Audit: Md. inmates had access to patients’ Social Security numbers

Maryland prison inmates were allowed access to the Social Security numbers and other personal information of participants in the state’s Medicaid program, a new state audit reveals. Participants in Maryland Correctional Enterprises, a program that provides eligible inmates with work experience or rehabilitation, were tasked with entering health insurance claims submitted by doctors under the state’s Medicaid program into a Department of Health and Mental Hygiene database.

The Medical Care Program Administration of the Department of Health and Mental Hygiene relied primarily on prisoners to input roughly 900,000 paper Medicaid claims, totaling $265 million, over the course of 11 months, a 2010 audit of the agency found. For its speedy data entry process, the state received $750 million in federal stimulus funding in fiscal 2010. In the same year, the agency spent about $6.8 billion on 881,000 Maryland residents.

After that audit, patients’ Social Security numbers were redacted by a software program. However, the software redacted the information only when it was located in the upper-right portion of the forms, according to the new audit released Tuesday. When Social Security numbers appeared elsewhere on forms between Jan. 5, 2009, and July 31, 2011 — the period examined by the auditors — the software let the information through.

That finding shows that the program violated a state law passed in May 2011, said Legislative Auditor Bruce Myers. Drafted after the 2010 audit discovered that inmates had access to the patient information, the law prohibits Maryland Correctional Enterprises from giving inmates access to Social Security numbers or financial information.

However, the error happened infrequently — only when a doctor mistakenly put a Social Security number in the wrong place on a form and on only three of the 3,000 forms inmates entered for two days in July 2011, according to Rick Binetti, spokesman for the Department of Public Safety and Correctional Services.

In addition, it is highly unlikely that the inmates were able to retain the information they were exposed to, he said. Security in the room where data entry occurred included four cameras and staff walking around the inmates at all times.

“Any recording of information by inmates off of these forms would have been noticed and caught,” he said.

Between July 1, 2010, and June 30, 2011, inmates processed almost 800,000 forms, according to Binetti.

The Maryland Correctional Enterprises agreement with DHMH began on July 1, 2003, and ended on Nov. 1, 2011, after Maryland Correctional Enterprises said it could not prevent inmates from accessing personal information.

DHMH spokeswoman Dori Henry said she did not believe that the people whose information was compromised have been notified.
