I realise hit detection is an issue that has been talked to hell and back on these forums. But from reading them I somehow got the feeling that the ground of the problem is somehow being omitted...
It lies in the fact that both client of the player being hit and the server are detecting the hit, but they do it independently.
Example: player gets hit by a grenade (or shotgun or m79). This hit is predicted by it's client, including the explosion. So it will jerk the player position away from the explosion (or in the direction of the shotty shells), and notify the server about this movement. Now if the server happens to place this event before the actual impact (actual as opposed to predicted by the client) in time, it will see it as if the player actually evaded the projectile (by the movement that was, clientside, caused by that very projectile) so his hitpoints will not be reduced, and the projectile will, serverside, now invisible to client(s) travel on and explode somewhere else.
Now while in general hit detection might not be an easy thing to design, this particular bug has a simple solution - the client tells the server "I've been hit by object XYZ so I deserve hitpoint penalty".
Clientside hit detection in general is prone to cheats and hacks, but in this case it doesn't matter (or at least not that much) because the detection still remains serverside, with the exception that clients may "admit" a hit.