Agencies renew focus on security following HHS security breach

Gov. Nikki Haley says she'll hold supervisors accountable.

WEST COLUMBIA — The greatest threat to South Carolinians' personal information now likely comes from the state agencies that keep it, department directors said Monday.

The issue jumped into the spotlight last month following the discovery of a massive breach at the S.C. Department of Health and Human Services.

An employee working for the state's Medicaid program was fired and arrested after being accused of transferring 228,435 beneficiaries' personal data to his private email account and at least one other party.

“The gap has been closed,” HHS Director Tony Keck said at a meeting of Gov. Nikki Haley's Cabinet. But “what is increasingly being found nationally is that these gaps are not technological gaps but more gaps in physical security.”

Keck's agency and others in Haley's purview are placing a new emphasis on internal safeguards in the wake of the breach.

“Yes our mission is to run the agencies, but our first mission is to protect the people,” Haley said.

At HHS, a three-week independent audit of the agency's security procedures and technology will begin soon.

And at several other agencies, leaders are requiring employees to take additional training on security and privacy law in addition to re-signing a confidentiality policy annually, among other steps.

For example, Department of Labor, Licensing and Regulation Director Holly Pisarik said her agency has blocked access from the agency to all employees' personal email accounts and locked computers' USB ports. The ports can be used to quickly transfer information to a portable device.

Employees now will have to receive clearance from their bosses to use the ports.

S.C. Inspector General Jim Martin is in the process of meeting with each Cabinet agency to go over their security safeguards and suggest improvements.

Still, S.C. Department of Social Services Director Lillian Koller said, agencies will be hard-pressed to thwart employees determined to steal information.

“If somebody wants to do this, they're going to do it,” she said.

Haley made it known she'll hold supervisors accountable if their employees pull off a system breach, saying supervisors will be fired if it happens on their watch.

The governor said authorities have not determined whether any other employees at HHS will be fired, because an investigation into the breach is ongoing.

Comptroller General Richard Eckstrom, who is not part of Haley's Cabinet, attended Monday's meeting and disagreed with the governor's stance.

A supervisor should be terminated only if he or she is shown to have acted incompetently or negligently, not automatically, he said.

“He has his agency, and I have my Cabinet,” Haley later responded while meeting with reporters.

“When I see something go wrong in my Cabinet agencies, supervisors are held responsible. That is why they get extra pay, because they are responsible for everyone under them.”

Reach Stephen Largen at 864-641-8172 and follow him on Twitter @stephenlargen.