OIG Finds Data Security Inadequacies at North Carolina State Medicaid Agency

The Department of Health and Human Services’ Office of Inspector General (OIG) has published the findings of an audit of the North Carolina State Medicaid agency. The report shows the State agency has failed to implement sufficient controls to ensure the security of its Medicaid eligibility determination system and the security, integrity, and availability of Medicaid eligibility data.

HHS oversees the administration of several federal programs, including Medicaid. Part of its oversight of the Medicaid program involves the auditing of State agencies to determine whether appropriate system security controls have been implemented and State agencies are complying with Federal requirements.

The aim of the OIG audit was to determine whether adequate information system general controls had been implemented by the state of North Carolina to ensure its Medicaid eligibility determination system and data were secured.

The Office of North Carolina Families Accessing Services Through Technology (NC FAST) was tasked with operating North Carolina’s Medicaid eligibility determination system. NC FAST was assessed on entitywide security, access controls, configuration management, network device management, service continuity, mainframe operations, and application change control, and how those controls related to the North Carolina eligibility determination system for State fiscal year 2016.

OIG found the information security general controls were inadequate and did not meet federal requirements.

The vulnerabilities identified by OIG placed the confidentiality, integrity, and availability of North Carolina’s Medicaid eligibility data in jeopardy. The vulnerabilities could potentially be exploited by malicious actors to gain access to sensitive information. A cyberattack could also result in critical disruption of North Carolina Medicaid eligibility operations. OIG reports “the vulnerabilities are collectively and, in some cases, individually significant.”

While the vulnerabilities could be exploited, no evidence was uncovered to suggest that the system had been compromised or that sensitive information had been viewed or stolen.

OIG made several recommendations to North Carolina to ensure its Medicaid eligibility determination system is appropriately secured. North Carolina must work with NC FAST to address all vulnerabilities in a timely manner and bring its information security general controls up to the required Federal standards.

North Carolina did not directly address the recommendations, but concurred with eight of the nine findings and partly agreed with one finding. North Carolina has agreed to take corrective actions that will resolve all nine security vulnerabilities identified by the auditors.

Last year, North Carolina was also found to have failed to implement sufficient controls to ensure the security of its Medicaid claims processing systems. Those systems are managed by CSRA, Inc. OIG auditors similarly found vulnerabilities that were collectively and, in some cases, individually significant and could potentially compromise the confidentiality, integrity, or availability of the State's data and systems. North Carolina concurred with all recommendations and agreed to take corrective actions to address the vulnerabilities.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.