The largest Medicaid claims processor has built a network of at least 1,800 engineers and analysts in India, rapidly increasing hiring in recent months, even though many of its state contracts require work to be done in the US unless waivers are issued.
Gainwell Technologies LLC’s workforce in India includes pharmacists, payment analysts, and data warehouse managers for its health-care contracts, as well as business analysts for its US Medicaid “immunization registry,” which it claims houses 1.5 billion patient records. Teams of engineers in India are building data centers and artificial intelligence models that will be used to process Americans’ health-care data, according to Gainwell’s descriptions in online job ads.
Meanwhile, hundreds of US employees have been laid off or “rebadged”—involuntarily transferred—to contractors operating in India, according to current and former Gainwell employees. The layoffs are part of Gainwell’s ongoing effort to achieve at least $300 million in cost savings, S&P Global wrote in August 2024 while lowering the company’s credit rating. Closely held Gainwell has been grappling with almost $6 billion in debt, much of it coming due in 2027, according to data compiled by Bloomberg.
The jobs are largely funded by US tax dollars through state contracts, a key reason some states ban most work from being moved overseas without written permission. The shifting of work overseas also calls into question the security of Medicaid recipients’ health data and raises the risk of mistakes since many of the tasks listed by Gainwell in its job ads in India require access to that data, according to Medicaid insiders and data experts.
People have a right to know how their data is being used and how a public program that processes billions of dollars in transactions is being operated, said Kip Piper, a longtime Medicaid insider who has worked for states and the federal Centers for Medicare & Medicaid Services.
“In the end, it is a public program using taxpayer money for a large number of people, many of whose lives depend on getting those services, and taxpayers have a right to make sure that money is being spent wisely and compliantly,” Piper said.
Gainwell, whose work touches about 70 million low-income and disabled Americans enrolled in Medicaid, declined multiple requests to be interviewed for this article. It acknowledged that some data is handled in India, but said in a written response to Bloomberg Law that “no work is done outside the United States for any state client without explicit approval from that client.”
Gainwell repeatedly declined to identify which state contracts allow it to perform Medicaid services outside the US. But a Bloomberg Law analysis of laws, executive orders, and agreements in 15 states where Gainwell is contracted found that all either explicitly prohibit or restrict accessing Medicaid data or conducting work of any type outside the US without waivers.
Medicaid officials overseeing some of Gainwell’s largest state contracts said they didn’t know about Gainwell’s India operations until being asked about them by Bloomberg Law. Out of the seven states that responded to requests for comment, only two—Ohio and Pennsylvania— said they’d agreed in writing to allow some work to be done overseas. Ohio approved such work on May 22 after a two-month review and 10 days after Bloomberg Law inquired about the company’s work in India.
Gainwell and its smaller competitors in Medicaid claims processing have largely stayed under the radar amid congressional negotiations on Medicaid cuts, even as the companies and state health departments routinely fail to catch, and sometimes ignore, even the most obvious fraud and misspending, as Bloomberg Law reported in April.
While Gainwell says it and its predecessors have worked in India for more than 20 years, its staffing there has jumped by around 50% in the past two years. In its 2023 Diversity, Equity, and Inclusion Report, Gainwell said it had 1,250 employees in India and was working to build and renovate local schools and learning centers, and partnering with Indian volunteer organizations.
The company has added hundreds of jobs to its Indian workforce since then, bringing the total to at least 1,800, according to a Bloomberg Law analysis of job postings and social media pages, and confirmed by a former employee familiar with the hiring. The company didn’t dispute that total, but refused to provide a precise number. It also refused to say how many employees it has worldwide, although it has stated in job ads that it is “powered by more than 14,000 employees.”
The descriptions, locations, and details about the nature of the work are included in ads Gainwell placed on Indian job websites and its own job board within the past four months, and confirmed by current and former Gainwell employees. Gainwell employees have also shared detailed descriptions of their work for state Medicaid programs on their LinkedIn pages and other websites.
India Operations
Gainwell has an extensive recruiting operation in India, luring prospects with ads promising a “Fully Remote Opportunity.” Many must work overnight to be on US office hours. Knowledge of the US health-care system is listed as desirable but not mandatory.
Gainwell, in response to questions, said its work in India is “focused on product engineering” and “general and administrative functions,” and that the work doesn’t include Medicaid call center operations.
A listing for data engineers based in Chennai and Bengaluru, India, said the employee must “collaborate with team-members on data models and schemas in our data warehouse.” A posting for a data science position in Bengaluru describes it as “work with large healthcare datasets, performing data preprocessing, feature engineering, and model training while ensuring compliance with HIPAA and other regulatory standards.”
A job posting on the India website Naukri for a pharmacist in Chennai said prospects must have knowledge of “claim adjudication workflows, prior authorizations” and “familiarity with pharmacy management systems, electronic health records.” The pharmacist will need “strong knowledge of drug therapy management and patient counseling,” tasks that go beyond the testing and computer software work approved by a few states.
These tasks would likely require at least some access to beneficiary data, according to experts, including Piper.
Offshoring health-care data and support jobs overseas, particularly to India, greatly increases the risks of coding mistakes and data breaches, said Robyn Petersen, founder and CEO of STAR Medical Auditing Services LLC, a consulting firm that provides billing code services to health-care clinics, hospital systems, and payers. Audits conducted by her company found that offshore coders made as many as four times more mistakes than those in the US.
“It’s just opening this up to a ‘what could go wrong’ scenario,” Petersen said in an interview. “There’s no way to guarantee that they are taking our health-care regulations seriously or even understanding the ramifications of why we have those laws in place.”
At least a dozen Gainwell employees based in India tout their US Medicaid work on their resumes on LinkedIn. One developer wrote that he is working directly on the company’s state contracts, adding that his responsibilities include working with health-care providers and “maintaining and editing of the data in database.”
One analyst wrote that he worked on a Gainwell project “consolidating claims data from various sources, including healthcare providers, insurance companies, and other stakeholders, to create a comprehensive dataset for analysis.” Another wrote that he has spent years “working with Ohio Department of Medicaid (to) implement a world class Pharmacy Benefits solutions.”
Ohio has an exclusive arrangement with Gainwell to manage its Medicaid pharmacy benefits. That contract states that the company “is prohibited from providing services outside of the United States or that allows ODM data to be sent, taken, accessed, tested, maintained, backed-up, stored, or made available remotely outside” of the US, unless the company has obtained a waiver from the state Medicaid department. Ohio state agencies are forbidden under a 2019 executive order from entering any contract to purchase services outside the US. But two Gainwell India employees were listed as supplier contacts on the state’s contract website before the waiver was issued.
The Ohio governor’s office declined to comment on the Gainwell India employees listed, noting that supplier contacts are entered by the company. Gainwell said its employees “do not manage PBMs, drug rebate programs, or other Medicaid pharmacist programs outside the U.S.”
The May 22 waiver limits Gainwell’s work in India to “software development enhancements” on its pharmacy benefits and fiscal intermediary contracts. It requires that “no state data will be accessed, tested, maintained, backed-up, and/or stored outside of the U.S for offshore (India) use.”
“One of our goals for Medicaid was always to support jobs in Ohio,” said Greg Moody, who directed former Ohio Gov. John Kasich’s Office of Health Transformation.
“Using Ohio taxpayer dollars to attract federal funds and then sending that money overseas would be a clear misuse of public funds and serious violation of public trust.”
In January, Pennsylvania amended its contract to allow Gainwell to “perform development and testing work only,” the Department of Human Services said in a statement.
The limited work Pennsylvania approved doesn’t involve protected health information, said Brandon Cwalina, press secretary for the state Department of Human Services.
Colorado health officials told Bloomberg Law that Gainwell verbally inquired about doing work on its $368 million contract outside the US, but put nothing in writing. The state turned down the request.
“Offshoring healthcare data can introduce additional and difficult-to-control risks, including the potential for data exposure and significant challenges in enforcing HIPAA-related protections if an incident occurs outside the United States,” the Colorado Department of Health Care Policy & Financing said in a statement.
New York’s Office of the Medicaid Inspector General said Gainwell hasn’t sought permission to alter its contract.
“Gainwell has assured OMIG that no activities related to NY Medicaid are taking place outside of the US, and the company has not requested permission to do so,” the agency said in a statement.
The Oregon Health Authority, which contracts with Gainwell to process all Medicaid billing for the state, said it hasn’t permitted Gainwell to conduct any IT-specific work outside the US. The state agency deferred additional questions on its contract to Gainwell.
In Texas, Gainwell is prohibited from accessing the state Health and Human Services Commission’s network or email outside the US for work on its contract to handle the state’s prescription drug benefits, the agency said in an emailed statement.
Gainwell declined to comment directly on the statements from Colorado, New York, Oregon, and Texas, noting it doesn’t comment on individual client contracts or agreements. The company reiterated that no work is done outside the US on a contract without explicit approval from that state client.
Gainwell, based in Irving, Texas, has relationships with two companies doing business in India—NTT Data and Infinite Computer Solutions. Current and former employees interviewed by Bloomberg Law said that Gainwell in the past year has assigned some of their US engineering and data software colleagues to work for affiliated companies, and a review of online CVs shows at least a dozen Gainwell employees shifted to Infinite in the past year. Infinite didn’t respond to voicemail messages left at its US headquarters in Rockville, Md.
States have struggled to maintain oversight on contractors at home, making the monitoring of work abroad “virtually impossible,” Piper, the Medicaid insider, said.
In January, Florida’s inspector general for health care administration issued an audit accusing Gainwell of failing to “adequately monitor” a subcontractor’s work. The subcontractor mentioned in the inspector general’s report was only four miles away from Gainwell’s offices in Tallahassee, Florida’s capital. Gainwell declined to comment directly on the Florida report.
States often lack the budgets and staff to oversee contractors within a state, so “it’s just not feasible” to hold an offshored contractor “accountable and to provide the necessary oversight that the contractor is meeting both federal and state law and the requirements of the contract,” Piper said.
Data Privacy
No federal law explicitly prohibits companies from storing or accessing Medicaid beneficiary data outside the US, the CMS said in an emailed statement—though every state contract with Gainwell reviewed by Bloomberg Law prohibits the practice without written approval.
The CMS said states and their contractors must comply with federal laws and regulations on the storage, processing, and sharing of sensitive applicant and beneficiary data, including requirements under the Health Insurance Portability and Accountability Act (HIPAA) to “protect against any reasonably anticipated threats or hazards to the security or integrity” of “electronic protected health information.”
There are good reasons for such caution, according to experts who deal with Medicaid programs. Many of the jobs Gainwell advertises in India say they can be done remotely, making the data only as safe as the security of an employee’s home router or local coffee shop without additional safeguards.
“We do not trust these other countries to have the same standards and take the same care with our data,” said Jeffrey Grant, former deputy director for operations at CMS’s Center for Consumer Information and Insurance Oversight, who helped set up databases for the Affordable Care Act. “As soon as it’s offshore, it’s out of our control and you don’t know who’s got access.”
Government watchdogs have also questioned the feasibility of safeguarding personal health information once it leaves US territory. “Medicaid agencies or domestic contractors that send PHI offshore may have limited means of enforcing provisions of BAAs that are intended to safeguard PHI,” the Department of Health and Human Services Office of Inspector General said on business associate agreements in a 2014 report. BAAs are required by Medicaid to ensure that any contractors handling personal health information are properly trained on protecting that information, and that it will be safeguarded from “misuse,” according to the Health and Human Services website.
Gainwell said it requires all employees, including those in India, to complete annual HIPAA and privacy law training. It said it has a “robust and thorough hiring process that includes comprehensive vetting, onboarding, and training processes for all of our employees.”
Engineers for Gainwell’s machine learning models are told that knowledge of HIPAA rules—which deal exclusively with the handling of US confidential patient health-care information—is a plus for the position. This indicates to experts like Piper and Grant that the work likely involves at least some access to protected US health-care information.
Those same engineers are also being hired by Gainwell to “manage vector databases, embedding stores and document stores.” Those tasks can’t be done without direct access to the underlying data, experts said.
Gainwell, in response to written questions, said that any data used in India is “deidentified and synthetic test data in non-production environments.” It said it doesn’t “process personally identifiable information (PII), protected health information (PHI), or patient data outside the United States in any way that conflicts with applicable Medicaid regulations, our contracts, or state policy.”
Deidentifying data consists of replacing personal information, such as a Medicaid identification number, with another unique identifier.
But Medicaid data can’t be completely deidentified, Piper said. To make coverage decisions, “you’re going to need to know things like, what age are they? Are they pregnant or not? What other diagnoses did they have?” Piper said.
To prevent any data security issues, Gainwell said it employs “industry-leading cybersecurity capabilities,” and partners “with leading, third-party cybersecurity experts to routinely test and maintain our best-in-class infrastructure, including as required by our contracts.” But a foreign government or other actor interested in accessing the data could certainly figure out a way to decode it, Piper said.
Taxpayer-Funded Work
Cwalina, of the Pennsylvania human services department, said the state’s contract provisions restricting offshore work are due to its obligations under HIPAA to protect “sensitive personal and health information.”
During Moody’s time in the Ohio government, all Medicaid procurements “specifically prohibited outsourcing any data or work overseas.”
“These systems hold personal medical and financial information about Ohio citizens, and that’s the last thing you want leaking offshore,” Moody said in an email.
Health-care providers also expect any company working on a public health program to make sure patients’ data is properly handled, said Erin Hart, strategy director for the Ohio Health Care Association. The group represents roughly 1,200 long-term care providers, half of which are skilled nursing facilities where 20% to 100% of patients are covered by Medicaid.
“We would expect Gainwell Technologies, working with many state health agencies, would ensure HIPAA compliance of data records with any contract that they hold,” Hart said. “Any kind of HIPAA privacy breach on a Medicaid contracted vendor is a very serious issue and concern for our residents and their privacy.”
To contact the reporters on this story:
To contact the editors responsible for this story: