Series: Penetration Tests of State Medicaid Management Information Systems and Eligibility & Enrollment Systems

Announced on  | Last Modified on  | Series Number: W-00-24-42028

OBJECTIVE

State Medicaid agencies use the Medicaid Management Information System (MMIS) for administering the Medicaid program; processing beneficiary and provider inquiries and services; operating claims control and computer capabilities; and managing reporting for planning and control. State Medicaid Eligibility & Enrollment (E&E) systems support processes related to a determination of Medicaid coverage and required procedures necessary for registration. State agencies are responsible for the security of MMIS and E&E systems. HHS OIG will perform a series of penetration tests in select State MMIS or Medicaid E&E environments to identify cybersecurity vulnerabilities on high-risk information systems and networks.

There are 7 projects in this series.

COMPLETED PROJECTS IN THIS SERIES (7)

Summary Report of Prior Office of Inspector General Penetration Tests of 10 State MMIS and E&E Systems

Illinois

Penetration Testing of the State of Alabama's Medicaid Management Information System and Enrollment and Eligibility Systems

South Carolina

Utah

South Dakota

Maryland

TIMELINE

  • November 8, 2020
    Series Number W-00-24-42028 Assigned
  • November 8, 2020
    Project Announced

    Utah - A-18-21-09001

  • March 15, 2021
    Projects Announced

    Maryland - A-18-21-09003

    South Dakota - A-18-21-09004

  • December 6, 2021
    Project Announced

    South Carolina - A-18-22-09005

  • May 2, 2022
    Project Announced

    Illinois - A-18-22-09009

  • June 6, 2022
    Project Announced

    Penetration Testing of the State of Alabama's Medicaid Management Information System and Enrollment and Eligibility Systems - A-18-22-09010

  • May 25, 2023
    Project Complete - A-18-21-09003

    Maryland has been marked as complete. This audit resulted in 4 recommendations.

  • October 18, 2023
    Project Complete - A-18-21-09004

    South Dakota has been marked as complete. This audit resulted in 1 recommendation.

  • March 15, 2024
    Project Complete - A-18-21-09001

    Utah has been marked as complete. This audit resulted in 2 recommendations.

  • March 15, 2024
    Project Complete - A-18-22-09005

    South Carolina has been marked as complete. This audit resulted in 1 recommendation.

  • March 28, 2024
    Project Complete - A-18-22-09010

    Penetration Testing of the State of Alabama's Medicaid Management Information System and Enrollment and Eligibility Systems has been marked as complete. This audit resulted in 5 recommendations.

  • May 30, 2024
    Project Announced

    Summary Report of Prior Office of Inspector General Penetration Tests of 10 State MMIS and E&E Systems - A-18-24-00002

  • August 15, 2024
    Project Complete - A-18-22-09009

    Illinois has been marked as complete. This audit resulted in 3 recommendations.

  • October 10, 2025
    Project Complete - A-18-24-00002

    Summary Report of Prior Office of Inspector General Penetration Tests of 10 State MMIS and E&E Systems has been marked as complete. Report Published

  • October 10, 2025
    Series Complete

    Penetration Tests of State Medicaid Management Information Systems and Eligibility & Enrollment Systems has been marked as complete.

7 REPORT PUBLISHED

24-A-18-048.01 to CMS - Closed Implemented
Closed on 02/03/2025
We recommend that the Utah Department of Health remediate the remaining three security control findings identified by OIG.

24-A-18-048.02 to CMS - Closed Implemented
Closed on 02/03/2025
We recommend that the Utah Department of Health revise flaw remediation procedures such that they fully implement the flaw remediation requirements defined in the CMS Acceptable Risk Safeguards (ARS), SI-02 Flaw Remediation (High; Moderate; Low) control.

23-A-18-078.01 to CMS - Closed Implemented
Closed on 12/17/2024
We recommend that the Maryland Department of Health remediate the seven control findings OIG identified.

23-A-18-078.02 to CMS - Closed Implemented
Closed on 06/20/2024
We recommend that the Maryland Department of Health assess the effectiveness of all required NIST SP 800-53 controls according to the organization's defined frequency.

23-A-18-078.03 to CMS - Closed Implemented
Closed on 06/20/2024
We recommend that the Maryland Department of Health assess at least annually and if necessary, adjust baseline configurations for its MMIS and E&E public servers.

23-A-18-078.04 to CMS - Closed Implemented
Closed on 12/17/2024
We recommend that the Maryland Department of Health perform periodic phishing exercises and enhance employee and contractor cybersecurity awareness training based on the results of the phishing exercises, if needed.

24-A-18-005.01 to CMS - Closed Implemented
Closed on 09/24/2025
We recommend that the South Dakota Department of Social Services remediate the six control findings OIG identified.

24-A-18-049.01 to CMS - Open Unimplemented
Update expected on 04/02/2026
We recommend that the SCDHHS remediate the remaining two control findings (SI-10 and SC-8) in accordance with government standards and periodically test the effectiveness of these controls.

24-A-18-097.01 to CMS - Open Unimplemented
Update expected on 06/02/2026
We recommend that the Illinois Department of Healthcare and Family Services remediate the four security control findings identified by OIG.

24-A-18-097.02 to CMS - Open Unimplemented
Update expected on 06/02/2026
We recommend that the Illinois Department of Healthcare and Family Services develop and implement flaw remediation policies and procedures for effectively identifying vulnerabilities, prioritizing them based on potential impact and exploitability, and remediating them within a defined timeframe as required by NIST SP 800-53, SI-2, Flaw Remediation, or other standards governing security of Federal systems and information.

24-A-18-097.03 to CMS - Open Unimplemented
Update expected on 06/02/2026
We recommend that the Illinois Department of Healthcare and Family Services enhance its testing procedures to include performing more robust technical testing of web-facing systems and emulation of an adversary's tactics and techniques on a defined reoccurring basis, in order to better assess the effectiveness of NIST SP 800-53 controls.

24-A-18-056.01 to CMS - Closed Implemented
Closed on 10/16/2025
We recommend that the Alabama Medicaid Agency remediate the six control findings OIG identified.

24-A-18-056.02 to CMS - Closed Implemented
Closed on 10/04/2024
We recommend Alabama evaluate its current vulnerability scanning tools and update if necessary in order to better detect system flaws (e.g., common web server vulnerabilities) in its MMIS and E&E system and software components.

24-A-18-056.03 to CMS - Closed Implemented
Closed on 10/16/2025
We recommend Alabama require its developers to follow secure coding standards and best practices, at a minimum, such as those recommended by NIST SP 800-218 or the Open Web Application Security Project (OWASP), when developing web applications.

24-A-18-056.04 to CMS - Open Unimplemented
Update expected on 04/16/2026
We recommend Alabama implement procedures to periodically verify that its developers are adhering to secure coding standards and remediating vulnerabilities before releasing code to production.

24-A-18-056.05 to CMS - Open Unimplemented
Update expected on 04/16/2026
We recommend Alabama perform more robust technical testing of web-facing systems that includes the emulation of an adversary's tactics and techniques on a defined reoccurring basis in order to better assess the effectiveness of NIST 800-53 controls.
