Skip to main content

Audit Finds Flaws in Information Systems of Three Medi-Cal Plans

By Doug Desjardins  
   December 15, 2015

The report from the Office of Inspector General did not disclose the names of the health plans for security reasons, but outlined 74 flaws and vulnerable areas in their information systems that need to be addressed, including data stored on flash drives and other devices that were not encrypted.

This article originally appeared in California HealthFax.

An audit conducted by the U.S. Department of Health and Human Services on three Medi-Cal health plan information systems found dozens of security problems that could potentially put patient data at risk.

The report from the Office of Inspector General did not disclose the names of the health plans for security reasons but outlined 74 flaws and vulnerable areas in their information systems that need to be addressed.

"We identified 74 high-risk security vulnerabilities in the information system general controls at three California Medi-Cal managed care organizations we reviewed," the report stated. The problems included data stored on flash drives and other devices that were not encrypted, anti-virus systems and software that were outdated, and passwords that were still active for workers no longer employed by the managed care plans.

The state Department of Health Care Services (DHCS) said it reviewed the study and is working with the health plans on corrective actions. "We have begun working with all three plans to correct the issues," said DHCS spokesperson Tony Cava. "At least one of these plans has already completed corrective work. DHCS expects to receive regular updates on the plans' progress toward fixing these vulnerabilities."

California providers have experienced a number of data breaches and suspected breaches in 2015. In early December, Cottage Health announced that the health data of nearly 11,000 patients may have been compromised. The problem was discovered when an outside security contractor was testing Cottage Health's information technology data systems and discovered that a server had been breached.

In a statement issued on its website, the Santa Barbara-based health system said a single server "was exposed between Oct. 26 and Nov. 8, 2015. Our investigation revealed that limited information of approximately 11,000 Cottage Health patients was exposed." The data that may have been breached included names, addresses, Social Security numbers, and "limited medical information such as diagnosis and procedure." Cottage Health is offering free identity theft protection to patients affected by the breach.

In July, UCLA Health System reported the potential breach of more than 4.5 million patient records. UCLA officials said they detected unusual activity on one of UCLA's computer servers and began investigating with help from the FBI. UCLA said there is currently no evidence that any data on the server was breached. Information on the server included patient names, Social Security numbers, and patient diagnoses and procedures.

Tagged Under:


Get the latest on healthcare leadership in your inbox.