OIG: Multiple Security Weaknesses in Alabama’s Medicaid Management Information System

The HHS’ Office of Inspector General (OIG) has completed an audit of Alabama’s Medicaid data and information systems to determine whether the state was in compliance with federal regulations. The review included the Medicaid Management Information System (MMIS) and associated policies and processes. OIG also carried out a vulnerability scan on networked devices, databases, websites, and servers to identify vulnerabilities that could potentially be exploited to gain access to systems and sensitive information.

The audit showed Alabama’s MMIS had multiple weaknesses that could possibly be exploited by hackers to gain access to its systems and Medicaid data.

Alabama had implemented a security program for its MMIS, although several weaknesses had been allowed to continue. OIG stated in its report that the vulnerabilities were “collectively and, in some cases, individually significant.”

OIG did not find any proof to suggest the vulnerabilities had already been exploited, although the vulnerabilities did place the integrity of the state Medicaid program at risk. By exploiting the weaknesses, unauthorized individuals could have gained access to the MMIS and viewed, altered, or stolen data. OIG ruled that the state had not done enough to comply with federal regulations on data security.

OIG auditors also ruled that there was insufficient oversight of the state’s Medicaid fiscal agent, HP, to ensure that it had adopted appropriate security measures as required by the terms of its contract.

Details of the weaknesses and flaws identified during the audit were not published, although Alabama was provided with a detailed report and was given several recommendations to improve data security. Alabama agreed with all the recommendations, has agreed to implement extra controls to better secure its information systems and Medicaid data, and will address all of the identified weaknesses.

Alabama only disagreed with the title of the report – Alabama Did Not Adequately Secure Its Medicaid Data and Information Systems – commenting, “Alabama has always, and will continue to always, aim to secure its Medicare data and information systems.”

Since OIG found multiple, significant weaknesses that could have resulted in the MMIS being compromised, the title of the report was not altered.

Author: Maria Perez