Florida's Medicaid program has been rapped by auditors who questioned what the state got for millions of dollars spent with a company whose lobbyists included two former Republican House speakers and a former top health-care regulator.

State auditors additionally raised questions about how aggressive the Agency for Health Care Administration has been in trying to clamp down on fraud. The newly released audit said the agency's Office of Medicaid Program Integrity never forwarded leads regarding potential fraudulent activity to 11 HMOs under contract with the state.

The audit released this week by the state auditor general questioned why Florida spent more than $5.5 million on an advanced data analytics system and renewed the vendor's contract five times despite the company's inability to include data on the majority of people enrolled in the Medicaid program.

Between 2014 and 2017, when SAS Institute was working for the state, the company listed a cadre of well-connected Tallahassee lobbyists, including former Agency for Health Care Administration Secretary and Medicaid director Tom Arnold and former House speakers Dean Cannon and Larry Cretul.

Despite the audit findings, AHCA spokeswoman Mallory McManus said in a prepared statement that the agency believes "Florida has the best Medicaid Program Integrity unit in the nation. Combatting and reporting fraud and abuse is one of our agency's top priorities, and we work every day with our health plans, and other stakeholders to ensure this activity is properly reported and dealt with."

According to the audit, the state contracted with SAS Institute in 2014 to develop and maintain an advanced data analytics system.

Though what is known as managed-care "encounter data" was available, the state did not require SAS Institute to include it in the advanced analytics until 2015. Even then, AHCA staff told auditors that SAS Institute had been unable to process the Medicaid managed-care encounter data due to differences in how managed-care plans coded the data compared to claims data from the traditional fee-for-service payment system. As a result, the data wasn't included in the SAS Institute's analyses until January 2017, six months before the contract expired.

Lawmakers in 2011 passed a major overhaul of the Medicaid system that requires most beneficiaries to enroll in managed-care plans, moving away from the fee-for-service model. Only about 20 percent of 3.9 million Medicaid beneficiaries are outside of the managed care system, according to enrollment reports.

AHCA ultimately withheld $1.4 million in payments from SAS Institute for its performance, a move made possible under a change the state made to the contract in 2016, which McManus says, underscored the state's commitment to combating fraud and abuse.

The audit noted AHCA renewed the contract five times, despite never conducting a cost-benefit analysis. The audit recommended that agency officials "document consideration of the cost effectiveness of applicable contracts. We also recommend that, prior to contracting for similar services in the future, agency management establish and clearly identify vendor performance benchmarks."

The Office of Medicaid Program Integrity is responsible for overseeing Medicaid provider activities to minimize fraud and abusive behavior, to recover Medicaid overpayments and to impose sanctions when appropriate.

The office conducts audits of Medicaid providers to look at issues such as possible fraud and overpayments. The audits are based, in part, on analyses of Medicaid data.

But the audit said the Office of Medicaid Program Integrity did not refer leads or referrals about possible wrongdoing to managed-care organizations for investigation.

The audit said the "effective use of Medicaid managed care encounter data to identify and timely communicate to the (managed care organizations) leads related to possible acts of fraud, abuse, or overpayment in the Medicaid program could allow the (managed care organizations) to more quickly stop or prevent unallowable payments to providers and provides greater assurance and further serves to demonstrate that the Agency is overseeing Medicaid provider activities in accordance with state law."

McManus, the AHCA spokeswoman, downplayed the auditor general's finding, calling it "technical."'

"Historically, our agency has not distinguished between fee-for-service claims and encounter data claims when we make referrals, but this does not mean that our agency is not referring fraud and abuse to the managed care plans," she said, adding that the agency made 180 referrals to plans for follow-ups. "In the future, in response to the audit we will make the distinction, but this is a very technical finding."