OIG performed a vulnerability assessment scan to determine if there were existing vulnerabilities on the MMIS (Medicaid Management Information System) network, devices, websites and database. And while OIG officials found the state adopted a security program for the system, there were “significant system vulnerabilities.”
Officials did not disclose details of the vulnerabilities found, but said that they were significant enough to “have allowed unauthorized access and exposed Medicaid data and the disruption of critical Medicaid operations.”
The state said there was no evidence of a breach or unauthorized access. And, while a security program was in place, the controls were not sufficient to keep the systems protected. Recommendations were made to the state to update the security program and systems to meet federal requirements.