The Department of Health and Human Services’ Office of Inspector General (OIG) has released the results of an audit of the North Carolina State Medicaid agency.
The audit found that the State agency did not implement sufficient controls to ensure the security of its Medicaid eligibility determination system and the security, integrity, and availability of Medicaid eligibility information.
HHS manages the administration of several federal programs, among them Medicaid. Part of its oversight of the Medicaid program includes auditing State agencies to determine whether sufficient system security controls have been implemented and whether State agencies are complying with the necessary Federal requirements.
The focus of the OIG audit was to determine whether sufficient information system general controls had been adopted by the state of North Carolina to ensure its Medicaid eligibility determination system and data were appropriately safeguarded.
The Office of North Carolina Families Accessing Services Through Technology (NC FAST) was given the duty of running North Carolina’s Medicaid eligibility determination system. NC FAST was assessed on entitywide security, access controls, configuration control, network device management, service continuity, mainframe operations and application transition control, and how those controls related to the North Carolina eligibility determination system for State financial year 2016.
OIG determined that the information security general controls were insufficient and did not meet the required federal standards.
The flaws identified by OIG placed the confidentiality, integrity, and availability of North Carolina’s Medicaid eligibility data under threat. The flaws could potentially be exploited by malicious actors to gain access to sensitive information. A cyberattack could also cause critical disruption of North Carolina Medicaid eligibility operations. OIG said that “the vulnerabilities are collectively and, in some cases, individually significant.”
While the flaws could be targeted, no evidence was uncovered to suggest that the system had been compromised or that sensitive information had been seen or taken.
OIG issued several recommendations to North Carolina to ensure its Medicaid eligibility determination system is appropriately protected. North Carolina must work with NC FAST to address all flaws quickly and bring its information security general controls up to the required Federal standards.
North Carolina did not directly respond to the recommendations, but concurred with eight of the nine findings and agreed, in part, with one finding. North Carolina has agreed to carry out corrective work that will resolve all nine security flaws identified by the auditors.
Last year, North Carolina was also discovered to have insufficient controls implemented to ensure the security of its Medicaid claims processing networks. Those networks are operated by CRSA, Inc. OIG auditors similarly found flaws that were collectively and, in some cases, individually significant and could endanger the confidentiality, integrity, or availability of data and its networks. North Carolina concurred with all recommendations and agreed to complete corrective work to address the flaws.