Federal investigators say they have found serious computer-security flaws that could lead to the improper disclosure of medical information on people enrolled in Medicare and Medicaid. The investigators, from the Government Accountability Office, said “key information security controls were missing” from a huge communication network used by the federal Centers for Medicare and Medicaid Services, the New York Times reported today.
As a result, they said, personally identifiable information “could be improperly modified, disclosed or deleted.” Moreover, the report said, “these weaknesses could lead to disruptions in services” to millions of beneficiaries.
The network is used to pay claims and to communicate with state Medicaid agencies, health care providers and many private contractors.
Dr. Mark McClellan, administrator of the Centers for Medicare and Medicaid Services, said none of the flaws had led to “actual security breaches.” He said he is taking steps to fix the problems.
But the GAO said Medicare officials would not necessarily know whether a security breach had occurred because they had no “audit trail” to document use of the computer network or a reliable way to detect intrusions into their computers.
Without an audit trail to track past accesses, it’s unclear whether or not a breech has occurred in the past. Medicare and Medicaid patients should be especially cautious with sharing personal information, and should review their credit reports regularly for signs of identify theft or possible abuse.