2013 Security Report on South Carolina’s Medicaid Agency Published by OIG

The U.S. Department of Health and Human Services’ Office of Inspector General (OIG) has published a report of its investigation into South Carolina’s Medicaid agency.

The investigation was carried out in 2013 following the 2012 hacking of the Revenue Department and a data breach at the state’s Department of Health and Human Services that year. 74 gigabytes of data were illegally obtained from the Revenue Department, including the tax returns of 3.8 million adults and the Social Security numbers of 1.9 million dependents. The bank account numbers of 3.3 million businesses were also taken.

A staff member of the Department of Health and Human Services was found to have inappropriately accessed the records of 228,000 Medicaid recipients and emailed the information to a personal email account. The employee was arrested and was given a three-year sentence of probation and community service. However, the hackers responsible for the cyberattack on the Revenue Department were never apprehended.

The purpose of the investigation was to determine whether the state had appropriately safeguarded data stored in the Medicaid Management Information System (MMIS), a computer system that has been in place for 35 years. While the system is in the process of being upgraded, the upgraded system is not expected to be fully operational until the summer of 2018.

The OIG investigation identified a number of security vulnerabilities that placed the protected health information of more than 1 million Medicaid recipients at risk of exposure. While no evidence was found to suggest that any of the security vulnerabilities had been exploited, they were severe enough to have potentially compromised the integrity of the State’s Medicaid program.

The review included an assessment of the controls put in place to secure data, an audit of policies and procedures, and interviews with employees responsible for implementing security measures to protect data. Patch management processes, risk assessments, software testing, telecoms security, web applications and databases were also reviewed.

The investigation identified numerous security weaknesses, including a failure to conduct appropriate risk assessments to identify security vulnerabilities, a lack of a proper security plan for the MMIS, no encryption on laptop computers, a lack of contractor oversight, inadequate staff training with respect to security awareness, substandard software and data security, and unaddressed website and network device weaknesses.

OIG ruled that the weaknesses occurred “because the State had not established priorities or allocated the resources necessary to secure Medicaid systems and information.”

The exact nature of the security weaknesses, as well as the recommendations made to address security risks, were not specifically detailed in the final report. Following the official release of the report, S.C. Department of Health and Human Services director Christian Soura said, “the good news is we’ve taken action on every one of the findings.”