GAO calls out CMS, other agencies for inconsistent data breach practices

A General Accounting Office (GAO) report takes several federal agencies to task, including the Centers for Medicare & Medicaid Services (CMS), for inconsistently implementing policies and procedures when responding to a data breach involving personally identifiable information (PII).

GAO also reported that agency officials have said that the Department of Homeland Security’s role of collecting information and providing assistance on PII breaches has yielded few benefits. The report is the product of performance audits conducted between November 2012 and November 2013.

Agencies generally developed policies and procedures for PII-related breaches, but implementation was inconsistent, the OIG found. In the case of CMS, the agency generally documented neither the risk levels for breach incidents nor the rationale for its risk determinations. Overall, CMS did not document 56 out of 58 incidents reviewed by the office, according to the report.

Moreover, OIG found that CMS did not always document the number of affected individuals for each incident, so it “runs the risk of improperly assessing the likely risk of harm associated with each incident.”

CMS, among other agencies, documented remedial actions, such as training and technical measures, but did not include an analysis of lessons learned.

“Without more specific guidance on addressing and documenting lessons learned, these agencies are at risk of experiencing similar data breaches in the future and possibly suffering adverse effects that might have been prevented,” according to the report.
