Inadequate Security Management Practices Left Utah Department of Health Sensitive Medicaid Data at Risk of Unauthorized Disclosure

The Utah Department of Technology Services' management had not established an effective enterprise security control structure to ensure that adequate information system general controls were implemented in conformance with Federal requirements over the systems used to support the Utah Department of Health's Medicaid eligibility determination and claims processing. These inadequate security management practices put Medicaid systems and data at risk.

We identified 39 high-impact, reportable weaknesses during our earlier comprehensive information system general controls audit of the systems used to support the Utah Department of Health's Medicaid eligibility determination and claims processing.

In written comments on our draft report, the auditee concurred with our recommendations and described corrective actions that it had taken or planned to take.