Data Security Inadequacies at North Carolina State Medicaid Agency by OIG

The findings of an audit of the North Carolina State Medicaid agency by The Department of Health and Human Services’ Office of Inspector General (OIG) have been published in a new report.

The report indicates that the State agency has failed to put in place sufficient controls to ensure the security of its Medicaid eligibility determination system and the security, integrity, and availability of Medicaid eligibility information.

HHS governs the administration of several federal programs, including Medicaid. Part of its role involving the Medicaid program included the auditing of State agencies to determine whether proper system security controls have been put in place and State agencies are adhering with Federal requirements.

The target of the OIG audit was to discover whether adequate information system general controls had been put in pace by the state of North Carolina to ensure its Medicaid eligibility determination system and data were safe.

The Office of North Carolina Families Accessing Services Through Technology (NC FAST) was given the role of operating North Carolina’s Medicaid eligibility determination system. NC FAST was reviewed in relation to entitywide security, access controls, configuration management, network device management, service continuity, mainframe operations, and application change control, and how those controls working in relation to the North Carolina eligibility determination system for State fiscal year 2016.

OIG discovered that the information security general controls were not sufficient and did not meet federal requirements.

The weaknesses identified by OIG placed the confidentiality, integrity, and availability of North Carolina’s Medicaid eligibility data in danger. The weaknesses could potentially be exploited by malicious actors to gain access to sensitive data. A cyberattack could also lead to in critical disruption of North Carolina Medicaid eligibility operations. OIG states “the vulnerabilities are collectively and, in some cases, individually significant.”

While the weaknesses could be exploited, no proof was found to suggest that its system had been compromised or sensitive data had been viewed or illegally obtained.

OIG made several approvals to North Carolina to ensure its Medicaid eligibility determination system is appropriately safeguarded. North Carolina must work with NC FAST to address all weaknesses in a timely manner and bring its data security general controls up to the required Federal requirements.

North Carolina did not directly address the approvals, but agreed with eight of the nine findings and partly agreed with another finding. North Carolina has agreed to make corrective actions that will address all nine security vulnerabilities found by the auditors.

In 2017, North Carolina was also discovered to have failed to ensure proper controls were put in place to ensure the security of its Medicaid claims processing systems.

Those systems are operated by CRSA, Inc. OIG auditors normally found weaknesses that were collectively and, in some instances, individually important and could potentially place in danger the confidentiality, integrity, or availability of data and its systems. North Carolina ruled with all approvals and agreed to take corrective actions to address the weaknesseds