Recent health data breaches highlight risk of inside jobs
Separate incidents in South Carolina and Georgia compromise the privacy of more than 500,000 patients.
By Pamela Lewis Dolan — Posted May 3, 2012
A former employee of the South Carolina Dept. of Health and Human Services was arrested after allegedly transferring the personal information of more than 228,000 Medicaid beneficiaries to his personal email and at least one other party. Meanwhile, in Georgia, computer disks containing 315,000 patients’ medical records that were stored improperly have gone missing.
To technology experts, both cases highlight how important it is for medical practices to ensure that their employees know how to handle sensitive health data. According to Verizon’s 2012 Data Breach Investigations Report, 4% of the breaches investigated in 2011 by Verizon or one of the five other international organizations it partnered with to produce the report were caused by an insider.
The actual number probably is much higher, because many breaches go undetected or are unreported for political reasons and handled internally, according to the report’s authors. For the third year in a row, the report said, nearly all of the internal breaches were the result of deliberate and malicious intent.
Christopher Lykes, a former South Carolina Dept. of Health and Human Services employee, was arrested on April 19 by the South Carolina Law Enforcement Division and charged with five counts of “medically indigent act confidentiality violations” and one count of disclosure of confidential information.
The arrest came after the state HHS discovered the transfer during an agency performance review and asked law enforcement officials to investigate on April 10. State agents took possession of Lykes’ work and personal computers and determined that he sent the information of 228,435 Medicaid beneficiaries to a personal email account and at least one other party.
State HHS spokesman Jeff Stensland said he could not comment on what Lykes may have been doing with the information, because the investigation is ongoing. State HHS Director Anthony Keck released a statement saying he was deeply disappointed that one of the department’s employees allegedly would violate the public’s trust. He said the department is “deeply apologetic for not preventing the inappropriate release of this information.” Neither Lykes nor his attorney has commented on the case.
The South Carolina incident was one of two major breaches announced in April. The other was a breach of information belonging to 315,000 Emory Healthcare surgical patients in Atlanta. The system announced in April that it had discovered 10 backup disks containing patient data missing from a storage facility at Emory University Hospital. Emory Healthcare President and CEO John T. Fox said the files were from an obsolete software system that was deactivated in 2007. The disks were kept in a locked office, but inside an unlocked cabinet that should have been locked, Fox said. The hospital is trying to determine what happened to the disks.
On the disks were the records of surgical patients treated at Emory University Hospital, Emory University Hospital Midtown (formerly known as Emory Crawford Long Hospital) and the Emory Clinic Ambulatory Surgery Center between September 1990 and April 2007. The organization determined that about 228,000 of the records included Social Security numbers.
There’s no evidence that the information has been misused, but the affected patients will be provided with identity protection services, including credit monitoring. Among the affected patients is Fox himself, the Emory CEO.