Arrest in S.C. Medicaid Info BreachState Worker Allegedly Took Information on 228,000 Patients
A former South Carolina state employee has been arrested for allegedly transferring personal information about more than 228,000 Medicaid recipients to his personal e-mail account.
See Also: HIPAA Audits: A Revised Game Plan
The information inappropriately transferred in the breach incident, according to the South Carolina Department of Health & Human Services, includes names, phone numbers, addresses, birth dates and Medicaid ID numbers. For almost 23,000 of the affected patients, Medicare numbers, which contain Social Security numbers, also were transferred. No private medical records or financial information was involved, authorities say. Nevertheless, the state is offering all those affected a year's worth of free identity protection services.
The former state worker has been charged with five counts of Medically Indigent Act confidentiality violations and one count of disclosure of confidential information, according to WMBF News.
A statement on the Department of Health and Human Services website acknowledges that the employee involved in the inappropriate transfer of information was fired.
Tony Keck, department director, told WMBF that the transfer of information started in January and ended three weeks ago. "The information was not readily available, but it was available to him [the employee] through a normal reporting process, and that's where we've identified a security lapse that the department was not sufficiently requiring employees to justify their need for that information," Keck says. "That is a fairly easy lapse to close and we've done that."
The state health department has hired an external IT security firm to conduct a risk assessment of its data and IT systems security, according to the department's statement.
In another recent security incident involving Medicaid patients, as many as 780,000 Utah residents were affected when hackers accessed data on a state server.