Audit Hints At Lax Security in State Adoption Files | Eastern North Carolina Now

    Publisher's note: The author of this post is Dan Way, who is an associate editor for the Carolina Journal, John Hood Publisher.

Inappropriate information sharing possible, though DHHS says measures to protect sensitive materials are in place


    RALEIGH     The Office of State Auditor has renewed warnings about lack of security regarding access to sensitive material in the state Department of Health and Human Services' information systems, but that audit finding was overlooked amid the report of $835 million in questionable Medicaid spending documented in the same audit, released April 4.

    The audit also disparaged DHHS for failing to conduct neglect and sexual abuse background checks on prospective parents in the North Carolina Adoption Assistance program.

    It is uncertain if social services recipients' personal information was at risk of being obtained improperly or illegally, or if such information breaches already have occurred.

    Auditors raised concerns about the Supplemental Nutrition Assistance Program, Special Supplemental Nutrition Program for Women, Infants and Children, vocational rehabilitation services, Medicaid, and the Children's Health Insurance Program.

    In each instance, the auditors wrote: "These deficiencies regard security, which due to their sensitivity, are reported to the Department by separate sensitive letter. Pursuant to North Carolina General Statute 132-6.1(c), the sensitive letter including your responses will not be publicly released."

    And in each instance DHHS replied:

  • "The department has designed and/or implemented corrective actions to address the risks identified in this audit. These corrective actions have been detailed in a response separately submitted to the state auditor. Security risks are given the highest priority by the department and corrective actions will be monitored by senior leadership."

    The issues "could vary in types of security findings," Alexandra Lefebvre, a DHHS spokeswoman, said when asked whether the security concerns involved hacking vulnerabilities. She referred to the audit's citation of a state statute regarding secrecy for not giving a more detailed answer.

    "You could also reach out to the state auditor for details on the language they used in these sections, although, I believe the content would still be confidential," Lefebvre said.

    "Our IT group says these are questions better answered by [DHHS] since they are the custodians of this data," said Bill Holmes, a spokesman in the Auditor's Office. "They consider discussion of these security matters a breach of confidentiality since they were communicated in the 'sensitive' letter."

    "My guess is they're inappropriately sharing personal information" among employees at DHHS, said Josh Archambault, senior fellow at the Florida-based Foundation for Government Accountability, who analyzes health care policy at the state and federal level.

    "[S]tate employees [could] have access to information that they shouldn't," and including items such as Social Security numbers or private health information, Archambault said.

    "It could be" that the computer systems are vulnerable to outside intrusion by hackers, he said. "That's often a concern."

    Another possibility is that the auditor's citations are precautionary, intended to take steps to avoid problems.

    "If they're moving toward a more integrated system" in which information on a person receiving benefits under more than one DHHS program is interlinked across the computer network, "there might be concerns should the food stamp worker see some sort of basic health information if they're on Medicaid as well," Archambault said.

    Regarding the adoption assistance program, the audit stated, "Similar aspects of this finding were reported in previous years, including no documentation of child abuse and neglect registry checks being performed reported in the prior year."

    County departments of social services operate the program under state supervision. Auditors said they tested 506 case files, and found that in 6 percent of the cases the documentation was inadequate.

    Errors included missing documentation of child abuse and neglect registry checks, and files not documenting proof of citizenship. Some clients were ineligible to receive funds under the program or received more than they were eligible to collect.

    Federal law requires background checks on state registries for child abuse and neglect before a child is placed in a home with a prospective parent and other adults living in the home.

    "As a result of not doing the required background checks, children could be placed in an unsafe environment," the audit said.

    In its response, DHHS wrote: "The department will continue to provide training, monitoring, and guidance to county departments of social services to ensure the adequacy of eligibility determinations. Additional requirements will be established and shared with county DSS agencies. The department will review questioned costs identified and make the appropriate recoupments/payments."

    "It's pretty serious in my book ... especially when something's a repeat finding," said Latrice Hickman, chief of program operations, quality improvement, and compliance at Childhelp, a Phoenix, Ariz.-based nonprofit watchdog organization helping victims of child abuse and neglect and at-risk children.

    "Any time the checks and balances aren't followed, where there's smoke there's fire," said Hickman, a child abuse survivor who grew up in the foster care system.

    At a time of international child trafficking, and when criminals hop from state to state, doing criminal background and citizenship checks "are very important," Hickman said.

    "They should be quite concerned" at DHHS, she said. "I would have a special investigation [and] it warrants someone at a high level ... to see exactly where the gap is. It's not up for discussion. That's the very least thing they should do."

    Despite the warnings, Hickman said social service agencies are "asked to do a lot with very little resources" to keep children safe, so "by default you're going to have issues." Sometimes compliance issues occur because rural counties lack the financial resources and availability of adoptive families of metro counties.

    Hickman said the split federal-state-county roles in adoption programs can spawn procedural and paperwork problems.

    And, she said, some auditors more quickly assign a finding of fault over a technicality or benign oversight than would others looking at the same data.
Go Back


Leave a Guest Comment

Your Name or Alias
Your Email Address ( your email address will not be published)
Enter Your Comment ( no code or urls allowed, text only please )




Student Group Sues NC State For Requiring Permits For Any, All Speech Statewide, Government, State and Federal Beaufort County Government's General Meeting Agenda: Monday, May 9, 2016

HbAD0

 
Back to Top