A new audit criticizes the Florida Agency for Health Care Administration and a contractor for failing to properly control access to computer systems that include sensitive information about Medicaid beneficiaries.
Workers had wider access to the computer systems than they needed to do their jobs --- and, in some cases, did not have their access quickly shut off when they left jobs, according to findings released Thursday by the Florida Auditor General's Office.
Also, 17 database administrators shared generic user IDs, making it difficult to track people's activities and to hold them accountable, auditors said.
The audit says the Medicaid program is "highly dependent on the security, integrity and proper functioning'' of the computer systems to make sure there is accurate payment of Medicaid benefits and to report information for federal oversight.
Also, the systems include information such as Medicaid beneficiary names, dates of birth, social-security numbers and medical services received. The audit describes effective information-technology controls as "critical.''
"These control issues limit the agency's assurance of the security and reliability of Medicaid program data and the agency's accountability over the Medicaid program,'' an audit summary says.
In a written response to the audit, the Agency for Health Care Administration acknowledges the issues and lists a series of steps aimed at fixing problems. As an example, it says contractor HP Enterprise Services LLC will do a thorough review and make changes by Dec. 31 to try to ensure workers have the proper levels of access to the systems.
The agency, however, indicated it had approved the arrangement in which 17 people share user IDs. It described those people as a "core HP team of 'floaters,' who are assigned to various state accounts on temporary bases to assist with additional or 'expert' coding and testing.''
The audit focuses on what are known as the Florida Medicaid Management Information System and the Decision Support System.
The Florida Medicaid Management Information System is used to enroll and reimburse health-care providers and to process claims. Data from that system goes into the Decision Support System for reporting and analysis.
HP Enterprise Services, which is the Medicaid program's fiscal agent, developed and operates the systems, according to the audit.
The audit does not indicate whether holes in controlling access to the systems have led to breaches of information. One section, however, refers to problems in certain security controls --- but declines to discuss details because of the possibility of compromising AHCA data and other information.
"Without adequate security controls in the areas of user authentication, session controls and logging of system activity, the confidentiality, integrity and availability of data and IT resources may have been compromised, increasing the risk that Agency data and IT resources may have been subject to improper disclosure, modification, or destruction,'' the audit says.
Capital Bureau Chief Jim Saunders can be reached at 850-228-0963 or by e-mail at jim.saunders@healthnewsflorida.org.