Public Summary Report: Information Technology Control Weaknesses Found at the Commonwealth of Massachusetts' Medicaid Management Information System

The Massachusetts Medicaid program (MassHealth) did not safeguard Medicaid Management Information System (MMIS) data and supporting systems in accordance with Federal requirements. Specifically, MassHealth had vulnerabilities related to security management, configuration management, system software controls, and Web site and database vulnerability scans.

Although we did not identify evidence that the vulnerabilities had been exploited, exploitation could result in unauthorized access to, and disclosure of, sensitive information, as well as disruption of operations critical to MassHealth. As a result, the vulnerabilities were collectively and, in some cases, individually significant and could have potentially compromised the confidentiality, integrity, and availability of MassHealth's MMIS. These vulnerabilities existed because MassHealth did not implement sufficient controls over its Medicaid data and information systems.

We recommended that MassHealth implement our detailed recommendations to address the findings that we identified related to security management, configuration management, system software controls, and Web site and database vulnerability scans. Because of the sensitive nature of our findings, we have not listed the detailed recommendations in this summary report.