The password-protected laptop, stolen Oct. 16, contained names and Social Security numbers of 3,432 people who were part of the high-risk pool in 2011 and 2012, said Cynthia Hutto of Nelson Mullins Riley & Scarborough. The Legislature created the South Carolina Health Insurance Pool in 1989.
The laptop was stolen from a car outside the home of a DeLoach & Williamson auditor. The Richland County Sheriff’s Department was called Oct. 17, and the pool was notified Oct. 21. The computer was never recovered and officials are unaware of any fraud from the theft.
“There’s absolutely no indication that anything’s been accessed or used,” said Kevin Dolan, of Nelson Levine de Luca & Hamilton in Pennsylvania, speaking for the auditing firm.
Letters notifying affected members did not go out until Dec. 18.
Hutto said that’s because it took time to determine what information was stolen, hire a company to notify members and set up a call center and credit monitoring for them. DeLoach & Williamson is covering those costs, both Hutto and Dolan said. Neither knew the tally.
“First, we had to determine what type of information was included,” Hutto said, adding that “getting the pieces in place” also included getting members’ addresses.
Of the 3,432 affected members, 91 have addresses outside the state – 25 of them in North Carolina. They have until March 31 to sign up for a year of credit monitoring services through the credit bureau Experian, funded by the firm. The call center went live Dec. 19.
About 1,500 people are currently insured through the pool, according to Blue Cross Blue Shield of South Carolina, which the board pays to administer the program.
It’s DeLoach & Williamson’s first experience with a stolen laptop. The employee has been re-trained on the firm’s policies to prevent it from happening again, Dolan said.
Cyber security has been a politically hot topic in South Carolina since fall 2012, when the Department of Revenue became the victim of the largest single hacking of a state agency nationwide. In that case, a computer hacker stole unencrypted personal data belonging to 6.4 million people and businesses from tax returns dating to 1998.
That cyber-theft occurred in mid-September 2012. State officials learned about it Oct. 10 after being contacted by the U.S. Secret Service.
Gov. Nikki Haley announced the breach 16 days later, saying law enforcement didn’t allow her to do so earlier, though critics continue to question the delay. Affected taxpayers didn’t begin receiving notifications through email or letters until last December. It is unclear whether anyone became a victim of identity theft due to the hacking, but taxpayers have spent tens of millions of dollars to clean up that debacle.