Report: 3 Medi-Cal Providers Had Data Risks

LOS ANGELES (AP) — Three Medi-Cal health providers risked having data stolen on thousands of patients because of security problems ranging from outdated anti-virus software to retaining the computer passwords of fired workers, according to a federal study released Tuesday.

The Department of Health and Human Services reviewed information system controls for three managed-care organizations from 2012 to 2015 and found 74 potentially high-risk vulnerabilities, according to a report from the inspector general's office.

The study didn't identify the three organizations for security reasons and didn't investigate whether the three organizations had suffered any data breaches.

"An important way to guard against medical identity theft that can result from an exposed data vulnerability is to closely monitor your health plan's explanation of benefits forms and personal credit reports from the three major credit reporting agencies," said Donald White, spokesman for the inspector general's office of the federal department.

California has 87 managed care organizations that serve 9.5 million Medi-Cal beneficiaries.

The federal findings "raise concerns about the integrity of the systems used to process Medicaid managed-care claims," but they don't necessarily mean all the organizations face the same vulnerabilities, the report said, because the organizations had "minor differences" in their information systems.

The report (PDF) didn't provide many explicit details, but it said it found problems with access, information storage and database security. For instance, the report said, one organization failed to properly encrypt health data on portable devices such as flash drives, and one organization didn't track and verify that it had "sanitized" or removed data from and disposed of flash drives and other devices.

One managed-care organization "did not disable user accounts for terminated employees in a timely manner," increasing the risk of an unauthorized person accessing the data, the report said.

Also, an organization failed to properly restrict access to inappropriate websites from its wireless network, according to the report.

The California Department of Health Care Services, which oversees managed-care organizations, "is committed to protecting the confidentiality of our members and the department appreciates OIG's work to identify these data vulnerabilities," spokesman Adam Weintraub said in a statement Tuesday.

"We have begun working with all three plans to correct the issues. At least one of the plans has already completed corrective work," Weintraub said. "DHCS expects to receive regular updates on the plans' progress toward fixing these vulnerabilities."

(Copyright 2015 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.)