A report by the State Law Enforcement Division answers some key questions about hundreds of improperly discarded medical records, in what is possibly one of the largest breaches of state-controlled confidential information ever.
The report reveals where the records came from, but how many people were affected in the breach remains unclear.
Other important questions about the case also have yet to be answered, namely whether it will involve fines against the party responsible for the breach – the S.C. Department of Health and Environmental Control.
At 10 pages single spaced, the report details a SLED investigation of the case, which prompted DHEC to revise its protocols for handling people’s private information. The agency also terminated one of its employees because of the incident.
The case made news statewide.
The SLED inquiry began after The Nerve obtained the records from a confidential source and returned them to DHEC in late February. The department then turned over the documents to the State Law Enforcement Division and asked SLED to try to figure out how they ended up where they were.
Where was that? A green roll-cart trash container designated for office paper at a public recycling center behind DHEC headquarters, on Bull Street in downtown Columbia.
Numbering at least a few thousand, the records list Social Security numbers, names, addresses, birthdates, phone numbers and other indentifying information. Some of the forms also contain highly sensitive details about people’s medical conditions, such as whether they are showing symptoms of breast cancer and other diseases.
The improper disposal of the documents ran afoul of state and federal laws designed to protect people against identity theft, one of the fastest growing crimes in South Carolina and nationally.
It can strike anyone, and often wreaks havoc on the finances of its victims.
The threat of identity theft recently was underscored in the Columbia area.
In March, 35-year-old Maribel C. Crespo was fired from her job as a sworn judicial security officer with the Richland County Sheriff’s Department and arrested on identity theft-related charges.
Crespo used her position “to obtain a victim’s Social Security number and date of birth to commit financial identity fraud,” applying for a credit card in the victim’s name and obtaining $3,000 from the victim, according to four Richland County arrest warrants.
In the investigation into the wrongfully discarded DHEC medical records, State Law Enforcement Division special agents Natalie Crosland and Bryan Jones interviewed more than a dozen people.
Those sources include a reporter with The Nerve and the anonymous person who found the documents in the recycling bin.
Two people were administered polygraph exams as part of the SLED probe and “deception was indicated” in one of the tests, according to the report. The Nerve obtained a copy of it under the S.C. Freedom of Information Act.
So, where did the records come from?
It’s one of the biggest questions about the case, and the SLED report answers it: DHEC offices on Saint Julian Place in Columbia.
Couriers with the agency pick up records from that site and other locations and transport them to DHEC headquarters, where the documents are shredded.
From beginning to end, that transportation and shredding process features tight controls, the report indicates.
Records are placed in sealed boxes for transport.
The destruction of documents at DHEC’s home offices takes place in a locked shredding room, according to the report. Access to the key to the room, and the room, is limited. “They have temporary employees who can shred but only if one of the full-time employees are in there with them,” the report says, citing one of the interviews.
The controls on the shredding process, and information some DHEC employees provided to agents Crosland and Jones, suggest that the workers knew that medical records should not be pitched at the recycling center.
The report says one of the employees told the agents that at one point “all the guys were sitting around and talking about the documents being disposed of somewhere unauthorized.”
Corresponding to dates on the improperly discarded records, agent Crosland obtained video surveillance of the Saint Julian Place location and the recycling center.
A third agent worked up a questionnaire. It was distributed to all employees with access to the shredding room.
“Upon reviewing the questionnaires from the couriers, it was obvious that they had been completed together,” the report says. “It was determined that each courier had to be interviewed.”
The deception the report identifies in one of the polygraphs surfaced when an employee replied “no” upon being asked, “Do you know for sure who put those files in the dumpster at DHEC and did you put those files in the dumpster at DHEC?”
Case Closed, But Fines Possible
However, the State Law Enforcement Division found that no criminal activity had taken place, and SLED closed the case on March 15.
That doesn’t necessarily mean that DHEC is off the hook, though.
The agency is notifying all of the people whose personal information was compromised to let them know that it could have fallen into the wrong hands.
The Department of Health and Environmental Control has been engaged in that process for nearly two weeks at least. But as of this dispatch being posted the agency had not determined how many people were affected.
The state and federal laws require such notification. And under the S.C. statute, fines could be involved.
Described as one of the toughest identity theft measures in the nation, the state law is named the Financial Identity Fraud and Identity Theft Protection Act. It became law just in 2008.
It is so new that the DHEC medical records case marks the first time the law could be applied to a state agency, according to Carri Grube Lybarker, staff attorney for the S.C. Department of Consumer Affairs.
“There are two sections that could be applicable,” Lybarker says of the law.
One portion addresses improper disposal of records by public bodies. But that part of the law is “very vague” as to who enforces it, she says. “My guess is it would possibly be the (state) attorney general, if anybody.”
The other potentially relevant section of the law isn’t vague about enforcement. It deals with unauthorized access to and acquisition of personal data stemming from a security breach.
In such a scenario, enforcement authority falls to the Department of Consumer Affairs and the agency can issue fines of up to $1,000 per person affected, Lybarker says.
Still, to this point Consumer Affairs has not been informed that the DHEC case constitutes a formal breach potentially subject to the law, she says.
In an effort to prevent it from happening again, DHEC has strengthened its procedures for handling people’s confidential indentifying information with a new shred control log. It requires supervisory signatures.
For everyone handling personal information, whether their own or someone else’s, prudence demands the utmost care in the era of identity theft.
Reach Ward at (803) 779-5022, ext. 117, or email@example.com.