COLUMBIA — Almost a quarter-million South Carolinians now must worry about their identities being stolen after a breach of their personal information with the state Medicaid agency.
The agency’s leader said better safeguards should have been in place to prevent the intrusion, a mistake that could cost state taxpayers $1 million.
The S.C. Department of Health and Human Services announced Thursday that an employee working for the Medicaid program inappropriately transferred 228,435 beneficiaries’ personal information to his personal email and at least one other party.
The vast majority of victims aren’t from the Lowcountry.
The transfer was a violation of agency policy along with state and federal law, an act Gov. Nikki Haley termed “probably the most despicable thing we can ever expect to happen in state government.”
Tony Keck, the director of DHHS, which administers the federal Medicaid program in the state, said the transfer was discovered April 10 during an agency performance review.
The employee, 36-year-old Christopher Lykes of Swansea, was fired the next day.
“Our department is entrusted with personal information for hundreds of thousands of individuals, and it is our duty to secure that information,” Keck said.
“We are disappointed that one of our own would violate that trust and are deeply apologetic for not preventing the inappropriate release of this information.”
Medicaid primarily serves the poor and disabled.
On Thursday afternoon, Lykes was arrested by the S.C. Law Enforcement Division and booked at the Richland County Detention Center.
He was charged with five counts of violating the Medically Indigent Act and one count of disclosure of confidential information.
His bail was set at $100,000.Lykes was an executive committeeman to the S.C. Democratic Party from Lexington County until last month when his term expired, according to the party’s executive director Amanda Loveday.
SLED confirmed that at least one other party received the information Lykes transferred to his email, but did not elaborate.
Keck said the information Lykes transferred dates back to January and included names, phone numbers, addresses, birth dates and Medicaid ID numbers.
No private medical records or financial information was transmitted, DHHS said.
In 22,604 of the cases, Medicare numbers, which contain Social Security numbers, were also linked to beneficiaries’ names, according to the agency.
Medicare is a separate program that serves seniors rather than the poor and disabled.
More than 90 percent of the beneficiaries affected by the breach live in six counties: Allendale, Bamberg, Barnwell, Lexington, Orangeburg and Richland.
SLED Chief Mark Keel and Keck declined to provide specifics of the SLED investigation into the breach or Lykes’ tenure at DHHS at a Thursday morning news conference, citing an ongoing investigation.
DHHS said other state and federal agencies have been alerted to the breach, and Keck said in an interview that he expects the U.S. Department of Health and Human Services Office for Civil Rights to launch an investigation of the state.
The federal agency will determine if the state should be fined based on any willful neglect the agency finds and the aggressiveness of the state’s response to the breach, Keck said.
To that end, the agency is sending letters to all affected beneficiaries, who can also find more information at www.myscmedicaid.org. Individuals who receive letters are advised to call 1-888-829-6561.
Keck and Haley emphasized that the state will not call those affected by the breach, and Medicaid beneficiaries should be on guard against potential scammers.
DHHS will provide a year of free identity protection services to affected beneficiaries.
Agency spokesman Jeff Stensland said notifying those affected and providing the protection services could cost the state upwards of $1 million.
Haley, Keck and S.C. Inspector General Jim Martin said the state will take significant steps to add more safeguards against potential breaches of sensitive electronic data.
“We expect this to be handled swiftly,” Haley said. “We are going to make sure that the proper people are prosecuted and we’re going to make sure that this doesn’t happen again.”
Haley tasked Martin with closing loopholes similar to the one Lykes allegedly exploited in other state agencies.
Keck said that in hindsight, his agency relied too much on “internal relationships as our security system.”
“Standard policy dictates that you have processes in place to review these types of requests for information,” he said. “In this case, we did not have that.”
Given his position in the agency, Lykes had no known need for the volume of information on Medicaid beneficiaries he transferred, Keck said.
Keck said his agency has greatly reduced the number of people that have access to the personal information of Medicaid beneficiaries in the wake of the breach.
“Every time that this information gets requested, it will go through a review process,” he said. “We think that it will be a strong deterrent.”
Reach Stephen Largen at 864-641-8172 and follow him on Twitter at @stephenlargen
For those affected by the security breach:The state will notify you by mail if your personal information was part of the breach.The state will not call you about the breach or to seek any of your personal information. If you receive a call from someone claiming to represent the state, hang up.The state will provide a year of free identity protection services to affected beneficiaries who want it.You can find more information at www.myscmedicaid.org. Individuals who receive letters are advised to call 1-888-829-6561.