
The lessons involving the recent theft of laptop computers at the Veterans Administration have apparently been ignored by the Centers for Medicare and Medicaid Services (CMS). According to the General Accounting Office (GAO), its review of computer systems:

revealed 47 weaknesses in electronic access controls and other controls. A key reason for these weaknesses was that CMS did not always ensure the effective implementation of its security policies and standards. As a result, sensitive, personally identifiable, medical data traversing this network are vulnerable to unauthorized disclosure, and these weaknesses could lead to disruptions in CMS operations.

Such weaknesses involving sensitive patient data could expose patients who receive Medicare or Medicaid benefits to a heightened risk of identity theft or theft of personal information for other purposes.

Apparently the telephone giant AT&T maintains the computer network used by the CMS agency to transmit confidential and sensitive patient data to various government and private offices around the country.

CMS uses the network to transmit claims data — including patient names, dates of birth, Social Security numbers, addresses and medical information — to health-care facilities, contractors, financial institutions, and state Medicaid offices.

“A security breach in this communication network could lead to interruptions in the processing of medical claims or to unauthorized access to personally identifiable medical data, seriously diminishing the public’s trust in CMS’s ability to protect the sensitive beneficiary data it is entrusted with,” the GAO said in the report.

Recent large-scale computer thefts involving government computers in the Veterans Administration and elsewhere exposed millions of people to the possibility of identity theft. Such incidents should have alerted other government agencies to computer security issues. Apparently, however, the directors at CMS agencies have just learned that they need to consider the risks of identity theft and prioritize data security more appropriately.
