Brought to you by the Council of the Inspectors General on Integrity and Efficiency
Federal Reports
Department of Health & Human Services
Public Summary Report: Information Technology Control Weaknesses Found at the Minnesota Health Insurance Exchange
Minnesota's Health Insurance Marketplace (MNsure) had implemented security controls, policies, and procedures intended to prevent vulnerabilities in its Web applications (Web site), database, and other supporting information systems. However, it did not always comply with Federal and State information technology requirements when it implemented those security controls, policies, and procedures, which increased MNsure's risk that personally identifiable information (PII) could have been exposed. We conducted tests of MNsure's Web site, database, and supporting information systems and found weaknesses in MNsure systems. Although we did not identify evidence that the vulnerabilities had been exploited, exploitation could have resulted in unauthorized access to and disclosure of PII, as well as disruption of critical marketplace operations. The vulnerabilities were collectively and, in some cases, individually significant and could have potentially compromised the integrity of the marketplace.
Although the California Department of Health Care Services (State agency) made Medicaid electronic health record (EHR) incentive program payments to eligible hospitals, it did not always make these payments in accordance with Federal requirements. Specifically, from October 1, 2011, through December 31, 2015, the State agency made incorrect Medicaid EHR incentive payments to 61 of the 64 hospitals reviewed, totaling $23.2 million. These incorrect payments included both overpayments and underpayments, resulting in a net overpayment of $22 million. Because the incentive payment is calculated once and then paid out over 4 years, payments made after December 31, 2015, will also be incorrect. The adjustments to these payments total $6.3 million.
Environmental Operations (EO) is responsible for the environmental site and field support for all operations, including inspections, environmental sampling, regulatory reporting, and oversight. The OIG assessed strengths and risks that could affect EO's organizational effectiveness. Our review identified strengths in EO related to (1) organizational alignment, (2) positive work relationships with other organizations, (3) management support of employees, and (4) employee teamwork. However, we also identified issues that, if left unresolved, could increase the risk EO will be unable to effectively meet its responsibilities in the future. Specifically, our interviews of EO personnel and review of operational information disclosed issues related to (1) role clarity and relationship issues with Nuclear, (2) staffing concerns and environmental audit coverage, and (3) concerns with one manager's behavior.
In September 2016, we issued a Management Information Report that informed the Department of our concerns regarding how the FSA ID and the Personal Authentication Service were being misused by commercial third parties to take over borrower accounts. The OIG identified this problem through various investigations and developed recommendations to address the misuse. Our report recommended changes to strengthen the banner language for the FSA ID and Personal Authentication Service to enhance the OIG's ability to successfully investigate and prosecute third parties who improperly create, access, or make changes to FSA IDs and accounts. The report also recommended that FSA increase its proactive monitoring of FSA IDs and Personal Authentication Service audit logs and ensure that it proactively monitors the types of abuses identified.