Immigration and Customs Enforcement officials are getting access to the personal data of nearly 80 million people on Medicaid in order to acquire "information concerning the identification and location of aliens in the United States,” according to an information exchange agreement viewed by WIRED.
The agreement, which is titled “Information Exchange Agreement Between the Centers for Medicare and Medicaid Services and the Department of Homeland Security (DHS) for Disclosure of Identity and Location Information of Aliens,” was signed by CMS officials on Tuesday and first reported by AP News.
Per the agreement, ICE officials will get login credentials for a Centers for Medicare and Medicaid Services (CMS) database containing sensitive medical information, including detailed records about diagnoses and procedures. Language in the agreement says it will allow ICE to access personal information such as home addresses, phone numbers, IP addresses, banking data, and social security numbers. (Later on in the agreement, what ICE is allowed to access is defined differently, specifying just “Medicaid recipients” and their sex, ethnicity, and race but forgoing any mention of IP or banking data.) The agreement is set to last two months. While the document is dated July 9, it is only effective starting when both parties sign it, which would indicate a 60-day span from July 15 to September 15.
The move comes as President Donald Trump’s administration has continued to expand its crackdown on immigration. The administration aims to deport 3,000 people per day—four times as many as were deported in the fiscal year of 2024, according to ICE. Its plans to do so seemingly involves vacuuming up data from across the government. WIRED previously reported that the so-called Department of Government Efficiency (DOGE) and DHS were working on a master database, pulling in data from across DHS and other agencies, in order to surveil and deport immigrants.
Medicaid, state and federally government-funded health care coverage for the country’s poorest, is largely available only to some non-citizens, including refugees and asylum seekers, survivors of human trafficking, and permanent residents. Some states, like New York, provide Medicaid coverage for children and pregnant people, regardless of their immigration status. States report their Medicaid expenditures and data to the federal government, which reimburses them for some of the costs.
“This was never even considered during my five years at DHS working on immigration enforcement,” says John Sandweg, the acting director of ICE during President Barack Obama’s administration. “You want to be careful of a possible chilling effect where people who might apply for benefits and be eligible for benefits—or who seek emergency medical care—won’t do so because they’re worried the information they provide at the hospital could make them a target for immigration action.”
This isn’t the concern of the administration now, spokespeople tell WIRED. “Under the leadership of Dr. [Mehmet] Oz, CMS is aggressively cracking down on states that may be misusing federal Medicaid funds to subsidize care for illegal immigrants,” Andrew Nixon, the director of communications at the Department of Health and Human Services (HHS), tells WIRED. “This oversight effort—supported by lawful interagency data sharing with DHS—is focused on identifying waste, fraud, and systemic abuse. We are not only protecting taxpayer dollars—we are restoring credibility to one of America’s most vital programs. The American people deserve accountability. HHS is delivering it.”
“President Trump consistently promised to protect Medicaid for eligible beneficiaries. To keep that promise after Joe Biden flooded our country with tens of millions of illegal aliens, CMS and DHS are exploring an initiative to ensure that illegal aliens are not receiving Medicaid benefits that are meant for law-abiding Americans,” says assistant secretary of DHS Tricia McLaughlin. (Biden did not allow “tens of millions” of immigrants into the US: even the Heritage Foundation, the conservative think tank behind Project 2025, claimed that 6.7 million people entered the country illegally under Biden as of January 2024.)
The agreement states that its purpose is not to identify waste, fraud, and abuse or examine whether immigrants are receiving impermissible benefits, but to allow ICE to "retrieve information concerning the identity and location of aliens in the United States."
“It highlights to me that the targeting has moved well beyond criminal aliens, you don’t look at data like this unless you’re looking well beyond people convicted of crimes," says Sandweg.
| Got a Tip? |
|---|
| Do you know anything about these dinners and meetings? We'd like to hear from you. Using a nonwork phone or computer, contact the reporters securely on Signal at leahfeiger.86, makenakelly.32, and Vittoria89.82. |
In a section outlining the responsibilities of each party the agreement states that it is CMS’s responsibility to provide a number of ICE employees access to T-MSIS, which stands for Transformed Medicaid Statistical Information System, through CMS login credentials. T-MSIS is a CMS database that collects Medicaid and Children's Health Insurance Program (CHIP) data from every state and nearly every US territory, as well as Washington, DC. The system contains granular data on medical conditions, symptoms, treatments, inpatient admissions, and claims, among other sensitive information. The database’s data quality varies state to state. The document specifies that ICE will have “direct access” to the T-MSIS database through the Integrated Data Repository, which an exhibit filed in a recent court case called “the cornerstone to [CMS’s] data environment … providing users the ability to analyze data in place rather than relying on voluminous extracts of raw data.”
In turn, ICE’s responsibilities include applying for CMS login credentials, completing the “Information System Security and Privacy Awareness training” and signing a document about CMS and the Department of Health and Human Service’s “Rules of Behavior for Use of Information and IT Resources.” The agreement further stipulates ICE will then use these credentials to identify and locate "aliens in the United States.”
The agreement also notes that its terms will be “carried out by authorized officers, employees, and contractors of CMS and ICE.” ICE currently contracts with several companies, including Palantir, the defense contractor cofounded by billionaire Peter Thiel, to which the agency recently paid $30 million to build a system called ImmigrationOS to track immigrants self-deporting from the US. The company is also involved in helping to build a “mega API” at the IRS. In April, DHS and the Internal Revenue Services announced an agreement to share IRS data for immigration enforcement.
“The agreement gives ICE full, direct access to our Medicaid data—one of the most important health programs is now being entirely repurposed as a law enforcement database, handing our data directly over to ICE,” says Cody Venzke, senior policy counsel of the National Political Advocacy Division at the American Civil Liberties Union. “The agreement claims that under the Privacy Act, CMS is permitted to share our data to ‘assist another Federal or state agency,’ but that’s at best a half truth. That sharing is only allowed if [it] is to contribute to the accuracy of Medicare or Medicaid, to administer a federal health benefits program, or as necessary to implement a health benefits program funded with federal funds. Completely surrendering our privacy to enable ICE does none of those things.”
The agreement allows ICE to retain any Medicaid data for as long as the agency deems it necessary. The document clarifies that this agreement can be renewed for “consecutive periods,” and that ICE also can share the data so long as the agency specifies who the recipients are in writing. Venzke calls this “an incredibly thin protection.”
Agencies can share data via what’s known as a computer matching agreement, which is a written agreement between agencies that specifies the parameters of how they will compare data from their respective systems. According to its website, the CMS currently has half a dozen computer matching agreements with other federal agencies, including the IRS, the Department of Veterans’ Affairs (VA), and the Social Security Administration.
The agreement between ICE and CMS, however, explicitly states that it is not a computer matching agreement.
Jonathan Kamens, former information security lead at the VA, told WIRED that as long as ICE agents abide by the rules and vetting processes required by CMS to access its systems, they might not require a computer matching agreement. However, any use of data collected by an agency outside what is outlined in its System of Records Notice (SORN) could constitute a violation. “The System of Records Notice for the CMS systems would have to permit the use that ICE is putting the data to in order for it to be legal,” he says. “It is unlikely that the Trump administration has gone through the effort necessary to update the System of Record Notice to permit that use of the data.”
The agreement asserts that it is compliant with a 2019 SORN, which allows T-MSIS data to be used “to assist another federal or state agency." The SORN does not appear to have been updated to include the new agreement between ICE and CMS.
CMS is not the only agency where ICE agents have direct access to sensitive data. Earlier this year, it was revealed that ICE agents were being given logins to access the database that tracks unaccompanied minors at the Office of Refugee Resettlement (ORR), which is also housed under HHS. A former HHS employee told WIRED that more than 50 ICE employees had access to the ORR database.
“By turning over some of our most sensitive health care data to ICE, Health and Human Services has fundamentally betrayed the trust of almost 80 million people,” says Elizabeth Laird, director of equity in civic tech at the Center for Democracy and Technology. “Over 90 percent of entitlement fraud is committed by US citizens, underscoring the false pretense of sharing this information with ICE. The results of this decision will be devastating. It will sink trust in government even lower, force individuals to choose between life-saving care and turning over data to immigration authorities, and erode the quality and effectiveness of government services.”
Zoë Schiffer contributed reporting.
