Audit: N.J. Medicaid data not secure

May 1, 2008 6:30:41 AM PDT
New Jersey has not monitored access to key personal information in a computer system that tracks care for the poor, leaving no way to know if Social Security numbers and other information about doctors and patients have been misused, a recent state audit found.

The analysis determined that the state Department of Human Services lacks appropriate security policies and procedures for the computer system it uses to process claims for more than 1 million New Jersey Medicaid patients.

The department, according to the analysis, fails to properly monitor access to information such as Social Security and tax identification numbers, Drug Enforcement Agency numbers used to write drug prescriptions, and birth dates.

The April 24 audit by the Office of the State Auditor stated that the lack of monitoring makes it impossible to determine whether an employee is "accessing personally identifiable information for fraudulent purposes."

The audit cited no examples of improper activity but recommended the department log access to sensitive personal information.

"While we realize the undertaking will take a substantial amount of time and effort, the sensitivity of the personally identifiable information certainly demands the attention," the audit stated.

The audit is the third in recent weeks to criticize New Jersey's $9 billion Medicaid program, which is jointly funded by the state and federal government and pays for health care for the poor, elderly, disabled and low-income families with children.

Other audits found people earning as much as $295,000 enrolled in the program and questionable medical equipment purchases.

Senate Budget Chairwoman Barbara Buono, D-Middlesex, said she is disturbed the program is not recording who views sensitive information.

"Certainly there are models in the finance industry, the health industry, the defense industry networks that rely on mechanisms to protect against hackers and unauthorized users," Buono said. "It just seems to me to make eminently more sense to at least track the people who use the system to see if they're using it properly."

She said state taxation officials, for instance, track who views personal records.

"We know that it can be done," Buono said.

In a written response to the audit, John Guhl, the state's Medicaid director, said all employees take training in federal requirements for personal health information.

But he wrote even the best procedures would not guarantee security and said he believes "the current security provisions are adequate."

"As indicated by the auditors, the implementation of this recommendation would require substantial time and effort," Guhl wrote. "This cost would be continuous as resources and time would be needed to monitor and maintain this function."

He told senators during a recent budget hearing that employees cannot access the entire system, only the areas in which they work. He said supervisors know what employees logged into the system and when but not what record was viewed.