WASHINGTON — Security weaknesses have left millions of elderly, disabled and poor Americans vulnerable to unauthorized disclosure of their medical and personal records, federal investigators said Tuesday.
The Government Accountability Office said it discovered 47 weaknesses in the computer system used by the Centers for Medicare and Medicaid Services to send and receive bills and to communicate with health care providers.
The agency oversees health care programs that benefit one in every four Americans. Its massive amount of data is transmitted through a computer network that is privately owned and operated.
However, CMS did not always ensure that its contractor followed the agency's security policies and standards, according to the GAO report released Tuesday.
"As a result, sensitive, personally identifiable medical data traversing this network are vulnerable to unauthorized disclosure," the federal investigators said. "And these weaknesses could lead to disruptions in CMS operations."
Mark McClellan, administrator for the Centers for Medicare and Medicaid Services, said the agency was working to address problems cited in the report but noted the GAO "found no evidence that confidential or sensitive information had actually been compromised."
"Security of our beneficiaries' data is paramount and we appreciate GAO's assistance in identifying important opportunities for the contractor to strengthen network security," he said.
In the past year, security breaches have led to closer scrutiny of how government agencies maintain sensitive information about the people they serve. The most notable example was the theft of a laptop computer from a Veterans Affairs employee, which contained personal data on about 26.5 million people. The laptop was later recovered. Its contents had not been accessed or copied.
But the theft put a scare into many veterans and prompted calls for major changes in how government records with personal information are secured.
The network handling Medicare claims transmits extremely personal information, such as a patient's diagnosis, the types of drugs the patient takes, plus the type of treatment facility they visited, including treatment centers for substance abuse or mental illness.
In addition, claims data contains personally identifiable information such as Social Security numbers, addresses and dates of birth, the investigators said.
The investigators and CMS emphasized that the report focuses solely on the transmission of data. The auditors did not evaluate security controls for the servers used to store patient data.
That's an important distinction because "intercepting or compromising information during transit across the network would be difficult," McClellan said.
The report does not name the contractor that oversees the data transmissions.
Sen. Charles Grassley, R-Iowa, expressed dismay over the audit's findings and said Medicare and Medicaid officials need to respond quickly.
"Program officials need to get on top of these shortcomings immediately," said Grassley, chairman of the Senate Finance Committee. "Beneficiaries and providers expect that sensitive health information is protected, and it's up to the agency officials to ensure the system is secure."
According to the audit, other weaknesses included:
- Inadequate ability to identify and authenticate the users managing the network.
- Insufficient control of network access and privileges.
- Inadequate controls to protect the network from external attacks.
- Inadequate audit trails to determine the source of any transaction within the network.
CMS officials said they have already corrected 22 of the 47 weaknesses cited by auditors. Another 19 weaknesses were scheduled to be resolved soon, and the remaining six were under review to determine what additional resources were needed.
Copyright 2006 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.