Share this article on:
The U.S. Department of Health and Human Services’ Office of Inspector General has published a report of an investigation into South Carolina’s Medicaid agency.
The investigation was conducted in 2013 following the 2012 hacking of the Revenue Department and a data breach at the state’s Department of Health and Human Services the same year. 74 gigabytes of data were stolen from the Revenue Department, which included the tax returns of 3.8 million adults and Social Security numbers of 1.9 million dependents. 3.3 million businesses’ bank account numbers were also stolen.
An employee of the Department of Health and Human Services was discovered to have inappropriately accessed the records of 228,000 Medicaid recipients and emailed the data to a personal email account. The employee was arrested and was sentenced to three years of probation and community service, although the hackers responsible for the cyberattack on the Revenue department were never caught.
The purpose of the investigation was to determine whether the state had properly safeguarded data stored in the Medicaid Management Information System (MMIS): a computer system that is now over 35 years old. While the system is in the process of being replaced, it is not expected to be fully operational until the summer of 2018.
The OIG investigation revealed a number of security vulnerabilities that placed the protected health information of more than 1 million Medicaid recipients at risk of exposure. While no evidence was uncovered to suggest that any of the security vulnerabilities had been exploited, they were severe enough to have potentially compromised the integrity of the State’s Medicaid program.
The review involved an assessment of the controls put in place to secure data, an audit of policies and procedures, and interviews with members of staff responsible for implementing security measures to protect data. Patch management processes, risk assessments, software testing, telecoms security, web applications and databases were also assessed.
The review revealed numerous security weaknesses including a failure to conduct adequate risk assessments to identify security vulnerabilities, a lack of a security plan for the MMIS, no encryption on laptop computers, a lack of contractor oversight, inadequate staff training with respect to security awareness, substandard software and data security, and unaddressed website and network device vulnerabilities.
OIG determined that the weaknesses occurred “because the State had not established priorities or allocated the resources necessary to secure Medicaid systems and information.”
Details of the exact nature of the security vulnerabilities, as well as the recommendations made to address security risks, were not specifically detailed in the report. Following the publication of the report, S.C. Department of Health and Human Services director Christian Soura said “the good news is we’ve taken action on every one of the findings.”