COLUMBIA, S.C. — Nearly a quarter of all Medicaid patients in South Carolina had some of their personal information stolen by an employee who compiled the data over several months and sent it to his private email account, state Health and Human Services Director Anthony Keck said Thursday.
The employee was fired last week, and a criminal investigation has begun. But the worker still hasn't told authorities what he planned to do with the information from more than 228,000 people, Keck said.
At least 22,600 of the people had their Medicaid ID numbers, which are linked to their Social Security numbers, taken. Others had their names, addresses, phone numbers and birth dates stolen.
"I've woken up every morning for the past week praying somehow I could find a reason or the individual who committed the act would tell us this is just a big mistake," Keck said.
But the director said that seems doubtful. The worker on 17 different occasions since the end of January collected the information into a spreadsheet and sent it to himself in an email. He was caught by the newly-created state Inspector General's office as it checked on employees with poor performance reviews. This worker was flagged because claims weren't being processed fast enough, Keck said.
Keck and State Law Enforcement Division Director Mark Keel refused to identify the worker or say how long he had been with the agency, which employs more than 1,200 people. Keck did say he was a project manager.
Letters will be sent next week to the 228,435 people on Medicaid whose data was taken. They will all be offered identity theft help. Anyone with questions can call 888-829-6561 or go online at www.myscmedicaid.org, Keck said.
The security breach could also inadvertently lead to more fraud. Authorities are urgently reminding people that the state will only send out letters. Gov. Nikki Haley personally appeared at the news conference Thursday to warn residents that anyone calling and asking for personal information is probably a scammer.
"If anyone contacts you by phone, do not give any information out. This is the time we have to be the most careful," Haley said.
About 90 percent of the affected people live in Allendale, Bamberg, Barnwell, Lexington, Orangeburg and Richland counties, but Keck said the information was stolen from people in all of the state's 46 counties.
Keel released little information about SLED's investigation into the data breach. He said the worker gave the information to at least one other party. The information could be valuable to identity thieves, but could also be used to make fraudulent Medicaid claims, Keck said.
The Department of Health and Human Services immediately increased security measures and has hired a firm to review the agency's computer and data security.
"The department was not sufficiently requiring that employees justify their need for this type of information," Keck said.
The incident has led Haley to ask Inspector General Jim Martin to review security information in all 16 South Carolina cabinet agencies. "We are going to hold every one of our agencies accountable," Haley said.Comment on this story
Keck estimates it will cost his agency around $1 million to hire the firm that is contacting the affected patients and offering the personal information protection. He figures the security review and upgrade will cost up to $500,000. The state could also face federal penalties for violating patient confidentiality laws. The maximum fine is $1.5 million, but that amount can be reduced depending on how hard the state works to limit the breach, investigate how it happened and prevent it from happening again.
Keck said the agency has managed to cut costs enough during his first year in office so that officials won't need to ask lawmakers for more money.
He apologized several times to the people affected by the data breach and to taxpayers. Keck called it the most troubling event of a career that included working to help people in Louisiana during hurricanes and the BP oil spill.
"I think all of us within the agency are deeply disappointed that it was somebody internal to the agency who betrayed us and the beneficiaries," Keck said. "We're deeply disappointed and apologetic we weren't able to stop it."