearest MTF, secure telehealth options, and covered care options at the nearest out-of-network screened provider. According to our Insider Threat Management Model, any providers in the TRICARE network associated with 3 or more exclusions would lose all access to any beneficiaries with clearance. Those beneficiaries need to be transferred to the nearest MTF. Patients who receive care from providers with 3 or more exclusions face higher risks of adverse events [9].

HIPAA entitles TRICARE beneficiaries to specific tools for medical privacy. For example, they may opt out of the Joint Health Information Exchange (JHIE), an electronic platform for transmitting medical data to civilian providers [7]. Currently, the JHIE opt-out system requires a paper-pencil request. As an alternative, the DHA could offer an electronic JHIE opt-out button in current Defense Finance and Accounting Service (DFAS) myPAY dashboards. DFAS myPAY offers multifactor authentication and paperless transactions to mitigate the threat of lateral nonauthorized movement of PII and PHI beyond the control of the beneficiary [66,67]. Our Insider Threat Management Model complements rather than replaces current federal agency mandates for periodic security training of all DHA employees, contractors, and credentialed providers; implementation of strict password, SRAs, and account management practices; explicit security agreements and access restrictions; PHI, PII, and other sensitive information only made available to those who require it; and use of a security information and event management [68] solution. Our model aligns with the CERT Resilience Management Model [69], ISO/IEC 27002:2022 [70], the NIST Privacy Framework [71], and the NIST Cybersecurity Framework [72]. Although TRICARE operation manuals provide clear guidance to providers related to background checks, patient privacy, and cyber hygiene [73], no single clearinghouse provides ethics training, employee background checks, security information and event management solutions, and SRAs for their civilian providers.

By publishing NPI numbers alongside provider contact details, the DHA could reduce the likelihood of fraudulent claims and improper payments. Whereas NPI numbers are permanent, providers may change or add business names, last names, locations, specialties, and state registrations. Furthermore, no free web-based search tool continuously gathers data from all state, federal, and licensing board databases using a combination of name and address spellings.

Our study was conducted under strict resource and time constraints. Between June 2022 and June 2023, we filed 4 Freedom of Information Act (FOIA) requests for (1) NPI numbers of TRICARE civilian providers, (2) data on TRICARE provider roster use, (3) data on HIE Opt-Out requests, and (4) data related to HIPAA-mandated SRAs (also known as “Compliance Risk Assessments”) performed by MCSCs and TRICARE network providers. Although the DHA acknowledged each request, they fulfilled none as of the date of this publication. The DHA’s most recent FOIA disclosure was on July 8, 2015 [74].

This study identified two TRICARE West provider names with matches on the HIPAA breach list. The HHS Office of Civil Rights does not require medical practices to report privacy breaches that impact ≤499 patients. The vast majority of civilian health providers operate in small practices and do not conduct regular SRAs [21].

The DHA’s annual report states that 80% of the public-facing information of their provider directory is accurate [7]. It does not, however, indicate which portion of the provider directory is not accurate. The TRICARE West provider does not include middle initials with all names and a complete list of states in which their providers are licensed. To address these limitations, we spent time manually differentiating providers with common names. For example, our list of 2398 matches includes a common female name that appears 10 times. Each of these female providers lives in different zip codes or states, has different degrees, and practices completely unrelated types of medicine. In other words, expert review was necessary to ensure our final sample was valid and free of duplicates.

In April 2023, the DHA announced that they would replace Health Net Federal Services with TriWest Healthcare Alliance as the prime contractor for TRICARE West [75]. TriWest has made no announcements regarding the transition of TRICARE West’s provider referral website.

Our study reveals that 6.08% of the provider names listed on TRICARE West’s provider directory match individuals listed on federal and state exclusion lists. To assist law enforcement, we provided all data and study materials to the DODIG on May 8, 2023, and the DHA-OIG on May 24, 2023, in the form of a whistleblower complaint. To triage future threats associated with excluded and sanctioned provider names, we proposed a zero trust–based Insider Threat Management Model for TRICARE beneficiaries with security clearances. In future studies, we intend to compare TRICARE East, Medicare, the Children’s Health Insurance Program, and Substance Abuse and Mental Health Services Administration provider rosters against a broader spectrum of exclusion, sanction, and violation categories (ie, the Federal Sex Offender Registry). We also intend to develop products and interventions to automate background checks, protect patient privacy, and educate health care administrators about insider threats.