A federal inspector general says the computer system behind New Mexico’s Medicaid program fell short of the U.S. government’s security requirements during a review that found data was left vulnerable and operations were put at risk.
A report released last week by the top watchdog at the U.S. Health and Human Services Department did not find evidence that anyone had used the vulnerabilities to break into the state’s health insurance program for low-income people.
But the report cautioned that holes in security could have compromised the program’s confidentiality and integrity.
A spokesman for the New Mexico Human Services Department, which manages the program, said Wednesday that “all issues regarding Medicaid data highlighted by the auditors have since been resolved.”
“The Department is committed to making sure New Mexicans receive the Medicaid services they need as well as making sure that Medicaid data is protected,” Joseph Cueto said in an email.
The review, conducted in March 2016, came just a few years after the state government budgeted nearly $20 million to upgrade the Human Services Department’s system for handling Medicaid applications as well as applications for several other benefit programs, such as food stamps. The overhaul was the biggest information technology project in the state’s history and cost nearly $100 million more in federal funds.
Meanwhile, the Medicaid program has grown dramatically since Gov. Susana Martinez agreed in 2013 to expand eligibility to adults with low incomes as part of the Affordable Care Act.
Nearly 900,000 people were enrolled in New Mexico’s Medicaid program as of June.
The inspector general has not released the full report, which details the vulnerabilities that auditors found and other sensitive information.
But a summary of the results released to the public was blunt, saying the New Mexico Human Services Department “did not adequately secure its Medicaid data and information systems, potentially compromising the integrity of its Medicaid program, which could have resulted in unauthorized access to and disclosure of Medicaid beneficiary information.”
“Although HSD adopted a security program for its eligibility systems, we identified system vulnerabilities that potentially placed HSD’s operations at risk,” the summary report said. “These vulnerabilities existed because HSD had not implement[ed] sufficient controls over its Medicaid data and information systems.”