OIG audit identifies information security gap in MCO system

The OIG has released the findings of an audit of Community Health Choice’s information security system used to process confidential Texas Health and Human Services (HHS) information.

Auditors determined that Community First complied with 13 out of 14 essential security controls, including but not limited to awareness and training, incident response, and risk assessment. However, the OIG also discovered that the MCO did not consistently maintain proper authentication of user accounts, including:

• Consistently ensuring that network and claims management accounts were disabled when users no longer required access.

• Enforcement of requirements for locking accounts when unsuccessful login attempts occurred.

• Enforce authentication requirements as required by HHS-Information Security controls. 

As an MCO with clients enrolled in Texas Medicaid and the Children’s Health Insurance Program, Community Health has access and storage rights to confidential system information. Additionally, the insurer may exchange this information with internal staff and external entities. To maintain confidentiality, Community Health is contractually required to manage the data in accordance with HHS Information Security Controls. 

Community Health officials have been briefed on the areas of concern and indicated they had implemented procedures to review and disable inactive or no longer needed accounts.  For the full audit, visit the OIG website.