Audit finds DSS failed to report data breaches

The Department of Social Services (DSS) in Connecticut faced significant challenges due to non-compliance issues, including a loss of nearly $1.8 million in Medicaid funding. Additionally, it failed to report two data breaches, including a phishing scam affecting clients and employees, prompting concerns about safeguarding sensitive information and taxpayer dollars. DSS agreed to improve internal controls for accurate payments and address the data breach. State auditors emphasized the need for stronger data protection and compliance efforts.


Audit Findings: Non-compliance and Reporting Failures

The Department of Social Services (DSS) in Connecticut encountered significant issues, including the loss of $1.8 million in Medicaid funding due to non-compliance with verification requirements for Medicaid-funded services that necessitate home visits. Despite its awareness of the funding decrease, the agency failed to report this loss as required. Furthermore, DSS also neglected to report two data breaches, one of which was a phishing scam affecting 58,964 clients and 21 state employees and contractors. The failure to report these breaches can expose clients to heightened risks of identity theft, medical insurance abuse, and financial fraud. Auditors discovered benefit payments to deceased clients, including $114,930 to residential care facilities. DSS did not recoup these payments.


Auditor’s Recommendations and Agency Response

State auditors recommended that DSS strengthen its internal controls to ensure it makes correct payments to eligible clients, which includes promptly recording the date of death for deceased clients and recouping benefits issued inappropriately to them. In response, DSS acknowledged its failure to report the data breaches and took corrective actions after being notified. However, the agency disputed the need to report the lost Medicaid funding, arguing that it had taken steps to comply with the requirements. State Senator Lisa Seminara expressed disappointment in DSS’s failure to report the data breach, especially in light of the growing cybersecurity threats. She also highlighted the agency’s failure to report the loss of nearly $2 million in revenue, underscoring the importance of data privacy protection and financial responsibility.


Recommendations for Proper Reporting of Data Breaches:

  1. Contain the Breach:
    • Immediate action is crucial. Isolate affected systems, shut down unauthorized access, and limit further data exposure; this is the critical first step to prevent additional harm.
  2. Notification Requirements:
    • Understand the specific legal and regulatory obligations concerning data breach reporting in your jurisdiction, as compliance is vital to avoid potential fines or penalties.
  3. Internal Communication:
    • Notify your internal incident response team and IT department promptly. A coordinated response is essential to assess the extent of the breach and take corrective action.
  4. Document the Incident:
    • Keep meticulous records of the breach, including when and how it was discovered, the systems impacted, and the nature and volume of data compromised, as accurate documentation supports legal and regulatory compliance.
  5. Notify Authorities:
    • If mandated by law, promptly report the breach to the appropriate regulatory authorities, as failure to do so could result in legal consequences for your organization.


Reporting data breaches accurately, promptly, and in compliance with regulations is crucial to minimize damage and maintain trust with affected parties. It’s also essential to learn from each incident to continually improve your organization’s security posture.