Skip to main content
Government & Politics Health Care

Audit: Security breach, staffing concerns contributed to ‘unsatisfactory’ accountability from Md. Medicaid agency

Legislative auditors have raised questions about fiscal accountability at the state Department of Health. File photo by Danielle E. Gaines.

Another audit within a branch of the Maryland Department of Health reveals years of “unsatisfactory” record-keeping that may have resulted in millions of Medicaid dollars improperly paid out for people who did not qualify and a lack of program oversight to ensure that people received adequate health care services, according to a Tuesday report from the Office of Legislative Audits.

The audit raised several concerns out of the Medical Care Programs Administration, which largely oversees the implementation of Medicaid in the state, from August 2018 through March 2022, during the administration of former Gov. Larry Hogan (R). The audit evaluated how the agency monitored the low-income federal health care assistance program.

“We determined that MCPA’s accountability and compliance level was unsatisfactory, in accordance with the rating system we established in conformity with State law,” the audit concluded.

This audit comes just days after the state Department of Health received a scathing report which said the department had a “pervasive lack of documentation.” That OLA audit identified some $1.4 billion dollars in potential federal revenue that is currently unaccounted for and could result in a shortfall that exacerbates concerns about a tight budget in the upcoming fiscal year, Maryland Matters previously reported.

The Tuesday report on the MCPA adds to those previous audit issues, with findings of improper Medicaid payments, inadequate oversight of program services, and potentially paying for claims that should have been paid by another entity.

The audit noted two factors that may have contributed to some concerns identified in the report.

One factor is a 2021 ransomware security attack that affected the entire Department of Health’s computer network and disrupted operations for MDH servers, leading not only to difficulties in reporting for the agency but also for the auditors’ review.

Another factor was a large staffing issue at the MCPA, the report notes. As of June 30, 2022, MCPA had 87 vacant full-time positions out of a total of 618, or 14.1% of the workforce.

“Although our audit did not attempt to identify the specific impact of this vacancy rate on MCPA operations, we believe that it may have contributed, at least in part, to the findings in this report…and the resulting rating,” the audit said.

That said, the audit identified several issues in reporting payments and oversight of services.

The OLA’s audit evaluated the operations of the MCPA from August 1, 2018 through March 31, 2022. By the end of fiscal year 2022, the MCPA’s expenditures totaled about $14.1 billion, mostly related to Medicaid operations, according to the audit.

Medicaid is funded through state and federal money, and the MCPA uses a federally certified computer system to pay provider claims and process claims to get federal reimbursement, the audit explains.

The audit raises concerns that certain payments should have been made by a third party. Medicaid is supposed to be the “payer of last resort” that should be used to “pay costs not covered by other, such as third-party insurers,” the audit notes. Referrals from third-party liability vendors, such as a health care provider or the Department of Human Services, are to be recorded in a federally approved computer system for verification and evaluation.

But OLA’s review “disclosed that only 180,000 [12%] of the 1.5 million referrals the vendor submitted between January 2021 and June 2022 were actually recorded” in the computer system. Because thousands of claims were not logged and reported, those claims were not subject to review by the MCPA to determine “whether any portion of the claim should have been paid by another entity.”

Another concern: the MCPA did not have an effective process to identify and recover questionable Medicaid payments.

The audit found that $7.1 million in Medicaid payments may have been improperly paid on behalf of people who did not qualify for such claims, including thousands of people who were incarcerated or deceased.

Medicaid only covers certain fee-for-service claims for incarcerated individuals, usually related to inpatient hospital care, the report notes. But the audit identified $3.5 million in claims improperly made on behalf of 1,954 recipients who were incarcerated at time of service. Another $3.5 million payments were made for care to people who were dead at the time of service.

The audit recommends that the MCPA implement an efficient process that identifies and prevents questionable Medicaid payments, so that these improper claims payments are less likely to occur.

There also were instances where MCPA did not process Medicaid eligibility changes accurately and timely, the audit found. The MCPA reports that the issue likely occurred as a result of the 2021 ransomware security attack.

The audit raised additional concerns about how adequately MCPA provided oversight to ensure that people received needed services.

Elderly or disabled people who would otherwise live an assisted living facility can use a service called the Community First Choice program to continue to live in their own homes. They are supposed to receive assistance with daily living activities from aides and nurse monitoring providers, under agreements with MCPA.

But the agency did not have an established process to ensure that “nurse monitors were properly evaluating the quality of personal assistance services provided.” The OLA’s analysis found that of 10,082 people receiving personal assistance services in November 2022, 19% were more than 60 days overdue for their nurse monitoring visit. That analysis also found 901 individuals who were a whole year overdue for their visit.

Some of these issues, such as the lack of oversight on the Community First Choice services, were identified in an audit of the agency in a 2019 report.

In a response to the audit, current Maryland Secretary of Health Dr. Laura Herrera Scott, said that the Department of Health and MCPA are working on addressing the issues.

“The report identifies a number of areas for improvement in MCPA policies and procedures,” she said in a letter to Office of Legislative Audits. “As the report notes, some of the findings can be attributed to staffing challenges and challenges relating to the 2021 network security incident. As you will see from our responses, MDH and MCPA are taking a number of actions to address these findings and strengthen MCPA.”

Since the more recent audit was conducted, the Maryland Department of Health has worked towards addressing some of the issues raised in the report to improve reporting measures, implement stronger program oversight, and evaluate questionable Medicaid payments, according to the MDH’s response to the audit’s findings.


Our stories may be republished online or in print under Creative Commons license CC BY-NC-ND 4.0. We ask that you edit only for style or to shorten, provide proper attribution and link to our website. Please see our republishing guidelines for use of photos and graphics.

If you have any questions, please email editor Danielle Gaines at [email protected].

To republish, copy the following text and paste it into your HTML editor.


Creative Commons License AttributionCreative Commons Attribution
Audit: Security breach, staffing concerns contributed to ‘unsatisfactory’ accountability from Md. Medicaid agency