South Carolina Health and Human Services Director Tony Keck says the revelation that one of his workers compromised the identities of 20 percent of his statewide clients is “one of the most troubling in my career.”
That’s not to be taken lightly for someone who had a key role in Louisiana’s response to Hurricane Katrina and the BP Gulf of Mexico oil spill.
“I think all of us within the agency are deeply disappointed that it was someone internal to the agency,” said Keck.
“It sickens me that we have worked so hard to restore the public trust in this agency and work our way out of fiscal troubles to have this happen from within,” he told South Carolina Radio Network.
Keck then laid out how his agency and the state has responded to try to protect the affected clients and to safeguard against this happening again, including:
- called in SLED, who seized the office and personal computers of former employee Christopher Lykes and is questioning him about his intent in gathering patient information. Subpoenas have been issued to track Lykes’ communications.
- Suspended access to large files and reports that have personally identifiable information to “all but the most essential positions in the agencies” while they review their policies and workflow.
-Developed additional health information procedures to require that only program management and data staff review and approve data requests. “This is an auditable system where we can …make sure the information is being used properly.
- Hired an external IT security firm to audit the agency. Preliminary audits were completed this week.
- Began extra monitoring of all claims made for the 228,000 compromised individuals to catch any unusual activities and possible fraud.
-Purchased a year of identity protection for each compromised person to cover free credit report, daily credit monitoring, agents to assist and a $1 million insurance policy to help victims to recover the costs of identity theft
- Set up a special hotline for client concerns at 888-829-6561, sent letters to all affected.
-Notified state and federal agencies including federal HHS, CMS, the FBI and the Office of Civil Rights.
-Review of all software security settings.
Other remedies are being added, says Keck. Four months ago, he asked the University of South Carolina Institute for Family and Societies to make recommendations about data management. Though they were not asked to study security, one of their ideas is being activated immediately— a triage request form for all sensitive data.
Keck says he expects federal civil rights officials as well as the SC Department of Consumer Affairs to investigate the incident as well.