This summary report provides an overview of the results of our audit of the information security controls over Virginia's Medicaid Management Information System (MMIS). It does not include specific details of the vulnerabilities that we identified because of the sensitive nature of the information. We determined that Virginia did not adequately secure its Medicaid data and information systems in accordance with Federal requirements. Virginia had adopted a security program for its MMIS, but numerous significant system vulnerabilities remained. We have provided more detailed information and recommendations to Virginia so that it can address the issues we identified. The findings listed in this summary report reflect a point in time regarding system security and may have changed since we reviewed these systems.
VA
United States
