The report (embedded below) details the lax security:
QSSI had not sufficiently implemented Federal requirements for information system security controls over USB ports and devices. Specifically, QSSI had not: (1) listed essential system services or ports in its system security plan or (2) disabled, prohibited, or restricted the use of unauthorized USB device access. QSSI had not implemented USB security controls because management had not updated its USB control policies and procedures. As a result of QSSI’s insufficient controls over USB ports and devices, the PII of over 6 million Medicare beneficiaries was at greater risk from malware, inappropriate access, or theft.
In other words, anyone could just slip in a flash drive and steal the data. Holy Edward Snowden Batman!
Lax data safety at Quality Software Services, Inc. (QSSI) was deemed a "high" risk in a June probe by federal investigators that revealed the company had failed to stop its employees from connecting unauthorized USB devices to highly sensitive Medicare systems.
QSSI was awarded the general contractor gig without a bidding process on an emergency basis. I am sure it had nothing to do with the fact that the company and its senior officers are credited with over $1 million in donations to President Obama.
The June report by the Health and Human Services (HHS) inspector general revealed that QSSI's inaction allowed workers to connect unsanctioned devices such as iPods to 29 out of the 30 workstations studied, all of which had access to millions of Medicare patients' personal data.
The unhindered access to USB ports raised the possibility that workers could have introduced malware to Medicare's systems or "inappropriately accessed" personally identifiable details, the report stated.
The information of more than 6 million Medicare beneficiaries was at "greater risk from malware, inappropriate access or theft" as a result, wrote HHS assistant inspector general Kay Daily.