Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Audit of the Plymouth County Sheriff’s Department - A Review of Healthcare and Inmate Deaths (March 15, 2023)

March 15, 2023 · Plymouth County Sheriff's Department · Read the full official report on mass.gov ↗

Published March 15, 2023 Audit covers July 1, 2019 – June 30, 2021 Under Diana DiZoglio · 2023–present

In plain English
Auditors checked Plymouth County Sheriff’s Department healthcare, sick-call handling, intake medical checks, vendor oversight, and inmate death procedures for 2019-2021. They did not find major reportable noncompliance, but they did flag weak IT controls.
source
“Our audit revealed no significant instances of noncompliance by PCSD that must be reported under generally accepted government auditing standards.”
Read the plain-English breakdown
What is this?

This is a Massachusetts State Auditor performance audit of the Plymouth County Sheriff’s Department, focused on inmate healthcare and deaths during the audit period.

“I am pleased to provide this performance audit of the Plymouth County Sheriff’s Department.”
Why was it audited?

The audit was done to see whether the department followed required rules for inmate deaths, healthcare vendor meetings, medical intake screenings, physical exams, and responses to sick-call requests.

“Below is a list of our audit objectives, indicating each question we intended our audit to answer and the conclusion we reached regarding each objective.”
Why it matters

County jails hold people in government custody, so the public has an interest in whether inmates receive required medical care and whether deaths are handled properly and documented.

“A death in custody is one that occurs during this period of incarceration.”
What's in it for me?

For residents, this report is a check on whether a public law-enforcement agency is operating safely, spending public money under oversight, and protecting people in custody.

“According to PCSD’s Internal Control Policy 301, its mission is to “protect the public from criminal offenders by operating a safe, secure and progressive correctional facility while committing to crime prevention awareness in the community.””
The bottom line

The main audit areas passed: the auditor concluded the department met the reviewed requirements. The important exception is that the auditor said the department needs stronger IT policies, planning, training, and user-access controls.

“Our audit revealed no significant instances of noncompliance that must be reported under generally accepted government auditing standards.”
What happens next

The report says the department should act quickly to strengthen controls over its computer systems, including continuity planning, disaster recovery, cybersecurity training, and review of user permissions.

“In the opinion of the Office of the State Auditor, PCSD should take immediate measures to improve the internal controls over its IT systems.”
Why it's significant

The audit’s biggest warning is not about the sampled healthcare work, but about technology risk: weak IT controls can make sensitive jail and medical information easier to misuse or attack.

“Inadequate or nonexistent controls make the information in PCSD’s IT systems more vulnerable to unauthorized access and use by employees and to cyberattacks that could result in financial and/or reputational losses.”
Jargon, unpacked

CorEMR means the electronic medical record system used for inmate health information. OMS means the system used to track inmate custody and booking information. A sick call is how an inmate asks for healthcare.

“The Correctional Electronic Medical Records (CorEMR) System is a Web-based application that is used to record all health-related inmate information such as medical history, treatments, mental health status, medications, and scheduled appointments.”

What the Auditor checked

What the Auditor found

PCSD lacked adequate written policies, continuity plans, cybersecurity training, and user-rights reviews for its IT systems.
cybersecurityinternal controls

Why it matters: Inadequate or nonexistent controls increase the risk of unauthorized access, cyberattacks, and financial or reputational losses.

Standard: National Institute of Standards and Technology Special Publication 800-53r5 ( National Institute of Standards and Technology’s Special Publication 800-53r5; National Institute of Standards and Technology Special Publication 800-53r5 )

1 recommendation
  • PCSD should take immediate measures to improve the internal controls over its IT systems.

More audits of this entity

Other Office of the State Auditor reports on Plymouth County Sheriff's Department .

See this entity's page with all 2 audits →