ICE Got 79M Medicaid Records. Found Nobody.

Introduction

The administration's hunt for undocumented Medicaid enrollees has so far produced almost nobody. Pennsylvania and Colorado reported zero terminations from the federal referral lists, while Ohio flagged about 1,000 names for review out of 65,000 federal referrals. To run that search, ICE got direct access to a database covering roughly 79 million people, including everyone who ever enrolled in Emergency Medicaid, where about half the cases are labor and delivery for U.S. citizen babies. The enrollment forms in several states still promise the data won't be used for enforcement.

What CMS Promised, and What CMS Now Says

For 12 years, CMS published a sentence on healthcare.gov/immigrants: "We won't use any immigration status you share with us for immigration enforcement purposes." A separate page on CMS.gov made the same commitment about personal information generally, collected only "to run our health care programs." That pledge was on the screens people saw while typing their addresses into the enrollment portal.

On November 25, 2025, CMS Administrator Mehmet Oz signed Federal Register Notice CMS-9163-N, a nine-page document titled "Privacy Act of 1974; New System of Records." The notice quotes the prior CMS pledges back to itself, then explains that the pledges were made "in reliance on a 2013 ICE policy" that ICE rescinded on October 27, 2025 via Policy Memorandum 11066.2. The new notice was filed November 21 and applicable immediately. CMS waived notice-and-comment rulemaking, calling the document "at the most, a policy statement." On the reliance question, CMS conceded that "states, providers, beneficiaries, health insurance issuers, other regulated entities, and the general public may have relied on past CMS statements," then noted ICE had determined the value of the data "outweighs any relevant reliance interests."

The reliance interests CMS shrugged off are the people who filled out the forms. As of February 3, 2026, California's Medi-Cal application still told applicants their immigration information was "confidential" and "We only use it to see if you qualify for health insurance." Utah's Medicaid website still told Emergency Medicaid applicants their information would not be shared with immigration officials, until KFF Health News called the state agency and Utah pulled the language the same day. None of the dozen-plus hospitals KFF Health News contacted said they were directly warning patients that the rule had changed.

How the Data Actually Moves

The CMS-ICE data flow runs through a system called T-MSIS, the Transformed Medicaid Statistical Information System. It contains demographic data, eligibility records, claims for every covered service, and immigration-status indicators including the flag for emergency-only Medicaid. Per a July 9, 2025 Information Exchange Agreement made public through the lawsuit, ICE employees get direct access to the CMS Integrated Data Repository on renewable two-month periods. The fields requested by the agreement go beyond name and address: Social Security number, date of birth, phone number, ethnicity and race, banking information including account numbers and routing numbers, email addresses, IP addresses.

The first transfer happened on June 10, 2025. According to internal CMS emails obtained by the AP, Kim Brandt (a Trump appointee serving as CMS deputy administrator and chief operating officer) and a senior advisor to HHS Secretary Robert F. Kennedy Jr. ordered CMS to send data to DHS by 5:30 p.m. ET that day, giving career staff 54 minutes to comply. Deputy Director Sara Vitolo wrote a memo flagging that the transfer would violate the Social Security Act and the Privacy Act of 1974, and was overruled. The data went out covering enrollees in California, Illinois, Washington State, and Washington, D.C.

Once inside ICE, the records feed a Palantir-built tool called ELITE (Enhanced Leads Identification & Targeting for Enforcement). According to reporting from 404 Media and EFF, ELITE "populates a map with potential deportation targets, brings up a dossier on each person, and provides a 'confidence score' on the person's current address." HHS-supplied home addresses sit on the input list, which means the address someone typed into a healthcare form, under the now-deleted promise, is scoring how confident ICE is about where to find them.

California v. HHS and What the Government Already Conceded

Twenty-two states and D.C. sued on July 1, 2025 in California v. HHS, Case No. 3:25-cv-05536 in the Northern District of California. Judge Vince Chhabria issued a first preliminary injunction on August 12, finding the agencies had likely failed to follow reasoned decision-making under the Administrative Procedure Act. A second preliminary injunction on December 29 narrowed sharing to basic biographical and contact information, prohibited health data, and limited the data to people not lawfully residing in the United States. KFF analysts noted at the time that "limiting data to these elements would be difficult or impossible" given how T-MSIS is structured, since the database doesn't cleanly isolate undocumented enrollees from lawfully present immigrants on emergency coverage.

On March 26, 2026, the plaintiff states filed a motion to enforce the order, alleging CMS had been sharing data on people the court protected. On April 9, 2026, the federal government admitted in court that it had improperly shared Minnesota Medicaid data with ICE on lawfully present residents. ICE said it had deleted the records, and the affected enrollees were never notified. The same day, the National Health Law Program and American Oversight filed a FOIA suit because HHS had not produced any records about the data sharing within statutory deadlines, including the most basic question on the docket: how many people's records have actually been transferred so far. The government still hasn't answered.

Who Benefits

ICE benefits first. Before this agreement, the agency leaned on commercial data brokers like Thomson Reuters CLEAR ($22.8 million LEIDS-5 contract) and LexisNexis Accurint ($22.1 million LEIDS contract, 11,000-plus ICE users) to triangulate locations from license plate scans, utility records, credit headers, and real-time vehicle registration data. The home address attached to a credit file isn't necessarily the address the person sleeps at tonight, and the brokers' products are expensive on top of that. T-MSIS gives ICE something the brokers can't: a self-reported home address typed into a government form alongside a self-reported immigration status, refreshed by every renewal cycle. ICE Policy Memorandum 11066.2 spells it out, calling CMS data "a particular set of accurate and quality data" that lets ICE "more efficiently achieve its mission."

Palantir benefits at the targeting layer. Each new high-quality data source feeding into ELITE makes the confidence scores more accurate, which makes the next contract easier to justify. The company also holds a separate $30 million contract for ImmigrationOS, a platform aggregating passport records, Social Security data, IRS information, and license plate reads. Palantir denied EFF's January 2026 characterization of how ELITE ingests Medicaid addresses; the description in the EFF post traces back to 404 Media's reporting on internal Oregon court testimony, and Palantir has not produced a competing account of the data inputs.

Thomson Reuters and LexisNexis benefit indirectly. Government data flowing into the targeting pipeline enriches the commercial layer rather than replacing it, so the brokers' products gain value as the cross-reference target gets sharper. Total Thomson Reuters DHS receipts since 2003 sit above $161 million; RELX, LexisNexis's parent, is above $172 million. The current Thomson Reuters LEIDS-5 contract is set to expire May 31, 2026.

The political beneficiary is the deportation goal itself. The data sharing signals that any government health, tax, or benefits database is fair game for enforcement, which is a precedent the next agency or administration that wants to use it can point to.

What the Federal Referrals Actually Found

The chilling effect was already running before the enforcement searches were complete. The KFF/New York Times 2025 Survey of Immigrants (n=1,805) found 14% of immigrant adults, and 48% of likely undocumented adults, had avoided medical care since January 2025 over immigration concerns. Among likely undocumented adults, 78% were "somewhat" or "very" concerned about health providers sharing information with ICE. Medi-Cal lost about 100,000 immigrants without legal status between June and December 2025 — roughly 25% of all California disenrollments, while that group made up 11% of total enrollment. Georgetown's Leonardo Cuello asked the question the policy doesn't address: "Half of the Emergency Medicaid cases are for the delivery of U.S. citizen babies. Do we want these mothers avoiding the hospital when they go into labor?"

The administration's stated reason for the database access is Medicaid program integrity. The legal framework CMS cited in its Federal Register notice (the Homeland Security Act, the Immigration and Nationality Act, and 8 U.S.C. 1373) dates to 1952, 2002, and 1996 respectively, and predates every modern healthcare privacy framework. HIPAA does not appear in the legal authority section of the notice. As for the results: KFF Health News obtained the federal referral numbers from three states. Pennsylvania and Colorado terminated nobody. Ohio flagged about 1,000 names for further review out of 65,000 federal referrals. The hit rate on the program-integrity claim, in the data the administration itself produced, is between zero and roughly 1.5%.

Three Weeks, an Open FOIA Suit, and the Forms Still Say the Old Thing

The administration broke a written promise to ~79 million people to run a search that came up effectively empty in three of the states where results have been disclosed. The data is now sitting inside ICE's targeting system, the May 31 expiration on the Thomson Reuters CLEAR contract is about three weeks away, the FOIA suit is open, and HHS still hasn't said how many records moved. The enrollment forms in several states are still telling people the old version of the deal.

The forward question worth tracking: what changes when American Oversight forces the record count out, and when the next state attorney general's office finds its lawfully-present residents in a Palantir confidence score. The dated, published promise was reversed without telling the people whose addresses are now in the targeting layer.