The state of Maryland is not properly securing Medicaid data and information systems, according to a Department of Health and Human Services (HHS) Office of Inspector General (OIG) report released today that found “numerous significant system vulnerabilities” in the state’s IT systems.
HHS oversees individual states’ use of certain Federal programs, such as Medicaid, and reviews states’ computer systems when they are used for HHS-funded programs. The OIG review looked to see if Maryland had adequately secured its Medicaid Management Information System (MMIS) and related data. The review found that, in spite of adopting a security program for MMIS, “vulnerabilities remained because Maryland did not implement sufficient controls over its MMIS data and information systems.”
OIG said it did not find evidence that the vulnerabilities had been exploited, but said these lapses in security posture could have led to “unauthorized access to and disclosure of Medicaid data, as well as the disruption of critical Medicaid operations.”
During the time of OIG’s audit, Maryland was engaged in litigation to recoup costs from a contractor brought in to fix the state’s Medicaid computer system. On Feb. 9, Maryland Attorney General Brian Frosh announced that the state had reached an $81 million settlement with the contractor for damages resulting from failed attempts to implement the new system.
The complete OIG report contains restricted information that was not released to the public. Maryland agreed with OIG’s recommendations to fix the issues and “described actions that it had taken or plans to take to implement them.”