The operators of Maryland's health insurance website did not appropriately safeguard certain sensitive personally identifiable information, according to a state audit released last week.
The state's review, conducted by the state Office of Legislative Audits, includes a fiscal compliance audit of the Maryland Health Benefit Exchange for the period beginning June 1, 2011 and ending July 23, 2014. Concurrently, the state conducted a performance audit of MHBE, which addresses processes employed and decisions made by MHBE prior to the Oct. 1, 2013 launch of the internet portal established for the health insurance marketplace. Maryland's exchange crashed shortly after the hurried October 2013 launch and was later rebuilt.
According to the state audit, MHBE:
- Did not make sure "certain sole source and emergency procurements were properly administered according to its policies."
- Did not verify certain vendor billings for hourly services were correct prior to payment, or verify entities receiving grants totaling $23.4 million during fiscal year 2014 appropriately spent those funds.
- Did not submit requests for federal fund reimbursement in a timely manner; lost interest income attributable to the delays is estimated at $199,000.
- Did not maintain adequate equipment inventory records or properly account for all equipment purchases. Much of the equipment purchases pertained to equipment bought before Oct. 1, 2013 for the original exchange system.
- Did not appropriately safeguard certain sensitive personally identifiable information and federal tax information in its replacement exchange system, which was implemented in November 2014, and did not ensure such information was properly secured.
- Did not properly restrict user access to the replacement exchange system network, application files and servers.
- Did not routinely obtain its review of certain documentation to substantiate vendor billings. Specifically, officials found MBHE made payments totaling $8.2 million to vendors for hourly services without first obtaining payroll and time records to verify that the labor charges billed were proper.
In response to the audit, health exchange officials said auditors in some cases misinterpreted spending policies, according to a report from The Washington Post.
While officials did not encrypt information for more than 500,000 people who used the exchange due to time constraints, the exchange said it did take other steps to safeguard consumers' names, dates of birth and Social Security numbers, according to the report. The exchange also noted the audit found no evidence of data breaches.
Auditors said the state took other measures earlier this year to shield access to data, and those measures have successfully addressed the audit's privacy recommendations, according to The Washington Post.
In a statement, the exchange said it had "made significant progress since the audit period that ended more than a year ago."
Another report examining the management of the exchange project leading up to its launch is expected to be released at a later time.
More articles on health IT:
15 criticisms on the lack of EHR interoperability from an AHA report
3 key focus points for Cerner's annual meeting
4 keys to improving clinical efficiency