The state paid unemployment benefits to some people behind bars, according to an audit that also found other problems in the Maryland Department of Labor, Licensing and Regulation.
The audit of the Division of Unemployment Insurance, which was released Friday, found that the agency did not periodically review whether people getting unemployment benefits were incarcerated, had the same address as others also getting benefits, or were DLLR employees. In a sampling, auditors found that four incarcerated people were paid about $17,700 in benefits between June 2012 and December 2013.
In some cases, the agency ran these periodic checks, but did not review the results, the Department of Legislative Services auditors found.
The agency agreed with the auditors' findings and identified steps to fix the problems. For example, department officials said they hired employees to fully investigate potential overpayments and were using information from the Department of Corrections to identify potential incarcerated beneficiaries.
The unemployment program, which paid $1.2 billion in benefits to about 207,000 people in 2013, is funded mainly through a tax on employers. The maximum benefit was $430 a week for up to 26 weeks as of July 2014.
Auditors also found that when beneficiaries are overpaid, the accounts are not always sent to the state-run collections department. Overpayments occur when the state finds that a beneficiary made a false statement or failed to disclose something to claim benefits.
At the end of 2013, there were about $170 million in overpayments that had not been repaid, about $119 million of which was more than a year outstanding. About $37 million in overpayments was recovered in 2013, auditors found.
The department said it is moving to automate the process of referring such accounts to collections.
Auditors also found lax security to protect sensitive information.
For example, a database with 646,000 names and Social Security numbers was kept unencrypted on a local server, auditors said. Password protections were poor, with the server accessible through a password that hadn't been changed since 2008, and individual employee account passwords were in some cases easily accessible to potential hackers.
The department said it has fixed these problems and started using stronger password protocols.