Investigative reporting by The Nerve has led to an inquiry by the State Law Enforcement Division into how thousands of S.C. Department of Health and Environmental Control medical records ended up in a public recycling bin.
The improper disposal of the records exposed thousands of South Carolinians to the potential of identity theft and other dangers.
The records list Social Security numbers, names, phone numbers, birthdates, addresses, yearly income levels and other personal data. In some cases, the forms also contain highly sensitive medical information, such as the results of colonoscopies and other health screenings.
None of the information was blacked out or otherwise redacted.
Virtually all of the records have DHEC letterhead or the agency’s logo on them.
The records were discovered in a green roll-cart trash dumpster designated for office paper at a recycling center behind DHEC headquarters, at 2600 Bull St. in downtown Columbia.
A trusted source, who asked not to be identified because of the sensitive nature of the situation, provided The Nerve with a household trash bag full of the documents late in the afternoon Tuesday.
The Nerve examined a sample of the records and documented what kinds of forms they are and what types of information they contain. The Nerve did not record any details pertaining to any individual by name.
Less than 24 hours after obtaining the documents, The Nerve contacted DHEC to make arrangements to return them to the agency, and did so the following morning.
As The Nerve was preparing this report Friday, DHEC chief spokesman Thom Berry said the agency would provide The Nerve with a response about the incident by the end of business hours that day.
DHEC failed to do so. Instead, the agency issued a one-paragraph news release at about 4:45 p.m.
The release says in its entirety, “The S.C. Department of Health and Environmental Control has requested assistance from the S.C. Law Enforcement Division into allegations that DHEC documents were found in a City of Columbia public recycling bin located behind state agency office buildings on Bull Street.
DHEC has recovered and secured the documents, and turned them over to SLED. SLED is conducting a preliminary inquiry into this matter. More information will be released as it becomes available.”
SLED spokeswoman Jennifer Timmons confirmed the SLED probe.
News media outlets across South Carolina began reporting on the case after DHEC issued its news release.
The improper disposal of the documents runs afoul of federal and state laws intended to protect the confidentiality of people’s health and other personal information.
When a potential breach of that information occurs of this magnitude, the laws require the party responsible for the violation to notify everyone whose information might have been compromised that it could have fallen into the wrong hands.
The laws also require the responsible party to tell the federal government, the S.C. Department of Consumer Affairs and national credit reporting companies about the breach. Significant fines could be involved under the state statute.
Identity theft – often perpetuated by malefactors digging through trash – is a rapidly escalating crime that wreaks havoc on the finances of its victims.
One of the best ways to guard against it is to shred anything paper that contains personal identifying information.
The Nerve asked Consumer Affairs spokeswoman Maria Audas where a Social Security number ranks on the spectrum of such details that should be protected in an effort to prevent identity theft. “I would put it No. 1,” Audas said.
The roll cart containing the records was full and they were sitting at the top of it at a drop-off location for recyclables, behind DHEC’s home offices at 2600 Bull St. in downtown Columbia.
It is an open-access area that countless people use. Thus, anyone could have taken the records and had themselves a veritable identity-theft goldmine.
At this point, how the documents got there is a mystery.
But what is clear is that this case raises deeply troubling doubts about the ability not only of DHEC, but of government agencies as a whole, to protect people’s right to privacy by safeguarding their most sensitive, personal information.
After all, if this can happen, what other kinds of mishaps have occurred, or could take place, with public employees handling such material?
The possibilities are frightening, and compounded by technology.
In just one example, a June 2008 dispatch in The Chronicle of Higher Education says in part, “The theft of a desktop computer at the University of South Carolina has compromised the personal information of about 7,000 students and 130 staff and faculty members. This is the third computer-security breach at the university in the past two years, reports The State (newspaper) … “
The information included the Social Security numbers of the affected individuals.
The DHEC incident could expose the agency, and by extension state taxpayers, to costly lawsuits.
As for how many medical records were in the roll cart, it is not clear.
The trash bag full of them that was provided to The Nerve weighed a little more than 30 pounds.
Based on the weight of a standard 500-page ream of office paper – about 5 pounds – the bag contained some 3,000 records.
However, as the roll cart was filled to capacity, it might have held many thousands more.
The documents The Nerve sampled had January or February dates and included screening, billing and pre-authorization sheets, health insurance claim forms and invoices for health center visits.
The records were for people all over South Carolina.
In addition to Social Security numbers and the other indentifying data, some of the documents listed people’s number of family members, cell phone numbers and specific medical conditions.
Asked to describe DHEC’s protocols for disposing of medical records, DHEC chief spokesman Berry said in an e-mail that the agency keeps them for three years and then sends them to the S.C. Department of Archives and History.
That agency stores them for a certain number of years and then shreds them, Berry said.
Richard Harris, who oversees records management for Archives and History, says the department warehouses records from DHEC-run health departments at the State Records Center.
The center is located at 1942-A Laurel St. in Columbia, about 1.2 miles from DHEC headquarters.
Harris says Archives and History, at 8301 Parklane Road in northeast Columbia, does not store medical records available to the public for research.
On the Archives and History Web site, a list of DHEC documents kept at Archives and History includes “health records without mention of tuberculosis” under the heading “division of county health departments.”
However, the list says those records are “restricted.”
When The Nerve asked DHEC about the recycling drop-off location, Adam Myrick, another spokesman for the agency, said the S.C. Department of Mental Health owns that land and property adjacent to it.
Mark Binkley, general counsel for Mental Health, qualifies that assertion. Technically it’s Mental Health land, but DHEC controls it “and that’s their recycling operation,” Binkley says.
Asked whether Mental Health employees dispose of medical records at the site, he says, “I would hope to God we aren’t carting records over there and chucking them.”
Binkley described such a scenario as a “nightmare.”
He then cited a recent amendment to the federal Health Insurance Portability and Accountability Act (HIPAA) of 1996. The revision to HIPAA requires entities the law covers, which include DHEC, to notify the federal government if their actions result in a security breach of private information involving more than 500 people.
The offending party also must tell each of those individuals that their information was compromised.
“And there have been some massive breaches,” Binkley says.
The U.S. Department of Health and Human Services maintains a list of them at http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html.
In addition, under the S.C. Financial Identity Fraud and Identity Theft Protection Act, parties that expose someone’s confidential information must notify them. If the security lapse involved more than 1,000 people, the responsible party also must let the state Department of Consumer Affairs and national credit reporting companies know about it.
Passed in 2008, the law mandates that entities disposing of confidential identifying information must ensure that it is “unreadable or undecipherable,” spokeswoman Audas says. “And that applies to agencies, all businesses. That applies to everybody.”
The statute carries both criminal and civil provisions. Violators can be fined varying amounts, although Consumer Affairs has not yet issued a fine pursuant to the law, according to Carri Grube Lybarker, staff attorney for the agency.
An undated brochure on the Consumer Affairs Web site says in part, “Identity theft is this nation’s fastest growing crime. According to the Federal Trade Commission’s Identity Theft Complaint Data Reports, over the past three years South Carolina has risen six places in the rankings of identity theft victims by state.”
Says the U.S. Department of Justice Web site: “Some criminals engage in ‘Dumpster diving’ going through your garbage cans or a communal Dumpster or trash bin – to obtain copies of your checks, credit card or bank statements, or other records that typically bear your name, address, and even your telephone number. These types of records make it easier for criminals to get control over accounts in your name and assume your identity.”
In many cases, the DOJ site says, “a victim’s losses may include not only out-of-pocket financial losses, but substantial additional financial costs associated with trying to restore his reputation in the community and correcting erroneous information for which the criminal is responsible.”
The DHEC breach should make everyone think twice about how they handle sensitive information, especially caretakers of large volumes of it.
Reach Ward at (803) 779-5022, ext. 117, or eric@scpolicycouncil.com.