HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

OIG Discovers Multiple Security Vulnerabilities in Alabama’s Medicaid Management Information System

The HHS’ Office of Inspector General (OIG) has conducted a review of Alabama’s Medicaid data and information systems to ascertain whether the state was in compliance with federal regulations. The review covered the Medicaid Management Information System (MMIS) and associated policies and procedures. OIG also conducted a vulnerability scan on networked devices, databases, websites, and servers to identify vulnerabilities that could potentially be exploited to gain access to systems and sensitive data.

The audit revealed Alabama’s MMIS had multiple vulnerabilities that could potentially be exploited by hackers to gain access to its systems and Medicaid data.

Alabama had adopted a security program for its MMIS, although several vulnerabilities had been allowed to persist. OIG said in its report, the vulnerabilities were “collectively and, in some cases, individually significant.”

OIG did not uncover any evidence to suggest the vulnerabilities had already been exploited, although the vulnerabilities did place the integrity of the state Medicaid program at risk. By exploiting the vulnerabilities, unauthorized individuals could have gained access to the MMIS and viewed, altered, or stolen data. OIG concluded the state had not done enough to comply with federal regulations on data security.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Additionally, OIG auditors determined there was insufficient oversight of the state’s Medicaid fiscal agent, HP, to ensure that it had implemented appropriate security controls as was required by the terms of its contract.

Details of the vulnerabilities identified during the audit were not published, although Alabama was provided with a detailed report and was given several recommendations to improve data security. Alabama concurred with all the recommendations and has agreed to implement additional controls to better secure its information systems and Medicaid data and will address all of the identified vulnerabilities.

Alabama only objected to the title of the report – Alabama Did Not Adequately Secure Its Medicaid Data and Information Systems – commenting, “Alabama has always, and will continue to always, strive to secure its Medicare data and information systems.”

Since OIG identified multiple, significant vulnerabilities that could have led to the MMIS being compromised, the title of the report was not changed.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.