OIG scolds New Mexico for failing to secure Medicaid data
New Mexico’s Human Services Department didn’t “adequately secure” its Medicaid data and IT systems according to federal requirements, a report from the U.S. Department of Health and Human Services’ Office of the Inspector General found.
Further, OIG officials found systemic vulnerabilities in New Mexico’s newly adopted security system that, if exploited, could put the state’s HSD data at risk. The flaws were caused by a failure to implement sufficient controls on its Medicaid data and IT systems.
“Although we did not identify evidence that the vulnerabilities had been exploited,” officials said in a statement, “exploitation could have resulted in unauthorized access to, and disclosure of, sensitive information, as well as in disruption of New Mexico's critical operations.”
“As a result, the vulnerabilities were collectively and, in some cases, individually significant and could have potentially compromised the confidentiality, integrity, and availability of New Mexico's eligibility systems,” officials added.
HSD migrated its legacy eligibility systems to the Automated System Program and Eligibility Network in 2014. The implementation was meant to improve patient access to services and give staff more advanced and efficient tools.
However, OIG auditors found inherent risks in its migration, based on a prior audit, which prompted this latest evaluation.
OIG shared these flaws with HSD, but left details out of its report to prevent exploitation. In its report to HSD, OIG also shared recommendations to improve its security posture. HSD concurred with all but one of OIG’s findings and corrective actions.
HSD did not agree with OIG about its recommendation on the agency’s compensating control, but accepted all associated risks with the tool. Officials said OIG continues to recommend HSD implement its recommendation