Federal officials spent years locked in a secret legal battle with UnitedHealth Group, the nation’s biggest Medicare Advantage insurer, after a government audit detected widespread overbilling at one of the company’s health plans, newly released records show.

The audit, completed in 2012, found that Medicare had paid too much for nearly half of a sample of patients enrolled at PacifiCare of Washington State, a subsidiary of UnitedHealth Group. The heavily redacted audit was part of a cache of documents recently released to the Center for Public Integrity through a court order in a Freedom of Information Act lawsuit.

Matt Burns, a UnitedHealth spokesman, declined comment. However, during more than three years of confidential — and previously undisclosed — negotiations, the insurer argued the audit was unfair and the results were flat out wrong.

These audits are called Risk Adjustment Data Validation, or RADV. They test the accuracy of a billing tool called a “risk score.” Medicare uses risk scores to pay health plans higher rates for sicker people and less for those with few medical needs. But federal officials concede that some health plans may overstate how sick their patients are, a practice known as “upcoding,” that wastes billions of tax dollars every year. The RADV audits are designed to recover any overcharges.

Officials have done these audits at least since 2008. But they haven’t released any findings from them, so the PacifiCare experience offers a rare look at government oversight of the popular — and fast growing — Medicare Advantage industry. These privately-run alternatives to the basic fee-for-service Medicare program treat more than 17 million Americans at a cost topping $150 billion a year and are facing calls for greater transparency — including recent criticism from two U.S. senators.

The secrecy surrounding Medicare Advantage — CMS officials blacked out large chunks of the PacifiCare audit and related documents — prompted a stern rebuke from one of those senators, Judiciary Committee Chairman Charles Grassley.

“The public’s business ought to be public, with few exceptions. An agency shouldn’t withhold internal deliberations unless there’s a really good reason for it, like a risk to national security. It seems to me that a discussion of a Medicare overpayment problem and what to do about it ought to be public,” the Iowa Republican said in a statement.

“What is CMS worried about disclosing and why?” Grassley added. Last month, Grassley wrote to Attorney General Loretta Lynch and CMS administrator Andrew Slavitt asking how many of the risk score fraud audits had been launched over the past five years and their results.

In a separate letter, Sen. Clare McCaskill, the senior Democrat on the Senate Aging Committee, asked CMS officials what’s being done to curb billing fraud and abuse alleged by Medicare Advantage whistleblowers, calling it “an issue that must be investigated further.”

Congress authorized the use of risk scores starting in 2004. It’s essentially an honor system in which health plan doctors assess every patient’s health risks (and thus the associated payments) based on specific medical conditions they have, such as diabetes. Exactly what’s permissible under the billing rules, however, remains confusing even to many health plan professionals.

“I think there’s really not a very good understanding of how this works,” said Holly Cassano, a medical coding consultant in Florida.

It is clear CMS officials knew years ago that risk scores rose much faster among Medicare Advantage plan members than for people who remained on traditional Medicare, a worrisome signal of creeping billing abuse. A major 2009 government study that was not made public suggested some plans “gamed” the system by exaggerating how sick patients were, for instance.

In June 2008, officials picked five health plans, including PacifiCare of Washington, Inc., for pilot RADV audits. Details on the four other audits appear to have been redacted in records released to the Center for Public Integrity. CMS would only say the pilot audits “recovered” $3.4 million.

Under the audit rules, two sets of auditors combed over medical records for 201 patients to confirm they had the illnesses the government paid to treat. If these conditions are not properly documented in the medical charts, Medicare asks for a refund. By contrast, plans can get credit when underpayments are discovered.

Among the PacifiCare audit findings:

Medicare paid the wrong amount for 128 of the 201 patients, an error rate of nearly two-thirds. Payments were too high for 98 of the patients, too low for 30 of them. In total, the plan was overpaid by $381,776 during 2007.

One in five medical conditions could not be confirmed and most of these errors triggered higher payments than justified. CMS officials redacted the names of the medical conditions.

Auditors cited a “lack of sufficient documentation of a diagnosis” most often as the cause for either denying or slashing payments. However, in more than a third of the errors, payment was denied because the medical file was missing the required signature of the doctor who treated the patient.

CMS records show that the audit dragged on for years because officials changed some rules in the middle of the game and set up a lengthy and bureaucratic appeals process for health plans to follow.

CMS shared “preliminary” audit findings with the company in December 2010, but took nearly two years more to present a final version.

In a letter on Aug. 21, 2012, CMS officials said UnitedHealth owed the government $381,776. CMS said that it would deduct the money from upcoming payments to the plan, and reminded the company it could appeal.

But the flap didn’t end there, for reasons that are not explained in the exchange of testy letters between the company and government.

Scott Theisen, UnitedHealth Group chief financial officer, filed an appeal in a Sept. 20, 2012 letter. He argued that the sample was too small and that the insurer didn’t give the company enough time to secure sufficient medical records to justify its billing

“Thus the amount of the overpayment claimed to be due by CMS cannot be accurate,” Theisen wrote

On March 14, 2014, a CMS hearing officer remanded the case to the agency for further negotiations.

CMS wouldn’t say what happened next. In a statement, the agency wrote: “CMS takes seriously program integrity and payment accuracy in Medicare Advantage, and is taking steps to protect taxpayers, Medicare beneficiaries and the Medicare program. CMS is exploring how to make RADV hearing officer decisions public in such a way that safeguards the protected health information of Medicare Advantage enrollees.”

UnitedHealth Group and the other health plans audited, clearly dodged a financial bullet.

CMS had announced in June 2008 that it would start applying penalties known as “extrapolation,” which have been widely used in other types of Medicare fraud investigations.

This meant that the billing error rate found in the sample of 201 patients would be applied to the PacifiCare of Washington plan. That could have dramatically boosted the penalty.

But somewhere between 2008 and 2012, officials changed their mind and let Medicare Advantage plans off the hook.

CMS officials have never explained fully why they decided against extrapolating the audit findings.

But a confidential CMS presentation dated March 30, 2011 perhaps offers more than a clue. Each of 15 slides states “for internal government use only,” and notes that “unauthorized disclosure may result in prosecution to the full extent of the law.”

One slide estimates payment errors in Medicare Advantage at $13.5 billion for 2010 and notes that health plans “have an incentive to submit more diagnoses” in order to raise their payments.

But when CMS sought opinions on the audits in December 2010, it received more than 500 comments.

“These comments express significant resistance to the implementation of the RADV audits and payment recovery based on extrapolated payment error estimates,” CMS said in the presentation. The presentation went on to say: “Successful payment recovery based on payment error identified in these RADV audits will depend on CMS’ ability to address the challenges raised.”

CMS said it was “expecting to respond to the comments and finalize the payment error calculation methodology and overall strategy shortly.”

As of last month, more than four years later, that still hasn’t been done.