The state health department has notified more than 1,800 people that they could be at risk of identity theft because medical records in the agency’s control ended up in a public recycling bin.
In a case prompted by The Nerve’s investigative reporting, the S.C. Department of Health and Environmental Control announced the scope of its notification efforts today in a news release.
The number of South Carolinians potentially affected in the breach of their identifying information holds serious implications for DHEC.
It already has led to an investigation by the State Law Enforcement Division; the termination of a DHEC employee the department deemed responsible for the breach; and a change in DHEC’s protocols for handling people’s confidential information.
But the most far-reaching impact of the case for the agency – and the public – involves the notification process.
Federal and state laws designed to protect people against identity theft require DHEC to inform those whose information was in the recycling bin that their personal data could have fallen into the wrong hands.
Identity theft is one of the fastest-growing crimes in South Carolina and nationally, often causing severe financial harm to its victims.
Also pursuant to the federal and state laws, DHEC Commissioner Earl Hunter says in the news release, “We’ve notified the three national credit reporting agencies and the S.C. Department of Consumer Affairs of this incident.
“As required by HIPAA (the Health Insurance Portability and Accountability Act), we’ve also reported this matter to the federal Department of Health and Human Services.”
Under U.S. law, a party responsible for a breach involving 500 or more people must report it to the federal HHS agency, which catalogues the breaches in a database that can be viewed here.
Bill Hall, director of the federal agency’s press office, would neither confirm nor deny that the U.S. Health and Human Services department has been notified of, or is looking into, the DHEC breach.
Under state law – the Financial Identity Fraud and Identity Theft Protection Act of 2008 – DHEC could be subject to fines because of the breach.
Carri Grube Lybarker, staff attorney for Consumer Affairs, says the agency is reviewing the statute to determine whether fines will be forthcoming.
DHEC and Consumer Affairs officials have discussed the case, and DHEC has asked Consumer Affairs for its interpretation of the law as it relates to the breach, Lybarker says.
“This is the first time a state agency has been involved in an incident that possibly falls under the law,” she says.
The container in which the medical records were pitched – a green roll cart designated for office paper – is located at a public recycling center behind Department of Health and Environmental Control headquarters, on Bull Street in downtown Columbia.
In late February, a confidential source found the documents in the bin at the recycling center and provided them to The Nerve. Numbering at least a few thousand, the records were in a household trash bag weighing a little more than 30 pounds.
The Nerve examined a sample of the documents, recording what types of information they contained, and returned them to DHEC less than 36 hours after obtaining the forms.
The department then turned them over to the State Law Enforcement Division and asked SLED to investigate how they ended up where they were not supposed to be.
“(DHEC) policy requires that documents containing personal identifying information must be disposed of by shredding,” Hunter says in the release.
As a result of this breach, he says, “We now require tracking of documents until shredding has been completed.”
That involves a revised “shred control log,” which supervisory personnel must sign.
In its investigation, SLED interviewed more than a dozen sources, including a reporter with The Nerve and the anonymous person who discovered the records, but found that no criminal activity had occurred in the incident.
SLED closed its case in mid-March.
That’s when DHEC axed its employee.
Although The Nerve repeatedly has reported in detail what kinds of information the records list, DHEC’s news release marks the first time the agency has done so.
It says the information “might have included: name; address; telephone number; date of birth; gender; race; type of appointment; income level; Social Security number; a brief medical history related to breast or cervical cancer screenings, colorectal cancer risks, or heart disease risk; blood pressure; weight and height; radiology reports, laboratory reports, results of colorectal screenings; bills for program-paid services; and/or the physician’s name.”
The federal HIPAA law mandates that the Department of Health and Environmental Control “issue a broad notification to the affected area,” the agency’s announcement says.
The records pertain to people who received health care services through three DHEC programs.
The agency says it has notified 1,824 people by letter that their information was potentially compromised in the breach.
“We’ve also notified 1,026 individuals whose information was submitted to us for processing in these programs during this time period, even though the documents returned to us did not include information about these individuals,” the release says.
“Since we can’t be certain that all of the documents have been recovered, it is possible that information about these individuals might also have been improperly placed in the recycling container.”
In all, so far DHEC says the agency has notified 2,850 people of the breach, not including officials with the federal and state agencies.
Reach Ward at (803) 779-5022, ext. 117, or eric@scpolicycouncil.com.