By MATT GILES, LEAH FEIGER, ZOË SCHIFFER, and CAROLINE HASKINS
Affiliates from Elon Musk’s so-called Department of Government Efficiency (DOGE) have significant access to 19 sensitive systems at the Department of Health and Human Services (HHS), according to a recent court filing. Nine of those are previously undisclosed.
This wide-ranging access, which includes a centralized accounting system for all Centers for Medicare and Medicaid (CMS) programs, the cloud for a “robust” and “high-volume data warehouse,” and several additional HHS accounting systems that pay government contractors, demonstrates the breadth of DOGE’s takeover at the federal agency charged with securing health care for millions of Americans.
HHS submitted the filing as part of an ongoing lawsuit. The document—which is related to a motion for preliminary injunction—shows that a total of four DOGE affiliates now have access to the Healthcare Integrated General Ledger Accounting System (HIGLAS), which pays out federal grants and is used for accounting by the Centers for Medicare and Medicaid Services. A previous court filing claimed three DOGE operatives had access to HIGLAS, which could theoretically allow them to cut off Medicaid payments to states, according to NPR.
FEATURED VIDEO
How Teslas Record Your Every Movement—And How To Avoid It
HHS did not immediately respond to an official request for comment from WIRED.
DOGE’s access to some of the databases in the new court filing were first revealed in a March court filing and reporting from NPR and The Guardian. However, the full scope has come into focus as a result of the American Federation of Labor and Congress of Industrial Organizations’s continued lawsuit attempting to restrict DOGE’s data access at HHS, the Department of Labor, and the Consumer Financial Protection Bureau. As part of the AFL-CIO’s motion, the plaintiffs allege the agencies have given DOGE “unfettered, on-demand access to their most sensitive systems of records” because the affiliates “invoke the incantation of ‘waste, fraud, and abuse.’” According to the plaintiffs, “‘waste, fraud, and abuse’ are not magic words, and they cannot conjure up a need to grant DOGE Team members on-demand access to Americans’ most sensitive and personal information.”
As part of the discovery process, federal agencies have been required to disclose which databases DOGE has accessed, which were attached to the plaintiffs’ recent motion.
Jeffrey Levi, an emeritus professor of health policy and management at George Washington University’s Milken Institute School of Public Health, tells WIRED that “anything that has the potential of delaying payments to parts of the health system” runs the risk of disrupting care for the millions of Americans that rely on it. Levi notes that places with “minimal financial flexibility”—like rural hospitals and Federally Qualified Health Centers, which disproportionately serve people who use Medicaid and Medicare—are particularly vulnerable.
The filing lists known DOGE affiliates, including Luke Farritor, Marko Elez, Edward Coristine, Rachel Riley, Aram Moghaddassi, Zachary Terrell, and Kyle Schutt, among those who have access to HHS systems. Coristine, who has gone by the name “Big Balls” online, previously worked for a company that employed convicted and reformed hackers, WIRED reported.
Elez, a young engineer who has worked at Musk’s X and SpaceX, has also appeared at the Department of Labor, the Social Security Administration, and the Department of the Treasury. While at the Treasury, WIRED reported, Elez had both read and write access to sensitive payments systems. In early February, Elez briefly resigned from DOGE after racist comments posted by an account he was linked to were discovered by The Wall Street Journal, though Elez returned to DOGE after Musk and Vice President JD Vance posted in defense of him on X.
The court filing raises legal and ethical questions around how personal information is currently being treated in the federal government, says Elizabeth Laird, the Center for Democracy and Technology’s director of Equity in Civic Technology.
“It just underscores why for so long we have had protections that have really centered someone’s right to privacy and [required] consent for sharing that level of sensitivity of information about them,” Laird says. “Just in this agency, with this level of sensitivity, that’s a right that’s been stripped away from every person who is included in there.”
Below is a chart that details DOGE’s access to HHS, complete with the names of the agencies impacted, the Personally Identifiable Information (PII) contained in those agencies, and the DOGE operatives who have, or had, access. This information is contained in the court filing.
| NAME | PII | DOGE ACCESS |
|---|---|---|
| Centers for Medicare and Medicaid Services (CMS) Acquisition Lifecycle (CALM) (This manages the contract acquisition process, including “writing contracts, tracking milestones, and performing contract audits.”)* | Vendor name, address, phone number, taxpayer ID number, employer ID number, etc. | Amy Gleason, Luke Farritor, Edward Coristine, Marko Elez, Aram Moghaddassi, Rachel Riley |
| CMS Healthcare Integrated General, Ledger Accounting System (HIGLAS) (This is one of HHS’s central accounting systems.) | SSN, Name, DOB, Financial account information, taxpayer ID, Health insurance claim, employee ID number, salary | Luke Farritor, Edward Coristine, Marko Elez, Aram Moghaddassi |
| CMS Integrated Data Repository Cloud (IDRC) (This is a “high-volume data warehouse integrating Medicare claims” with data from patients and healthcare providers.) | SSN, name, date of birth, email address, phone numbers, mailing address, medical records number, medical notes, health insurance claim number (HICN), unique physician, identification number (UPIN), race, sex, diagnosis, codes, procedure codes, user credentials | Luke Farritor, Edward Coristine, Marko Elez, Aram Moghaddassi, Zachary Terrell |
| NIH ES Electronic Research Administration (eRA) (This is the NIH’s system for processing research grant applications.) | SSN, name, date of birth, email address, mailing address, phone numbers, education, records, disability, persistent, digital identifiers, disadvantage background, user credentials, current position, affiliated organization, sex, demographic, information, professional, performance, and provincial history, service, payback obligation, financial data, employment data | Luke Farritor |
| NIH ES NIH Business System (NBS) (This includes “the general ledger, finance, budget, procurement, supply, travel, and property management systems.”) | SSN, name, email address, phone numbers, financial accountant, information, employment status, taxpayer ID, employee ID number | Luke Farritor, Rachel Riley |
| OS ASA OHR Enterprise Human Capital Management (EHCM) Investment (This is used by HHS to process its internal “personnel actions” and “administer benefits” to its employees.) | SSN, name, email address, phone numbers, certificates, education, records, military status, date of birth, photographic, identifiers, mailing address, financial account information, employment status, user credentials | Luke Farritor (admin, read only), Zachary Terrell, Rachel Riley (read only) |
| OS ASA PSC Payment Management System (PMS) (This is “a shared service provider and a leader in processing grant payments for the federal government.”) | SSN (limited, used as TIN), name, email address, phone numbers, taxpayer ID, mailing address, financial account information, user credentials | Luke Farritor (admin), Zachary Terrell, Rachel Riley |
| OS ASFR Grant Solutions (This is “a grants management services provider.”) | Taxpayer ID, user credentials, email address, mailing address, name, phone numbers, employer ID number | Luke Farritor, Zachary Terrell, Conor Fennessy, Jeremy Lewin, Rachel Riley, Aram Moghaddassi |
| OS ASFR HHS Consolidated Acquisition Solution (This manages purchase requests and business transactions across HHS, with the exception of CDC.) | SSN, name, email address, phone numbers, education, records, taxpayer, ID, mailing address, financial account information, legal documents, user credentials | Luke Farritor, Conor Fennessy, Rachel Riley |
| ACF Expanded Federal Parent Locator Service (FPLS) FPLS comprises four systems critical to child support: 1) National Directory of New Hires, a database of employment data; 2) Federal Case Registry of Child Support Orders, a database of child, support cases and orders; 3) Debtor File which helps states collect delinquent child support; 4) Parent Child Support Portal, which provides a secure gateway for FPLS web applications (This houses information about children placed into foster care so that the relatives of these children can be notified.) | National Directory of New Hires (2025 draft): SSN, date of birth, name, mailing address, military status, employment status | Marko Elez, Aram Moghaddassi (both deactivated) |
| Integrated Contracts Expert system at CDC (This is HHS’s accounting system specific to the CDC.) | SSN, name, email address, employer ID number | Luke Farritor |
| Acquisition, Performance and Execution system at CDC (This is a platform for the CDC to procure private sector contracts and work.) | SSN, name, email address, employment, status, employer ID number | Luke Farritor |
| Grants.gov (This is a platform for people and organizations to apply for government grants.) | SSN, taxpayer ID, user credentials, email address, education, records, mailing address, name, phone numbers, financial account info, others—chart no., TIN, DUNS, provider license number | Luke Farritor (admin), Conor Fennessy |
| Unaccompanied Alien Children ACF Unaccompanied Children Portal (This houses the information about unaccompanied children that is collected by Customs and Border Protection after the children are apprehended.) | Manages a large amount of information, including personal information, medical notes, educational information, and sponsorship information. There are four major groups of individuals:1. UCs—information includes: name, DOB, a number, photographs, biometrics, medical notes, country of birth, education, information, progress reports.2. Sponsors—information includes: name, DOB, SSN, email address, drivers license number, passport number, phone number(s), mailing address, financial account information, employment, status, and income information, legal documents, marital status, gender, country of residency3. Sponsor’s household—information includes: names, DOBs, gender, age, and relationship to UC4. System users — name, email address, phone number, fax number, mailing address, username, password, and roll/privileges | Kyle Schutt |
| Component: Financial Business Intelligence Systems Name of ATO Boundary: Unified Financial Management System Portfolio (The FBIS “retrieves, combines, consolidates, and reports data from the core financial system.” The UFMS is one of the three major core accounting systems at HHS.) | SSN, taxpayer ID, email address, mailing address, name, phone numbers, financial account info, others—chart no., TIN, DUNS, provider license number | Zachary Terrell, Rachel Riley |
| Business Intelligence Information System-Cloud (This houses HHS “payroll, time and attendance, personnel, and recruiting data.”) | SSN, mother, maiden name, user credentials, email address, date of birth, mailing address, name, phone numbers, military status, employment status, financial account info | Rachel Riley |
| HRSA Electronic Handbooks (This platform lets officials sign documents that create binding government contracts.) | Name, email address, phone number numbers, taxpayer ID, mailing address, user credentials, others—fax no. | Zachary Terrell, Jeremy Lewin, Conor Fennessy |
| Unified Financial Management System (This is HHS’s “integrated department-wide financial management system.”) | SSN, taxpayer ID, email address, mailing address, name, phone numbers, financial account info, other—HHSID | Zachary Terrell, Rachel Riley |
| NIH Workforce Analytics Workbench (This lets users examine “current and historical NIH workforce data,” including headcount and retirement information.) | NIH Workforce Insights—FTE counts, HR actions, etc. | Rachel Riley |
*Explanations added by WIRED. The rest is recreated from the court filing.
DOGE affiliates were given access to HHS systems as a result of three executive orders signed by President Donald Trump, according to an April 8 deposition by Jennifer Wendel, chief information officer at HHS, who is stepping down this spring. The first was the January 20 order that established DOGE’s existence. The second was a February order on implementing the DOGE agenda, and the third was an order to eliminate waste, fraud, abuse and data silos.
The orders—and in particular the mandate to root out fraud—gave DOGE wide-ranging access to government systems. The team was required to speak with system owners before accessing certain tools, according to Wendel. In theory, the owner could deny access if they felt that DOGE access was not justified. In practice, Wendel said, access at HHS has never been denied.
That appears to have been the case even though one DOGE affiliate failed to receive the proper security training needed to access a particularly sensitive system.
Before someone is allowed to access the Healthcare Integrated General Ledger Accounting System and the Integrated Data Repository (IDR), they’re required to go through a security training, according to the April 8 deposition by Wendel and another that occurred on the same day by Garey Rice, the principal deputy assistant secretary for operations at HHS. The depositions come as part of the AFL-CIO lawsuit.
During the depositions, an attorney for the plaintiffs tried to ascertain whether DOGE affiliate Aram Moghaddassi had been through the proper training to access the HIGLAS and IDR systems. In a previous government filing, Moghaddassi was not listed as having read-only access to any of the HHS systems, including HIGLAS, despite court records indicating he was detailed to the agency in early March. Rice confirmed that there was no record of Moghaddassi completing the required security briefing.
Disclaimer
The information contained in South Florida Reporter is for general information purposes only.
The South Florida Reporter assumes no responsibility for errors or omissions in the contents of the Service.
In no event shall the South Florida Reporter be liable for any special, direct, indirect, consequential, or incidental damages or any damages whatsoever, whether in an action of contract, negligence or other tort, arising out of or in connection with the use of the Service or the contents of the Service. The Company reserves the right to make additions, deletions, or modifications to the contents of the Service at any time without prior notice.
The Company does not warrant that the Service is free of viruses or other harmful components
