(Updated with arrest information)
The South Carolina Department of Health and Human Services (SCDHHS) says it discovered last week that an employee working within the Medicaid program inappropriately transferred the personal information of more than 228,000 Medicaid beneficiaries to his personal email account, constituting a violation of agency policy.
The department says it discovered the transfers on April 10 and immediately contacted the State Law Enforcement Division to investigate the incident and also informed other state and federal agencies.
The terminated employee, 36-year-old Christopher Lykes of Swansea, was arrested by SLED this afternoon and charged with five counts of violating confidentiality protected by the Medically Indigent Act and one count of disclosure of confidential information.
Officials say they do not yet know why Lykes sent the information to his personal email account but law enforcement is actively investigating. SLED Director Mark Keel says they know that at least one other person recieved the data downloaded by Lykes.
The transferred information was contained in 17 spreadsheets dating back to January 31 and included: names, phone numbers, addresses, birth dates and Medicaid ID numbers. A SCDHHS announcement said no private medical records or financial information was transmitted. In 22,604 of the cases, Medicare numbers, which contain Social Security numbers, were also linked to beneficiaries’ names. More than 90% of the affected beneficiaries live in six counties: Allendale, Bamberg, Barnwell, Lexington, Orangeburg and Richland.
“Our department is entrusted with personal information for hundreds of thousands of individuals, and it is our duty to secure that information,” SCDHHS Director Anthony Keck said. “We are disappointed that one of our own would violate that trust and are deeply apologetic for not preventing the inappropriate release of this information.”
The agency says it is sending personal letters to all affected beneficiaries notifying them of this incident and explaining how to protect their information moving forward. Beneficiaries can also find more information at www.myscmedicaid.org. Those receiving letters should call 1-888-829-6561.
Although no health information was released, to address the possibility of identity theft and to give beneficiaries peace of mind, SCDHHS is making available a free year of identity protection services to every affected individual through Experian’s ProtectMyID Alert. This service includes a free credit report, daily credit monitoring to detect any suspicious activity, and a $1 million identity theft insurance policy.
The public is urged to be aware of scams. Aside from the letter to affected beneficiaries, SCDHHS will never call or otherwise contact those affected asking for your personal information. Beneficiaries are advised to never give out their Social Security numbers or other identifying information to people they have not personally contacted.
All files and computers where this information may have been stored have been impounded by law enforcement. SCDHHS has frozen access to aggregate personally identifiable health information for much of its staff. Additionally, the agency has hired an external IT security firm to conduct an external risk assessment of its data and IT systems security.
SCDHHS has created a website at www.myscmedicaid.org to answer questions from beneficiaries and help them enroll in the free protection services. It has established a toll-free call center at 1-888-829-6561 for affected Medicaid beneficiaries.
The South Carolina Department of Consumer Affairs (1-800-922-1594) can assist the public with general questions concerning potential identify theft.