COLUMBIA, S.C. — (April 19, 2012) During an agency performance review, the South Carolina Department of Health and Human Services (SCDHHS) discovered last week that an employee working within the Medicaid program inappropriately transferred personal information of 228,435 Medicaid beneficiaries to his personal email account, constituting a violation of agency policy.
The department discovered the transfers on Tuesday, April 10 and immediately contacted the South Carolina Law Enforcement Division to investigate the incident and also informed other state and federal agencies. The employee, who worked in Columbia, was terminated last week. It is not yet known why the individual sent the information to his personal email account but law enforcement is actively investigating.
The transferred information was contained in 17 spreadsheets dating back to January 31, 2012 and included: names, phone numbers, addresses, birth dates and Medicaid ID numbers. Importantly, no private medical records or financial information was transmitted. In 22,604 of the cases, Medicare numbers, which contain Social Security numbers, were also linked to beneficiaries’ names. More than 90% of the affected beneficiaries live in six counties: Allendale, Bamberg, Barnwell, Lexington,Orangeburg and Richland.
“Our department is entrusted with personal information for hundreds of thousands of individuals, and it is our duty to secure that information,” SCDHHS Director Anthony Keck said. “We are disappointed that one of our own would violate that trust and are deeply apologetic for not preventing the inappropriate release of this information.”
The agency is sending personal letters to all affected beneficiaries notifying them of this incident and explaining how to protect their information moving forward. Beneficiaries can also find more information at www.myscmedicaid.org. Those receiving letters should call 1-888-829-6561. Although no health information was released, to address the possibility of identity theft and to give beneficiaries peace of mind, SCDHHS is making available a free year of identity protection services to every affected individual through Experian’s ProtectMyID Alert. This service includes:
- A free credit report;
- Daily credit monitoring to detect any suspicious activity;
- A $1 million identity theft insurance policy.
The public is urged to be aware of scams. Aside from the letter to affected beneficiaries, SCDHHS will never call or otherwise contact those affected asking for your personal information. Beneficiaries are advised to never give out their Social Security numbers or other identifying information to people they have not personally contacted. Since the transfers were discovered, SCDHHS has taken several steps to safeguard beneficiaries’ personal information and strengthen agency policies and procedures, including:
- SCDHHS has created a website at www.myscmedicaid.org to answer questions from beneficiaries and help them enroll in the free protection services.
- SCDHHS has established a toll-free call center at 1-888-829-6561 for affected Medicaid beneficiaries.
- SCDHHS is placing print and radio advertising throughout the state as well as reaching out to local organizations and the provider community to help make beneficiaries aware of the incident and the services available.
- All files and computers where this information may have been stored have been impounded bylaw enforcement.
- SCDHHS has frozen access to aggregate personally identifiable health information for much of its staff.
- Additionally, SCDHHS has hired an external IT security firm to conduct an external risk assessment of its data and IT systems security.
SCDHHS has established a special website with updates and Q&As about the incident: www.myscmedicaid.org.
The toll free call center is available seven days a week for beneficiaries to check if their personal information is affected: 1-888-829-6561 (9 a.m. - 9 p.m. M-F; 11 a.m. - 8 p.m. Sat.-Sun.)
The South Carolina Department of Consumer Affairs (1-800-922-1594) can assist the public with general questions concerning potential identify theft.