The Department of Social Services lost nearly $1.8 million in Medicaid funding due to non-compliance and failed to report a data breach impacting almost 59,000 patients, according to a Tuesday report by the Auditors of Public Accounts.
State auditors reviewed the agency’s internal controls and policy compliance for the fiscal years of 2019, 2020, and 2021. The 63-page report identified several instances when the agency did not make statutorily required reports.
They included a failure to report $1,799,350 in lost funding due to noncompliance with verification requirements for Medicaid-funded services that require a home visit. The agency also failed to report two data breaches, including a phishing scam impacting 58,964 clients as well as 21 state employees and contractors.
“Breaches of data increase a client’s risk of identity theft, medical insurance abuse, and financial fraud,” the auditors wrote. “DSS incurred costs for two-year security monitoring for clients identified in the breaches. DSS experienced revenue losses that it cannot recover.”
In an agency response included in the report, the department agreed it should have notified auditors of the data breaches and said it acted on the issue when it was notified.
“An extensive forensic review was conducted that did not find evidence that client information had been disclosed,” DSS responded in the report. “The Department notified the affected clients to offer identity-theft protection services and notified the United States Department of Health and Human Services Office of Civil Rights.”
Meanwhile, the agency disputed the auditors’ finding that it needed to report the lost Medicaid funding. Notification was not required because DSS knew of the funding decrease and had worked to comply with the requirements, the agency argued.
“DSS was aware of the associated decrease in funding due to non-compliance and continued to work to meet the requirements,” the department wrote. “The financial impact was known, accounted for, and reported accordingly.”
In reviewing other accounts, auditors found that the department had issued benefit payments for clients who were deceased. For instance, DSS paid $114,930 to six residential care facilities for eight deceased patients. The agency did not recoup the payments, the auditors wrote.
The auditors recommended that DSS strengthen its internal controls to ensure it is making correct payments to “eligible” clients.
“The department should record deceased clients’ date of death in ImpaCT [a state eligibility system] and close the case file promptly upon verification that the client died,” the auditors wrote. “The department should recoup benefits issued to deceased clients and residential care facilities.”
The agency agreed with the auditors’ suggestion, saying it would “work to improve internal controls around this process to ensure ImpaCT is updated promptly with date of death information and that corrective actions are taken timely regarding benefits that have been used inappropriately.”
The report prompted a statement from Sen. Lisa Seminara, an Avon Republican who serves as a ranking member of the legislature’s Human Services Committee. Seminara said it was disappointing to learn DSS did not report the breach of highly sensitive information given the recent prevalence of cybersecurity threats.
“In addition, not reporting nearly $2 million in lost revenue was a preventable error,” Seminara said. “As the state auditors note, the department should have filed a loss report, explained the circumstance, and described a corrective action plan. Every taxpayer dollar is precious, and data privacy protection must be a top priority for the agency going forward.”