A state employee inappropriately gained access to personal information for more than 228,000 Medicaid beneficiaries, a security breach that prompted the Department of Health and Human Services to take measures to offer credit protection services to the individuals involved.
Christopher Lykes Jr., 36, of Swansea, was arrested Thursday and charged with five counts of violating medical confidentiality laws and one count of disclosure of confidential information, according to SLED. Lykes also is a former member of the executive committee of the Lexington County Democratic Party.
HHS discovered the breach on April 10 and fired Lykes the following day after seizing his personal and work computers. Lykes allegedly gathered names, phone numbers, addresses, birth dates and Medicare ID numbers and sent them to his unsecured, personal email account, according to HHS director Tony Keck.
“This is an extremely serious matter,” Keck said. “This individual’s actions exposed a specific security weakness inside the agency that we have corrected. This was not an external event where someone hacked into the agency.”
HHS, as administrator of federal Medicaid claims, has access to personal information for hundreds of thousands of South Carolinians. Those receiving Medicaid funds are among the most vulnerable of the population, either poor or handicapped.
The state HHS suffered a breach of personal data in 2006 when a computer with personal information was disposed of improperly. But this one is different, apparently intentional.
“It is our duty to secure that information,” Keck said. “We are disappointed that one of our own would violate that trust and are deeply apologetic for not preventing the inappropriate release of this information.”
HHS officials first investigated Lykes when tipped by service providers who worked through him about slow response times for claims. That performance review discovered the security breach, Keck said.
Social Security numbers are used as the Medicare ID numbers, making that the most troublesome of the breaches. Investigators believe Medicare ID numbers were gathered for 22,604 individuals. They don’t believe any individuals’ health or financial information was compromised.
Some of the information was passed on to at least one other person, according to SLED director Mark Keel, who offered only sketchy information because the incident is still under investigation.
Keck couldn’t come up with a scenario in which the breach was simply a mistake by the employee. Too much information was gathered outside Lykes’ job responsibilities.
“I’ve woken up every morning for the past week praying that somehow I could find a reason, or the individual who committed the act would tell us this was just a big mistake,” Keck said. “So far we’ve been provided with no reasonable explanation of why the employee would have this information.”
Keck and Keel were careful in their comments during the Thursday morning media briefing, held before Lykes’ arrest, but Gov. Nikki Haley was blunt.
“An employee completely abused the information that they had and used it for personal gain,” Haley said. “That is the most despicable thing you can ever expect to happen in state government. We’re going to make sure that the proper people are prosecuted, and we’re going to make sure this does not happen again.”
The information collected can be used to bill Medicare/Medicaid for things such as power wheelchairs or scooters, said health care economist Lynn Bailey. Such scams have popped up often in Florida in recent years.
While the Medicaid beneficiaries involved in the breach live throughout the state, more than 90 percent reside in six Midlands counties – Richland, Lexington, Orangeburg, Bamberg, Barnwell and Allendale.
To protect all of the clients whose information was compromised, the state has contracted with identity protection firm Experian to provide each of them a free credit report, daily credit monitoring and a $1 million identity theft insurance policy. That protection will cost the state $800,000 to $1 million, Keck said.
There could be millions of dollars of additional fines by federal and state agencies for not safeguarding the information properly, Keck said.
Letters will be mailed Saturday or Monday to the home addresses of the Medicaid clients whose information has been compromised. They will be provided a personal activation code and asked to call (888) 829-6561 to get more information about the identity protection program. The hot line already is being staffed, but state officials would prefer if people wait until they receive letters to call.
More information, and a link to Experian, is available at myscmedicaid.org.
Haley stressed that nobody from the state will be calling Medicaid recipients to ask about the situation. If people receive calls, they should not give out any information.
Lykes was a program coordinator but had no supervisory role. The information gathered inappropriately was sent in 17 spreadsheet files to his personal email, starting on Jan. 31 and ending April 2. His email account has been checked back to 2008, and no other breaches were found, Keck said.
HHS is checking Medicaid claims to determine if any improper claims have been submitted for the individuals whose information was compromised, Keck said.
SLED has filed search warrants to be allowed to track Lykes’ Yahoo email account to determine if he passed the information along to anyone else, Keel said.
Haley asked Inspector General James Martin to investigate personal information procedures in all Cabinet agencies to try to prevent similar problems.
Martin pulled out of his pockets a BlackBerry device, a small, portable hard drive, a thumb drive and a USB cable. Using those devices, he said, he could download information from a work computer and take it home.
Martin said the agencies need to come to terms with “how do we control these things from a technology standpoint and make sure employees understand the dangers of copying data to these personal storage devices.”
Lexington County Democratic Party chairwoman Kathy Hensley said Lykes resigned from the county committee last month for unexplained reasons. She termed his arrest “a shocker.”
Several state and federal agencies will investigate the case because of the nature of the breach. At the least, Keck expects probes by the FBI, the federal Health and Human Services’ Office for Civil Rights, and the S.C. Department of Consumer Affairs.