Data Security Inadequacies at North Carolina State Medicaid Agency by OIG

by | Jan 9, 2018

The findings of an audit of the North Carolina State Medicaid agency by The Department of Health and Human Services’ Office of Inspector General (OIG) have been published in a new report.

The report indicates that the State agency has failed to put in place sufficient controls to ensure the security of its Medicaid eligibility determination system and the security, integrity, and availability of Medicaid eligibility information.

HHS governs the administration of several federal programs, including Medicaid. Part of its role involving the Medicaid program included the auditing of State agencies to determine whether proper system security controls have been put in place and State agencies are adhering with Federal requirements.

The target of the OIG audit was to discover whether adequate information system general controls had been put in pace by the state of North Carolina to ensure its Medicaid eligibility determination system and data were safe.

The Office of North Carolina Families Accessing Services Through Technology (NC FAST) was given the role of operating North Carolina’s Medicaid eligibility determination system. NC FAST was reviewed in relation to entitywide security, access controls, configuration management, network device management, service continuity, mainframe operations, and application change control, and how those controls working in relation to the North Carolina eligibility determination system for State fiscal year 2016.

OIG discovered that the information security general controls were not sufficient and did not meet federal requirements.

The weaknesses identified by OIG placed the confidentiality, integrity, and availability of North Carolina’s Medicaid eligibility data in danger. The weaknesses could potentially be exploited by malicious actors to gain access to sensitive data. A cyberattack could also lead to in critical disruption of North Carolina Medicaid eligibility operations. OIG states “the vulnerabilities are collectively and, in some cases, individually significant.”

While the weaknesses could be exploited, no proof was found to suggest that its system had been compromised or sensitive data had been viewed or illegally obtained.

OIG made several approvals to North Carolina to ensure its Medicaid eligibility determination system is appropriately safeguarded. North Carolina must work with NC FAST to address all weaknesses in a timely manner and bring its data security general controls up to the required Federal requirements.

North Carolina did not directly address the approvals, but agreed with eight of the nine findings and partly agreed with another finding. North Carolina has agreed to make corrective actions that will address all nine security vulnerabilities found by the auditors.

In 2017, North Carolina was also discovered to have failed to ensure proper controls were put in place to ensure the security of its Medicaid claims processing systems.

Those systems are operated by CRSA, Inc. OIG auditors normally found weaknesses that were collectively and, in some instances, individually important and could potentially place in danger the confidentiality, integrity, or availability of data and its systems. North Carolina ruled with all approvals and agreed to take corrective actions to address the weaknesseds

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy