OIG Discovers Multiple Security Vulnerabilities in Alabama’s Medicaid Management Information System

Share this article on:

The HHS’ Office of Inspector General (OIG) has conducted a review of Alabama’s Medicaid data and information systems to ascertain whether the state was in compliance with federal regulations. The review covered the Medicaid Management Information System (MMIS) and associated policies and procedures. OIG also conducted a vulnerability scan on networked devices, databases, websites, and servers to identify vulnerabilities that could potentially be exploited to gain access to systems and sensitive data.

The audit revealed Alabama’s MMIS had multiple vulnerabilities that could potentially be exploited by hackers to gain access to its systems and Medicaid data.

Alabama had adopted a security program for its MMIS, although several vulnerabilities had been allowed to persist. OIG said in its report, the vulnerabilities were “collectively and, in some cases, individually significant.”

OIG did not uncover any evidence to suggest the vulnerabilities had already been exploited, although the vulnerabilities did place the integrity of the state Medicaid program at risk. By exploiting the vulnerabilities, unauthorized individuals could have gained access to the MMIS and viewed, altered, or stolen data. OIG concluded the state had not done enough to comply with federal regulations on data security.

Additionally, OIG auditors determined there was insufficient oversight of the state’s Medicaid fiscal agent, HP, to ensure that it had implemented appropriate security controls as was required by the terms of its contract.

Details of the vulnerabilities identified during the audit were not published, although Alabama was provided with a detailed report and was given several recommendations to improve data security. Alabama concurred with all the recommendations and has agreed to implement additional controls to better secure its information systems and Medicaid data and will address all of the identified vulnerabilities.

Alabama only objected to the title of the report – Alabama Did Not Adequately Secure Its Medicaid Data and Information Systems – commenting, “Alabama has always, and will continue to always, strive to secure its Medicare data and information systems.”

Since OIG identified multiple, significant vulnerabilities that could have led to the MMIS being compromised, the title of the report was not changed.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On