California Healthline Daily Edition

Summaries of health policy coverage from major news organizations

Audit: Three Medi-Cal Managed Care Groups Have Security Risks

Three Medi-Cal managed care organizations were vulnerable to data breaches because of various security lapses, according to an HHS Office of Inspector General report released Tuesday, the AP/Sacramento Bee reports.

Medi-Cal is California's Medicaid program.

Details of Report

For the audit, OIG reviewed information system controls for three managed care organizations from 2012 to 2015. The auditor did not investigate whether the organizations had experienced any data breaches.

The names of the organizations were not disclosed for security reasons.

Audit Findings

Overall, the investigation revealed 74 high-risk security vulnerabilities.

OIG found issues with:

  • Access controls;
  • Database security; and
  • Information storage.

For example, the audit found that:

  • One organization failed to properly encrypt health data on portable devices;
  • One organization did not track and verify whether it had "sanitized" or expunged data from and dispose of flash drives and other devices; and
  • One organization failed to "disable accounts for terminated employees in a timely manner," which increased the risk of unauthorized access.

According to the report, the findings "raise concerns about the integrity of the systems used to process Medicaid managed-care claims." However, it noted that not all organizations likely would face the same vulnerabilities because of "minor differences" in their information systems.

DHCS Response

In response to the report, Adam Weintraub -- a spokesperson at California Department of Health Care Services, which oversees managed care organizations -- in a statement said the agency "is committed to protecting the confidentiality of our members, and the department appreciates OIG's work to identify these data vulnerabilities."

Weintraub added that DHCS has "begun working with all three plans to correct the issues," noting that at least one plan has completed corrective actions (Jablon, AP/Sacramento Bee, 12/8).

This is part of the California Healthline Daily Edition, a summary of health policy coverage from major news organizations. Sign up for an email subscription.