A four-decade-old computer system and poor safety measures at South Carolina's Medicaid agency exposed the personal health information of roughly 1 million residents to risk of cybertheft, according to a federal report released Friday.
HHS' Office of Inspector General found that, at the time of its evaluation in 2013, the Medicaid agency did not have a security plan for its computer system, had no encryption for laptops and had not properly trained employees. The report purposefully did not give specifics.
Director Christian Soura said Thursday that his agency has already implemented the safeguards recommended by the report: "The good news for us is that we've taken action on every one of the findings."
The report notes inspectors found no evidence that any hacking of Medicaid data had occurred.
"Although we did not find evidence that anyone had exploited these weaknesses, exploitation could have resulted," the report said. "The weaknesses were collectively and, in some cases, individually significant and could have compromised the integrity of the state's Medicaid program."
That agency processed $5 billion in claims for 966,602 beneficiaries in 2012, the report states.
The federal review followed the massive hacking at South Carolina's Revenue Department, which involved information stolen from the electronically filed tax returns of 3.8 million adults and 700,000 businesses. The 74 gigabytes of stolen data included unencrypted Social Security numbers — of the adults and their 1.9 million dependents — and bank account numbers.
According to the inspector general's office, it chose South Carolina for review because of the fall 2012 cybercrime at Revenue, a breach earlier that year in the Medicaid agency and concerns about the nation's oldest computer system for paying Medicaid providers.
The state is in the process of replacing that system, which is between 35 and 40 years old. The new system is not expected to be operating until June 2018, said Soura.
The federal government, which is funding 90 percent of the cost, should receive formal plans in the coming weeks. Federal approval is required before the state's contract bidding process can start, he said.
The overhaul is expected to cost more than $100 million total.
Soura said improvements and training will be ongoing to deal with new security threats as technology changes.
In April 2012, a former project manager at his agency was arrested for compiling the data of more than 228,000 Medicaid recipients on a spreadsheet and sending it to his private email account. He was later sentenced to three years of probation and community service.
No one has been arrested for the Revenue hacking.