OIG Reports Several Security Vulnerabilities with Alabama’s Medicaid Management Information System

The HHS’ Office of Inspector General (OIG) reviewed Alabama’s Medicaid data and information systems to determine if the state had complied with federal laws. The review included the Medicaid Management Information System (MMIS) and related guidelines and procedures. OIG likewise performed a vulnerability scan of networked equipment, databases, online websites, and servers to spot vulnerabilities that may possibly be taken advantage of by unauthorized persons to gain control of the systems and access sensitive information.

The review showed Alabama’s MMIS had several vulnerabilities that hackers may possibly exploit to access its systems and Medicaid information. Alabama had used a security plan for its MMIS, though a number of vulnerabilities had been permitted to continue. OIG said in its review, the vulnerabilities were jointly and, in some instances, individually important.

OIG failed to uncover any information to indicate the vulnerabilities had been exploited, even so the vulnerabilities did put the credibility of the state Medicaid program in danger. By taking advantage of the vulnerabilities, individuals without authorization may have gotten access to the MMIS and seen, modified, or stolen information. OIG came to the conclusion the state hadn’t accomplished enough to adhere to federal laws regarding data privacy.

In addition, OIG auditors confirmed there was inadequate monitoring of the state’s Medicaid financial agent, HP, to make sure that it had executed proper security measures as was demanded by the conditions of its contract.

Particulars of the vulnerabilities discovered during the review were not publicized, though Alabama was given a comprehensive report and was presented with a number of recommendations to enhance data privacy. Alabama agreed with all the suggestions and has consented to put further controls to better protect its data systems and Medicaid information and will deal with all of the discovered vulnerabilities.

Alabama just disagreed to the report’s title given by OIG – Alabama Did Not Adequately Secure Its Medicaid Data and Information Systems – because Alabama is always striving to protect its Medicare data and information networks. Given that OIG discovered several, major vulnerabilities that may have resulted in the MMIS being jeopardized, the report’s title was not altered.