The department discovered on April 10 that an employee, since terminated, transferred 17 spreadsheets dating back to Jan. 31, 2012, to a personal email account. Police are investigating but the department does not yet know the reason for the transfers.
The compromised data included names, addresses, birth dates, phone numbers and Medicaid ID numbers, and Social Security numbers in 22,604 cases where a Medicare number was linked to beneficiaries’ names.
The breach affects beneficiaries in six South Carolina counties. The department is offering affected beneficiaries one year of credit and identity protection services, including a $1 million identity theft insurance policy, from Experian. The agency also has frozen access to aggregate PHI for much of its staff and hired an outside firm to conduct a risk assessment of its data and I.T. systems security.
In notification letters and in a prominent notice at the top of its Web site, the department cautions beneficiaries to be aware of scammers who learn of the breach: “SCDHHS and its authorized partners will never contact you by phone or letter asking for personal information such as your Social Security number. Do not give out your Social Security number or other information to anyone you have not contacted.”
Further, the department has issued a Medicaid Bulletin alerting providers of the breach. “SCDHHS is taking appropriate steps for notification,” the bulletin states. “As a Medicaid provider, you may be asked about this incident. We encourage you to print and distribute the attached flyer, which is running in newspapers statewide. Please be aware that this incident does not involve medical information and does NOT affect any current beneficiaries’ Medicaid eligibility status.”