The potential for unauthorized users to gain access to the agency's computers because of a lack of strict password controls. Passwords are often so simple that outsiders can guess them. Medicare and Medicaid data not being encrypted. "This could allow an attacker to view medical information" on beneficiaries. A failure to keep complete records of who uses the network, so it cannot be determined who views or modifies files.
Senator
Charles
E.
Grassley,
Republican
of
Iowa,
who
requested
the
investigation,
said
Medicare
officials
needed
"to
get
on
top
of
these
shortcomings
immediately."
"Beneficiaries
not
only
rely
on
Medicare
for
their
health
care
coverage,"
said
Mr.
Grassley,
chairman
of
the
Finance
Committee,
which
oversees
Medicare
and
Medicaid,
"they
expect
that
the
private
information
they
entrust
to
the
government
is
kept
private,
safe
and
secure."
Concern
about
computer
security
has
increased
since
May,
when
the
Department
of
Veterans
Affairs
reported
a
laptop
computer
with
personal
information
on
millions
of
veterans
had
been
stolen
from
the
home
of
an
agency
employee.
Dr.
McClellan
said,
"We
are
very
concerned
about
the
specific
control
weaknesses"
identified
in
the
latest
report.
The
computer
network
carries
immense
amounts
of
data
with
personal
information
on
beneficiaries,
including
name,
sex,
date
of
birth,
Social
Security
number
and
home
address.
The
network
also
transmits
medical
and
financial
information,
showing
the
diagnosis
of a
patient's
illness,
prescriptions,
names
of
doctors
and
hospitals,
services
provided
and
the
amounts
paid.
Daniel
R.
Levinson,
the
inspector
general
at
the
Department
of
Health
and
Human
Services,
and
his
predecessors
have
expressed
concern
about
weaknesses
in
Medicare
computer
security.
The
weaknesses
"could
ultimately
result
in
unauthorized
disclosure
of
sensitive
information,
improper
Medicare
payments
or
disruption
of
critical
operations,"
Mr.
Levinson
warned
last
year.
The
computer
network
connects
the
Centers
for
Medicare
and
Medicaid
Services
with
banks,
insurance
companies,
hospitals,
nursing
homes,
health
plans,
other
federal
agencies
and
private
contractors
that
pay
claims
for
the
government.
Medicare
paid
more
than
1.1
billion
claims
last
year.
The
size
of
its
computer
network
and
the
number
of
transactions
increased
this
year
with
the
addition
of a
prescription
drug
benefit.
The
new
program
fills
more
than
three
million
prescriptions
a
day.
Insurers
must
file
detailed
data
on
each
transaction.
In
June,
Medicare
officials
warned
Humana
after
a
company
employee
left
personal
information
on
17,000
Medicare
beneficiaries
unsecured
on a
hotel
computer
in
Baltimore.
The
Bush
administration
is
encouraging
adoption
of
electronic
health
records
and
is
urging
doctors
to
send
prescriptions
electronically
to
drugstores.
It
is
also
asking
beneficiaries
to
keep
track
of
their
health
information,
including
Medicare
claims
and
prescriptions,
by
using
a
new
online
service
at
www.MyMedicare.gov
<http://www.mymedicare.gov/>
. In
fine
print,
the
government
says
it
"does
not
warrant
the
accuracy"
of
information
on
the
Web
site.
