Finding 1155732 (2024-001)

Material Weakness, Repeat Finding
Requirement: N
Questioned Costs: -
Year: 2024
Accepted: 2025-09-26
Audit: 368028
Organization: Centra Health, Inc. (VA)
Auditor: BDO USA PC

AI Summary

  • Core Issue: Centra's written information security program does not meet all minimum requirements of the GLBA Safeguards Rule (16 CFR 314).
  • Impacted Requirements: Two of the seven required program elements are in place (a designated qualified individual, 16 CFR 314.4(a), and a risk assessment, 16 CFR 314.4(b)); the remaining five elements, 16 CFR 314.4(c)–(g), were only partially implemented as of December 31, 2024. This is a repeat of prior year finding 2023-001.
  • Recommended Follow-Up: Centra should maintain the internal controls and administrative oversight needed to complete 16 CFR 314.4(c)–(g): design and implement safeguards, regularly test and monitor them, ensure staff can carry out the program, oversee service providers, and adjust the program based on test and monitoring results.

Finding Text

Information on the Federal Program – Federal Pell Grant Program (ALN: 84.063) and Federal Direct Stafford Loans (ALN: 84.268)

Criteria or Specific Requirement – N. Special Tests and Provisions. The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data (16 CFR 314). The Federal Trade Commission considers Title IV-eligible institutions that participate in Title IV Educational Assistance Programs to be "financial institutions" subject to the GLBA because they appear to be significantly engaged in wiring funds to consumers. Under an institution's Program Participation Agreement with the Department of Education (ED) and the GLBA, institutions must protect student financial aid information, with particular attention to information provided to institutions by ED or otherwise obtained in support of the administration of the federal student financial aid programs. Accordingly, institutions are required to develop, implement, and maintain a written comprehensive information security program.

Condition – During our audit procedures, we noted that Centra's written information security program did not meet all minimum requirements of the GLBA and therefore was not fully in compliance with the requirement.

Cause – Insufficient internal controls and administrative oversight with respect to the Special Tests and Provisions (N) compliance requirement.

Effect or Potential Effect – Centra is not fully in compliance with the GLBA requirement for the year ended December 31, 2024.

Questioned Costs – None.

Context – Centra had designated a qualified individual responsible for overseeing, implementing, and enforcing an information security program (16 CFR 314.4(a)) and had completed the risk assessment (16 CFR 314.4(b)), as required by the GLBA. However, the remaining five elements of the GLBA (16 CFR 314.4(c)–(g)) were still being implemented as of December 31, 2024; as of that date, five of the seven elements were partially implemented.

Repeat Finding – This is a repeat of prior year finding 2023-001.

Recommendation – We recommend that Centra maintain appropriate internal controls and administrative oversight in order to fully comply with the GLBA requirements of 16 CFR 314.4(c)–(g). This would include (i) assessing, designing, and implementing safeguards; (ii) regularly testing and monitoring the safeguards; (iii) ensuring the ability to enact the information security program; (iv) overseeing service providers; and (v) adjusting the program in light of the results of testing and monitoring.

Views of Responsible Officials – Centra management agrees with this finding and is in the process of implementing a corrective action plan.

Corrective Action Plan

Name of Contact Person Responsible for Corrective Action: John Hunt, Centra Health Corporate Director, Information Security and Disaster Recovery, 561-613-7342, john.hunt@centrahealth.com

Anticipated Completion Date: December 31, 2025

Corrective Action: 2024-001 – Special Tests and Provisions

As part of our ongoing GLBA compliance efforts, we completed a comprehensive risk assessment on December 24, 2024. The assessment identified and ranked risks based on likelihood and potential impact to sensitive financial and customer information. In alignment with GLBA's requirement to safeguard non-public personal information, our program has prioritized remediation and monitoring efforts toward the highest-risk control items identified. Key focus areas include:

  • Implementing multi-factor authentication for all privileged access, including access to sensitive back-end IT equipment and web application access.
  • Implementing a vulnerability management program that includes a regular scan of all systems on the network and a programmatic review of the resulting list of vulnerabilities to ensure that systems are reconfigured and patched to address risk to the organization in order of criticality.
  • Developing a comprehensive Incident Response Plan that is tested and reviewed at least annually or whenever significant changes to procedures are introduced.
  • Updating Centra's third-party risk management procedures to include periodic review of supplier performance, appropriateness of information security and data protection controls, and compliance with required controls.
  • Improving security awareness training with specialized training for specific higher-risk roles in the organization.

We continue to make progress on 314.4(d)–(g) controls: safeguards have been designed and implemented for high-risk areas, and ongoing testing, training, vendor oversight, and program evaluation are being conducted. Some lower-priority improvements remain in progress, consistent with our risk-based approach and remediation roadmap. These initiatives are tracked, resourced, and scheduled, ensuring that residual gaps are closed in alignment with GLBA requirements.

Categories

  • Student Financial Aid
  • Subrecipient Monitoring
  • Internal Control / Segregation of Duties
  • Special Tests & Provisions

Other Findings in this Audit

  • 1155731 2024-001
    Material Weakness Repeat

Programs in Audit

ALN     Program Name                     Expenditures
84.268  Federal Direct Student Loans     $1.39M
84.063  Federal Pell Grant Program       $594,519
84.425  Education Stabilization Fund     $418,211