2013 Security Report on South Carolina’s Medicaid Agency Published by OIG

by | Feb 24, 2016

A report of an investigation into South Carolina’s Medicaid agency by The U.S. Department of Health and Human Services’ Office of Inspector General has been published

The investigation was carried out  in 2013 following the 2012 hacking of the Revenue Department and a data breach at the state’s Department of Health and Human Services that year. 74 gigabytes of data were illegally obtained from the Revenue Department, which included the tax returns of 3.8 million adults and Social Security numbers of 1.9 million dependents. 3.3 million businesses’ bank account numbers were also taken.

A staff member of the Department of Health and Human Services was found to have inappropriately accessed the records of 228,000 Medicaid recipients and emailed the information to a personal email account. The employee was arrested and was given a three-year sentence of probation and community service . However, the hackers responsible for the cyberattack on the Revenue department were never apprehended.

The purpose of the investigation was to deduce whether the state had appropriately safeguarded data stored in the Medicaid Management Information System (MMIS): a computer system that has been in place for 35 years. While the system is in the process of being upgraded, it is not expected to be fully operational until the summer of 2018.

The OIG investigation showed a number of security vulnerabilities that placed the protected health information of more than 1 million Medicaid recipients at danger to exposure. While no evidence was found to suggest that any of the security vulnerabilities had been exploited, they were severe enough to have potentially compromised the integrity of the State’s Medicaid program.

The review included an assessment of the controls put in place to secure data, an audit of policies and procedures, and interviews with employees responsible for implementing security measures to protect data. Patch management processes, risk assessments, software testing, telecoms security, web applications and databases were also reviewed.

The investigation showed numerous security weaknesses including a failure to conduct appropraite risk assessments to identify security vulnerabilities, a lack of a proper security plan for the MMIS, no encryption on laptop computers, a lack of contractor oversight, inadequate staff training with respect to security awareness, substandard software and data security, and unaddressed website and network device weaknesses.

OIG ruled that the weaknesses occurred “because the State had not established priorities or allocated the resources necessary to secure Medicaid systems and information.”

Details of the exact nature of the security weaknesses, as well as the recommendations made to address security risks, were not specifically detailed in the final report. Following the official release of the report, S.C. Department of Health and Human Services director Christian Soura said “the good news is we’ve taken action on every one of the findings.”

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy