Sen. Seminara: “Every taxpayer dollar is precious.”

September 13, 2023

Audit finds state Department of Social Services must improve financial management
DSS paid benefits to deceased clients and failed to report data breach

Hearst CT

In a highly critical report released Tuesday, state auditors found the state Department of Social Services lacked effective financial management and internal controls, and failed to comply with laws, regulations and policies.
The audit, which was critical of the department’s internal controls over management and financial functions, covered three state fiscal years: 2019, 2020 and 2021.

After reviewing 10 death alerts filed with the state, the auditors said DSS issued $114,930 in benefits to six residential care facilities on behalf of eight deceased clients. “DSS did not recoup these benefits,” the auditors noted.
The auditors pointed out DSS issued $5,530 in benefits for one of those deceased clients.

“We noted that the client was from a single-person household and an unauthorized individual used their benefits for $4,706 in purchases,” the auditors said.

“The Department of Social Services should strengthen internal controls to ensure it issues benefits in the correct amount on behalf of eligible clients,” auditors said. “The department should record deceased clients’ date of death and close the case file promptly upon verification that the client died. The department should recoup benefits issued to deceased clients and residential care facilities.”

In its response, DSS agreed with the findings and pledged to better update lists containing death information and said it would “work to find solutions to correct the process.”

Data breach

Auditors said two unreported data breaches of client protected health information involved a phishing scam that affected 58,964 clients and 21 employees and contractors. The other breach was a mailing incident that affected one client, they said.

“The Department of Social Services should promptly notify the Auditors of Public Accounts and the State Comptroller of any breach of security or loss of state funds,” the auditors said.

DSS said it properly responded to the data breach and that no information had been disclosed. “The Department acted upon notice of the data breach,” DSS explained.

“An extensive forensic review was conducted that did not find evidence that client information had been disclosed,” DSS explained. “The Department notified the affected clients to offer identify-theft protection services and notified the United States Department of Health and Human Services Office of Civil Rights. The Department agrees that the Auditors of Public Accounts (APA) was not notified timely of this incident and will notify the APA should this occur in the future.”

Auditors found that DSS paid benefits to six residential care facilities for clients who were deceased and failed to report a data breach involving personal health care information for nearly 59,000 clients.

In a formal response included in the findings by the Auditors of Public Accounts, DSS officials denied that any client information was disclosed and pledged to strengthen its systems so benefits are not paid to deceased clients.

State Sen. Lisa Seminara, R-Avon and a ranking member on the human services committee, expressed concern over the data breach.

“With the prevalence of hacks and cybersecurity threats these days, it is disappointing to learn that the agency did not report multiple data breaches of highly sensitive information to state auditors as the law requires,” Seminara said. “Data privacy protection must be a top priority for the agency going forward.”

A DSS spokesman did not immediately respond to a request for further comment on the audit’s findings.

Internal controls needed

DSS objected to a finding that it did not report $1,799,350 in Medicaid revenue losses for noncompliance with electronic visit verification requirements.

“The Department disagrees with the loss reporting requirement for EVV non-compliance. DSS was aware of the associated decrease in funding due to non-compliance and continued to work to meet the requirements. The financial impact was known, accounted for, and reported accordingly,” DSS noted.

Auditors found that DSS “did not develop procedures to promptly comply with EVV requirements for Medicaid-funded personal care services.”

Seminara said the finding is serious and DSS should have complied with the process.

“Not reporting nearly $2 million in lost revenue was a preventable error,” Seminara said. “As the state auditors note, the department should have filed a loss report, explained the circumstance, and described a corrective action plan. Every taxpayer dollar is precious.”

In another finding, auditors said DSS issued bed capacity reductions of 33 percent, 29 percent and 17 percent to three facilities and approved $5,885,000 in capital expenditures to a nursing facility without requiring a certificate of need.

Additionally, DSS issued payment rates to two residential care homes without a 10 percent penalty for failure to submit annual cost reports, auditors said.

“DSS should strengthen internal controls to ensure compliance with General Statutes regarding bed capacity reductions, capital expenditures, and cost report submissions,” the auditors said.

DSS agreed with the finding.

“Procedures have been established for all requests received,” DSS said it its formal response included in the audit.
Auditors also found that the DSS eligibility system recorded 705 incarcerated clients, 365 deceased clients and 44 state employees or retirees with gross pay that exceeded maximum income limits as eligible for the Supplemental Nutrition Assistance Program [SNAP].

“DSS should strengthen internal controls to ensure that it uses all information from eligibility and income matches to issue the correct amount of SNAP benefits to eligible clients,” the auditors said. “The department should recoup benefits issued to ineligible clients in accordance with its SNAP Claims Management Plan.”
DSS agreed with the finding.

“The Department has conducted a review of the controls related to the processes undertaken when individuals are incarcerated while receiving SNAP benefits,” DSS noted. “During the review, it was noted that there were multiple reasons that could have contributed to the noted deficiencies.”

•Bill Cummings is reporter with Hearst Connecticut Media Group. He is a veteran journalist who first joined the Connecticut Post in 1989 as a town reporter. He has served as a bureau chief, manned the Capitol Bureau, covered Bridgeport City Hall and has since become a statewide investigative reporter.