COLUMBIA — South Carolina’s inspector general is reviewing the security systems of state agencies after the theft of more than 228,000 Medicaid patients’ personal information, Gov. Nikki Haley said Monday.
A former project manager of the Department of Health and Human Services was arrested April 19 and accused of compiling the data on a spreadsheet and sending it to his private e-mail account. Christopher Lykes Jr., 36, was charged with five misdemeanor counts of violating the confidentiality of medical indigents and one count of disclosing confidential information. He faces up to 10 years in prison if convicted of all charges.
Haley said she told State Law Enforcement Division Chief Mark Keel to make an example of him.
“I told him, ‘Slam him to the wall,’ ” Haley said after a Cabinet meeting in which all agency directors gave a rundown of their security procedures and any changes they’ve made.
No one answered the phone at a number believed to be Lykes’ Swansea home. Keel declined to comment on the investigation, and state police didn’t know whether Lykes had an attorney.
Also Monday, state Attorney General Alan Wilson announced that his office would be taking over the Lykes case at the request of local prosecutors, who said the man was related to someone in their office. A spokeswoman for Solicitor Dan Johnson said Lykes’ cousin works in the prosecutor’s pretrial intervention office.
Notification letters to affected Medicaid patients were mailed last week, informing them of the situation and inviting them to call a hotline, said Tony Keck, the director of the state’s Medicaid agency. Postings about the breach were sent to medical offices, and the agency is advertising on the radio and in newspapers. Also, an independent audit of the agency’s security procedures and technology will start next week, he said.
Haley said no known cases of identity theft have surfaced, but that’s why the agency is reaching out to clients via ads and by mail.
Haley told her Cabinet directors to make it clear to supervisors that they also would suffer repercussions from any similar theft.
“If a supervisor has this happen under their watch, they will get fired, because this is not just about one employee. They are responsible too,” she said. “We all appreciate our employees, but we also need to remind them they are responsible, and if something happens under their watch, they will pay the price.”
Comptroller General Richard Eckstrom took issue with that later in the meeting, saying he’d never tell supervisors they’re automatically fired if there’s ever a breach. Such action should depend on whether they helped, or acted incompetently or negligently, he said.
“He has his agency, and I have my Cabinet,” Haley said.
Keck is analyzing whether anyone else should be fired, she said.
While most firms and government agencies have many safeguards in place against external access threats such as hacking, the culprit increasingly comes from inside. Breaches often arise because something’s happened in employees’ lives to make fast cash attractive, or they’ve been reprimanded or fired, said Inspector General Jim Martin, cautioning directors not to rely on background checks at hiring.
Agency directors said their policies include limiting employees’ computer access to their specific duties and limiting their ability to download data. Several said they’re also starting annual reviews of their policies, to keep up with technology, and re-training of employees.
In the case of the Medicaid information, Haley said, the agency had software in place that would raise red flags if numbers were included in the body of an e-mail, but not if they were included as part of an attachment to an e-mail.
“Our job is to protect the information of the public – to make sure we don’t have breaches in the process,” she said. “What this meeting was about today is, ‘What are you doing? Whatever it is is not enough.’ ”