Insufficient monitoring could mean N.J. Medicaid data is compromised
N.J. Medicaid program may have exposed Social Security numbers of docs and patients. Source: Wall Street Journal  
Key personal information in a computer system that tracks care for the poor in New Jersey has not been adequately monitored, leaving the state unsure if Social Security numbers and other information about doctors and patients have been misused, according to a recent audit.

The state’s Department of Human Services lacks appropriate security policies and procedures for the computer system it uses to process claims for more than one million New Jersey Medicaid patients, the analysis by the Office of the State Auditor revealed, reported the Philadelphia Inquirer.

The audit also found that the department failed to properly monitor access to information such as Social Security and tax identification numbers, Drug Enforcement Agency numbers used to write drug prescriptions and birth dates.

This lack of monitoring makes it impossible to determine whether an employee is "accessing personally identifiable information for fraudulent purposes," according to the audit, which cited no examples of improper activity but recommended the department log access to sensitive personal information.

The audit is the third in recent weeks to criticize New Jersey's $9 billion Medicaid program, which is jointly funded by the state and federal government and pays for healthcare for the poor, elderly, disabled and low-income families with children, the Inquirer reported.

Other audits found people earning as much as $295,000 enrolled in the program and questionable medical equipment purchases.

John Guhl, the state's Medicaid director, in a written response to the audit, said all employees are trained in federal requirements for personal health information. He told senators during a recent budget hearing that employees can only access the entire system from the areas, in which they work. He said supervisors know which employees logged into the system and when but not what record was viewed.