GAO Warns Medicare, Medicaid Data At Risk

Systems used by the Centers for Medicare and Medicaid Services suffer from 47 separate security weaknesses, the Government Accountability Office said in a report.

Gregg Keizer, Contributor

October 4, 2006


Federal security auditors said Tuesday that nearly four dozen lapses in government computer systems have left the medical and personal records of millions of elderly and poor Americans at risk of being accessed by criminals.

Systems used by the Centers for Medicare and Medicaid Services (CMS), which oversees the federally funded health insurance claims and billing that affect 1 in 4 Americans, suffer from 47 separate security weaknesses, the Government Accountability Office (GAO) said in a report released Tuesday.

The CMS's network is privately owned and operated by a contractor, who hasn't always followed federal security guidelines, the GAO charged. Nor has the CMS followed through with the contractor to make sure it's adequately protecting data. "As a result, sensitive, personally identifiable, medical data traversing this network are vulnerable to unauthorized disclosure," claimed the GAO.

Among the lapses the GAO spotted were not limiting access to authorized personnel and failing to encrypt data, whether stored on the network or transmitted across it. The CMS network is regularly used, for example, to transfer data between the Medicare and Medicaid programs and private health providers. That data typically includes name, sex, date of birth, Social Security number, mailing address, patient diagnosis, prescribed drug, and physician's name.

In a formal response to the GAO's report, CMS administrator Mark McClellan said that the contractor has already fixed 22 of the 47 cited weaknesses, but that some -- perhaps as many as 17 -- won't be fixed until January 2007 at the earliest.

He also downplayed the threat. "The GAO found no evidence that confidential or sensitive information had actually been compromised, and our analysts found no instances where beneficiary information had actually been exploited."

The GAO report, which is in PDF form, can be downloaded from the federal government's Web site.
