Maryland did not adequately follow federal requirements to secure its Medicaid data and information systems, according to an HHS Office of Inspector General report. Although Maryland had adopted a Medicaid security program for its MMIS, numerous significant system vulnerabilities existed.

The OIG conducted its report as part of an ongoing review of the computer systems that states use to administer HHS-funded programs, such as Medicaid. For the report, the OIG reviewed Maryland’s policies and procedures for its Medicaid Management Information System, interviewed staff and conducted a vulnerability assessment of network devices, websites, servers and databases.

The OIG concluded that although Maryland had adopted a security program for its Medicaid Management Information System, there were “numerous significant system vulnerabilities.”

“Although we did not identify evidence that anyone had exploited these vulnerabilities, exploitation could have resulted in unauthorized access to and disclosure of Medicaid data, as well as the disruption of critical Medicaid operations,” the report reads.

The OIG recommended Maryland improve its security program for Medicaid data in accordance with federal requirements. Maryland concurred with the recommendations and has taken steps to implement them, according to the report.

To download the OIG’s report, click here.