Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Public Summary Report: Information Technology Control Weaknesses Found in the New Mexico Human Services Department's Medicaid Eligibility Systems

Issued on  | Posted on  | Report number: A-06-16-05000

Report Materials

This summary report provides an overview of the results of our audit of the information system general controls over the New Mexico Medicaid eligibility systems. It does not include specific details of the vulnerabilities that we identified because of the sensitive nature of the information. We have provided more detailed information and recommendations to New Mexico so that it can address the issues we identified. The findings listed in this summary report reflect a point in time regarding system security and may have changed since we reviewed these systems.

New Mexico had not adequately secured its Medicaid data and information systems in accordance with Federal requirements. Although New Mexico adopted a security program for its eligibility systems, we identified system vulnerabilities that potentially placed New Mexico's operations at risk. These vulnerabilities existed because New Mexico had not implemented sufficient controls over its Medicaid data and information systems.

Although we did not identify evidence that the vulnerabilities had been exploited, exploitation could have resulted in unauthorized access to, and disclosure of, sensitive information, as well as in disruption of New Mexico's critical operations. As a result, the vulnerabilities were collectively and, in some cases, individually significant and could have potentially compromised the confidentiality, integrity, and availability of New Mexico's eligibility systems.

We recommended that New Mexico implement our detailed recommendations to address the findings we identified in its eligibility system security program. In written comments on our draft report, New Mexico stated that it concurred with all of our findings and described corrective actions that it had taken or plans to take. However, New Mexico did not concur with one of our recommendations and described a compensating control and that they elected to accept all risks related to the control.

Report Type
Audit
HHS Agencies
Centers for Medicare and Medicaid Services
Issue Areas
-
Target Groups
-
Financial Groups
-

Notice

This report may be subject to section 5274 of the National Defense Authorization Act Fiscal Year 2023, 117 Pub. L. 263.