Audit Faults MVA For Suspicious Addresses, ‘Points’ Not Applied

The Maryland Motor Vehicle Administration issued drivers licenses to thousands of people who used questionable addresses as their place of residence, failed to properly track serious driving infractions that occurred in other states, and neglected to properly safeguard personal information, a legislative audit concluded.

MVA agreed with 11 of the 12 issues raised in the review, which was released on Monday by the General Assembly’s Office of Legislative Audits, and has either addressed them or is in the process of doing so.

One of the findings remains a source of disagreement between MVA and OLA.

The “fiscal compliance audit” covered more than three years — from Dec. 15, 2015 to June 2, 2019. The 43-page report, provided to the legislature’s Joint Audit and Evaluation Committee, included a formal response from MVA as an appendix.

Members of the legislature said some of the findings are alarming.

Addresses used multiple times

Auditors found that — as of a year ago — 5,879 addresses were used as the primary address for 76,882 individuals. The vast majority were large dwellings, such as apartment buildings or condos. But not all.

“Based on online property searches and State Department of Assessment and Taxation records, we determined that 106 addresses, each with 20 or more individuals, appeared to be single family residential dwellings (such as single family house, townhouse, or an individual apartment), rather than group residences,” the report found.

“For example, there were 26 individuals licensed at one 910 square foot dwelling.”

Another home — a 1,400 square foot townhouse — was linked to 30 individuals. Seven of the 30 licenses connected to that address “appeared fabricated” and the validity of the remaining 23 could not be determined, investigators wrote.

“Obviously there weren’t controls in place that would have prevented that,” said Del. Carol L. Krimm (D-Frederick), co-chair of the audit committee. “That should have been spotted by somebody in the process.”

In some cases, an address may be used multiple times because tenants or relatives moved without updating their records, the report noted. But MVA needs to do more to flag suspicious data — and to follow up when the public provides tips on potential fraud.

MVA “did not take appropriate follow-up action when a questionable address was identified by its Investigation Unit,” according to OLA.

Out-of-state “points” unaccounted for 

Auditors also found that Maryland often fails to update its records when a motorist commits a serious offense in another state.

OLA found that of the 2,704 out-of-state convictions recorded by MVA’s Reciprocity Unit, the agency failed to post the points associated with those acts nearly half the time, in 1,275 cases. That meant records for 1,172 individuals were incomplete.

Auditors looked in-depth at ten of the cases and found that even when points were posted to the driver’s record, their license remained valid.

“We found that MVA did not record the required points associated with these offenses for 5 individuals, and while it did record the points for the other 5 individuals, in none of 10 cases did MVA process the required suspension or revocation action,” the report said.

The vast majority of the convictions were for driving under the influence of alcohol or drugs.

“There are some concerning findings here,” said Sen. Clarence Lam (D-Howard), the other co-chair of the audit panel. “There are real safety and security aspects that are shortcomings… that, if not addressed, could potentially put Marylanders’ lives at risk on the road.”

Repeat use of Social Security Numbers

Although the MVA uses software to detect fraudulent use of Social Security numbers, auditors found 70 identifiers that were used by 140 people — instances that the state missed.

After reviewing further, OLA determined that 12 were improper. “For example, MVA found one SSN was used to issue REAL IDs to two different individuals two years apart.” The remaining 58 were single individuals with multiple accounts that should have been consolidated.

Access to personal information

The OLA finding that MVA officials disputed involved how personal information is safeguarded within the agency.

Auditors concluded that “due to limitations with the MVA licensing and drivers records systems, sensitive personal identifiable information for millions of individuals was stored in a manner that did not provide adequate safeguards and licensing information was accessible to numerous employees.”

The agency also failed to identify and terminate unnecessary user access to the system, auditors said.

In its response to the audit, the agency rejected these claims.

“The mainframe uses multiple data protection measures,” motor vehicle officials wrote. “The additional systems MDOT MVA currently uses to protect [personally identifiable information (PII)] are also fully Federal Information Processing Standard compliant in accordance with accepted industry standards.”

MVA said its existing mainframe computer system will be replaced in December, 2021. It will have “added functionality to further safeguard and restrict access to PII.”

With the exception of the dispute about access to records, recommendations made by OLA in the other findings have been addressed by the agency or will be implemented some time this year.

In a statement emailed to Maryland Matters, the agency said it “emphasizes safety, security and customer service as its top priorities.”

“MDOT MVA performs internal reviews and audits with the goal to constantly improve our operations and procedures. We welcome the additional review of the Office of Legislative Audits, and we are proud to have the fewest number of findings and repeat items as compared to the last several legislative audit reviews.”

MVA has partnerships with other state agencies, including a birth records initiative with the Department of Health, Lam said, making it critical that the agency is firing on all cylinders.

“If MVA officials have access to [birth records and vital statistics] and the security functions are lax, there’s some real privacy concerns that could stem from that,” he said.

[email protected]

Bruce DePuyt
Bruce DePuyt spent nearly three decades on local television, including 14 years as executive producer and host of News Talk on NewsChannel 8 in the Washington, D.C., area. He has served as reporter, anchor and producer/host of 21 This Week in Montgomery County and as reporter/anchor at NBC affiliate WVIR-TV in Charlottesville, VA. He's a regular contributor to WTOP (103.5 FM) and frequently moderates community and political events.