By ROBERT PEAR
October 8, 2006
WASHINGTON, Oct. 7 Federal investigators say they have found serious
computer security flaws that could lead to the improper disclosure of
sensitive medical information on people enrolled in Medicare and
In a new report, the investigators, from the Government Accountability
Office, said key information security controls were missing from a huge
communication network used by the federal Centers for Medicare and
As a result, they said, sensitive, personally identifiable information
could be improperly modified, disclosed or deleted. Moreover, the report
said, these weaknesses could lead to disruptions in services to millions
of Medicare and Medicaid beneficiaries.
The network is used to pay claims and to communicate with state Medicaid
agencies, health care providers and many private contractors.
Dr. Mark B. McClellan, administrator of the Centers for Medicare and
Medicaid Services, said none of the flaws had led to actual security
breaches. Dr. McClellan said he was taking steps to fix the problems.
But the G.A.O. said Medicare officials would not necessarily know if a
security breach had occurred because they had no audit trail to document
use of the computer network, or a reliable way to detect intrusions into
In their report, the investigators described several problems:
The potential for unauthorized users to gain access to the agencys
computers because of a lack of strict password controls. Passwords are
often so simple that outsiders can guess them.
Medicare and Medicaid data not being encrypted. This could allow an
attacker to view medical information on beneficiaries.
A failure to keep complete records of who uses the network, so it cannot
be determined who views or modifies files.
Senator Charles E. Grassley, Republican of Iowa, who requested the
investigation, said Medicare officials needed to get on top of these
?Beneficiaries not only rely on Medicare for their health care coverage,
said Mr. Grassley, chairman of the Finance Committee, which oversees
Medicare and Medicaid, they expect that the private information they
entrust to the government is kept private, safe and secure.
Concern about computer security has increased since May, when the
Department of Veterans Affairs reported a laptop computer with personal
information on millions of veterans had been stolen from the home of an
Dr. McClellan said, We are very concerned about the specific control
weaknesses identified in the latest report. The computer network carries
immense amounts of data with personal information on beneficiaries,
including name, sex, date of birth, Social Security number and home
address. The network also transmits medical and financial information,
showing the diagnosis of a patients illness, prescriptions, names of
doctors and hospitals, services provided and the amounts paid.
Daniel R. Levinson, the inspector general at the Department of Health
and Human Services, and his predecessors have expressed concern about
weaknesses in Medicare computer security. The weaknesses could
ultimately result in unauthorized disclosure of sensitive information,
improper Medicare payments or disruption of critical operations, Mr.
Levinson warned last year.
The computer network connects the Centers for Medicare and Medicaid
Services with banks, insurance companies, hospitals, nursing homes,
health plans, other federal agencies and private contractors that pay
claims for the government.
Medicare paid more than 1.1 billion claims last year. The size of its
computer network and the number of transactions increased this year with
the addition of a prescription drug benefit. The new program fills more
than three million prescriptions a day. Insurers must file detailed data
on each transaction.
In June, Medicare officials warned Humana after a company employee left
personal information on 17,000 Medicare beneficiaries unsecured on a
hotel computer in Baltimore.
The Bush administration is encouraging adoption of electronic health
records and is urging doctors to send prescriptions electronically to
drugstores. It is also asking beneficiaries to keep track of their
health information, including Medicare claims and prescriptions, by
using a new online service at www.MyMedicare.gov. In fine print, the
government says it does not warrant the accuracy of information on the
Copyright 2006 The New York Times Company
Donate online for the Ron Santo Walk to Cure Diabetes!