Public Summary Report: Virginia Did Not Adequately Secure Its Medicaid Data

This summary report provides an overview of the results of our audit of the information security controls over Virginia's Medicaid Management Information System (MMIS). It does not include specific details of the vulnerabilities that we identified because of the sensitive nature of the information. We determined that Virginia did not adequately secure its Medicaid data and information systems in accordance with Federal requirements. Virginia had adopted a security program for its MMIS, but numerous significant system vulnerabilities remained. We have provided more detailed information and recommendations to Virginia so that it can address the issues we identified. The findings listed in this summary report reflect a point in time regarding system security and may have changed since we reviewed these systems.

Although we did not identify evidence that anyone had exploited these vulnerabilities, exploitation could have resulted in unauthorized access to and disclosure of Medicaid beneficiary data, as well as the disruption of critical Medicaid operations. These vulnerabilities were collectively and, in some cases, individually significant and could have compromised the integrity of Virginia's Medicaid program.

We recommended Virginia improve its Medicaid security program to secure Medicaid data and information systems in accordance with Federal requirements, provide adequate oversight to its contractors, and address the vulnerabilities identified during our audit.