HHS report says State Medicaid systems show gaps in cybersecurity defense
Farah Amod
Nov 5, 2025 9:20:11 AM
A federal audit reveals that state Medicaid systems are vulnerable to advanced cyber threats and require stronger security controls.
What happened
A series of penetration tests commissioned by the Department of Health and Human Services’ Office of Inspector General (HHS-OIG) found that several state-run Medicaid systems are vulnerable to sophisticated cyberattacks. The tests, carried out between 2020 and 2022 by a third-party firm, focused on Medicaid Management Information Systems (MMIS) and Eligibility & Enrollment (E&E) platforms, tools used by states to manage healthcare benefits and patient data.
The tests were prompted by an increase in attacks against these systems. While some controls were effective against basic threats, the audit revealed that more advanced and persistent threats could bypass current defenses. Simulated phishing tests also exposed training gaps among staff.
Going deeper
The MMIS and E&E platforms are attractive targets for cybercriminals due to the vast amounts of sensitive data they contain, including medical records and eligibility information. Between 2012 and 2023, at least six states experienced major breaches. Notable examples include:
- Texas: 1.8 million individuals affected
- Utah: 780,000 Medicaid recipients affected
- South Carolina: 228,000 affected
Ten jurisdictions were assessed in the audit: Alabama, Illinois, Maryland, Massachusetts, Michigan, Minnesota, South Carolina, South Dakota, Utah, and Puerto Rico. While each had some degree of protection, the tests revealed recurring issues in critical NIST-recommended areas: input validation, encryption settings, flaw remediation, and error handling.
The root causes were often tied to insufficient developer awareness of security standards, failure to secure third-party components, and delays in identifying and patching vulnerabilities.
What was said
HHS-OIG issued 27 recommendations for strengthening cybersecurity across the audited states. Common recommendations included:
- Patching outdated servers
- Enhancing vulnerability detection
- Improving server configuration and protocol support
- Conducting regular evaluations of existing controls
- Updating cryptographic standards and practices
States have acknowledged the findings, with some already beginning to implement corrective actions.
The big picture
According to TechTarget, the OIG report found that many state Medicaid systems failed to implement secure coding and maintenance practices that meet federal standards. “Developers or contractors were not aware of government standards or industry best practices that require them to adhere to secure coding practices and identify and resolve flaws in systems before deploying to production,” the report said. Some states also used outdated third-party libraries and plugins, delaying detection and remediation of vulnerabilities. The OIG warned that “ineffective implementation of security controls in some State MMIS and E&E systems may lead to exploitation of vulnerabilities by malicious actors or insiders,” adding that these lapses “significantly increase the likelihood of successful cyberattacks and gaining unauthorized access to sensitive information.”
FAQs
What is the MMIS, and why does it matter?
The Medicaid Management Information System (MMIS) is a federally required platform that states use to manage Medicaid claims, eligibility, and provider data. It processes and stores vast amounts of sensitive personal and health information.
How do NIST controls relate to Medicaid systems?
The National Institute of Standards and Technology (NIST) publishes security control guidelines used to assess and improve cybersecurity. The HHS-OIG audit found that many of these recommended controls were either missing or ineffective in MMIS and E&E systems.
What’s the difference between an unsophisticated and sophisticated cyberattack?
Unsophisticated attacks may rely on known vulnerabilities or poor passwords. Sophisticated attacks often involve advanced malware, custom exploits, or prolonged access that evades detection, posing a much greater threat to data integrity and system uptime.
Why were phishing simulations included in the test?
Phishing remains one of the most common entry points for attackers. Testing whether staff can recognize and avoid phishing emails helps assess the effectiveness of cybersecurity awareness training within agencies.
What part do third-party tools play in these vulnerabilities?
Many states use third-party plug-ins, libraries, or software components that may not be properly secured or updated. These can introduce new vulnerabilities into otherwise secure systems if not assessed and managed regularly.