Recent health data breaches highlight risk of inside jobs

Separate incidents in South Carolina and Georgia compromise the privacy of more than 500,000 patients.

By Pamela Lewis Dolan — Posted May 3, 2012

Print  |   Email  |   Respond  |   Reprints  |   Like Facebook  |   Share Twitter  |   Tweet Linkedin

A former employee of the South Carolina Dept. of Health and Human Services was arrested after allegedly transferring the personal information of more than 228,000 Medicaid beneficiaries to his personal email and at least one other party. Meanwhile, in Georgia, computer disks containing 315,000 patients’ medical records that were stored improperly have gone missing.

To technology experts, both cases highlight the importance of practices ensuring that their employees know how to handle sensitive health data. According to Verizon’s 2012 Data Breach Investigations Report, 4% of the breaches investigated in 2011 by Verizon or one of the five other international organizations it partnered with to produce the report were caused by someone internally.

The actual number probably is much higher, because many breaches go undetected or are unreported for political reasons and handled internally, according to the report’s authors. For the third year in a row, the report said, nearly all of the internal breaches were the result of deliberate and malicious intent.

Christopher Lykes, a former South Carolina Dept. of Health and Human Services employee, was arrested on April 19 by the South Carolina Law Enforcement Division and charged with five counts of “medically indigent act confidentiality violations” and one count of disclosure of confidential information.

The arrest came after the state HHS discovered the transfer during an agency performance review and asked law enforcement officials to investigate on April 10. State agents took possession of Lykes’ work and personal computers and determined that he sent the information of 228,435 Medicaid beneficiaries to a personal email account and at least one other party.

State HHS spokesman Jeff Stensland said he could not comment on what Lykes may have been doing with the information, because the investigation is ongoing. State HHS Director Anthony Keck released a statement saying he was deeply disappointed that one of the department’s employees allegedly would violate the public’s trust. He said the department is “deeply apologetic for not preventing the inappropriate release of this information.” Neither Lykes nor his attorney has commented on the case.

The South Carolina incident was one of two major breaches announced in April. The other was a breach of information belonging to 315,000 Emory Healthcare surgical patients in Atlanta. The system announced in April that it discovered 10 backup disks containing patient data missing from a storage facility at Emory University Hospital. Emory Healthcare President and CEO John T. Fox said the files were from an obsolete software system that was deactivated in 2007. The disks were kept in a locked office, but they were in a cabinet that should have been locked, Fox said. The hospital is trying to determine what happened to the disks.

On the disks were the records of surgical patients treated at Emory University Hospital, Emory University Hospital Midtown (formerly known as Emory Crawford Long Hospital) and the Emory Clinic Ambulatory Surgery Center between September 1990 and April 2007. The organization determined that about 228,000 of the records included Social Security numbers.

There’s no evidence that the information has been misused, but the affected patients will be provided with identity protection services including credit monitoring. Among the affected patients: Fox, Emory CEO.

Back to top



Read story

Confronting bias against obese patients

Medical educators are starting to raise awareness about how weight-related stigma can impair patient-physician communication and the treatment of obesity. Read story

Read story


American Medical News is ceasing publication after 55 years of serving physicians by keeping them informed of their rapidly changing profession. Read story

Read story

Policing medical practice employees after work

Doctors can try to regulate staff actions outside the office, but they must watch what they try to stamp out and how they do it. Read story

Read story

Diabetes prevention: Set on a course for lifestyle change

The YMCA's evidence-based program is helping prediabetic patients eat right, get active and lose weight. Read story

Read story

Medicaid's muddled preventive care picture

The health system reform law promises no-cost coverage of a lengthy list of screenings and other prevention services, but some beneficiaries still might miss out. Read story

Read story

How to get tax breaks for your medical practice

Federal, state and local governments offer doctors incentives because practices are recognized as economic engines. But physicians must know how and where to find them. Read story

Read story

Advance pay ACOs: A down payment on Medicare's future

Accountable care organizations that pay doctors up-front bring practice improvements, but it's unclear yet if program actuaries will see a return on investment. Read story

Read story

Physician liability: Your team, your legal risk

When health care team members drop the ball, it's often doctors who end up in court. How can physicians improve such care and avoid risks? Read story

  • Stay informed
  • Twitter
  • Facebook
  • RSS
  • LinkedIn