By RICK BRUNDRETT
For 10 years, a proviso tucked away in the state budget has given lawmakers and multiple S.C. agencies access to a massive “data warehouse” containing personal medical records of many South Carolinians.
Now, lawmakers want to launch a similar database that would track sensitive education and workforce information on children and adults in the Palmetto State. The system would be created under another budget proviso passed last week by legislators and now under review by the governor.
The proposed “data warehouse” could be as large as the existing health care version – created in 2002 through a budget proviso and renewed annually via a proviso. Both systems could, in theory, pull private records from each other, effectively creating an even larger, state-run electronic bank of personal information.
In addition to the primary concern of what these databases exist to do, there are multiple privacy questions that are not specifically addressed in the provisos, including the identification of individuals and the release of information to third parties – not to mention the mischief possible when powerful politicians have access to sensitive information.
The existing health “data warehouse” is managed by about 20 workers in the S.C. Revenue and Fiscal Affairs Office, though the agency wouldn’t provide specifics to The Nerve about how it protects private information.
“Under no circumstances will personally identifiable information be accessible or released to legislative members or their staff,” the RFA said in a written response last week to The Nerve.
Yet since fiscal 2007-08, “internet-accessible secure analytic query tools” are supposed to be “made available to members of the South Carolina General Assembly and their research staff members, state agencies, and researchers,” according to the health “data warehouse” proviso.
Similar language is used in the other proviso that would create the education and workforce “data warehouse.”
How deep lawmakers and others with approved access can digitally dive into personal data isn’t specified in the provisos. Under state law, it’s a crime – punishable by up to five years in prison and a $5,000 fine – for public officials or public employees to “wilfully examine” certain confidential records “if the purpose of the examination is improper or unlawful.” Federal laws also prohibit the unauthorized release of health and student records.
But a privacy rights expert who reviewed the fiscal 2018-19 “data warehouse” provisos at The Nerve’s request expressed concerns about the lack of specific privacy protections in the budget bill’s language.
“No matter how tightly you think you have things locked down, there are always risks of data being breached,” said Paul Stephens, the director of policy and advocacy at the nonprofit Privacy Rights Clearinghouse in San Diego.
“It could be someone from the outside who hacks into the system,” he continued, “or it could be internally by someone who has legitimate access to the data but uses it for a purpose for which it was not intended.”
A main problem with the education and workforce “data warehouse” proviso passed last week, Stephens said, is that “it’s difficult from the statutory language to know exactly what this is going to look like.”
More than five years after the S.C. Department of Revenue suffered the worst cyberattack in state government history – about 3.6 million taxpayers’ Social Security numbers were exposed to hackers under then-Gov. Nikki Haley’s watch – the case remains “an ongoing investigation,” a State Law Enforcement Division spokesman told The Nerve, though neither that agency nor the U.S. Department of Homeland Security would comment on any specifics.
And data breaches involving government agencies aren’t always sophisticated. The Nerve in 2010, for example, revealed the improper disposal of thousands of paper medical records maintained by the S.C. Department of Health and Environmental Control, which led to a SLED inquiry.
Those records contained names, Social Security numbers and other personal information. In some cases, the written forms contained sensitive medical information, such as the results of health screenings, including colonoscopies.
The existing health “data warehouse” contains, among other information, “medical claims data” provided by the S.C. Department of Health and Human Services, including the names, dates of birth and medical treatment records of Medicaid patients, agency spokeswoman Colleen Mullis told The Nerve last week. She didn’t know many individuals’ digital records HHS has provided; over 1 million South Carolinians enroll in Medicaid each fiscal year, records show.
Besides HHS, at least 15 other state agencies or divisions dealing with health issues, including DHEC and the state mental health and disabilities departments, as well as “(o)ther agencies as deemed necessary by the Revenue and Fiscal Affairs Office,” are required under the annually renewed budget proviso to “collect and provide client data in formats to be specified” by the RFA.
Mullis said digital records provided by HHS to the RFA are included in the nonprofit South Carolina Health Information Exchange, or SCHIEx for short, described on its website as “an innovative statewide highway information system that allows participating health care providers to view a patient’s medical history, including medications, diagnoses and procedures.”
Asked how many total individuals are identified in the health “data warehouse” maintained by the RFA, the agency in its written response to The Nerve said, “This statistic is not maintained.”
‘Person-level’ data tracked
It’s unclear whether Republican Gov. Henry McMaster will veto budget proviso (102.3) renewing the “South Carolina Health and Human Services Data Warehouse,” or the separate proviso (117.156) creating the “South Carolina Industry, Workforce and Education Data Warehouse.” The South Carolina Policy Council, the parent organization of The Nerve, last month analyzed the proviso creating the education and workforce “data warehouse.”
Lawmakers forced state agencies to continue operating under the fiscal 2017-18 budget after passing the 2018-19 budget on the last week of the fiscal year – which ended Saturday – without giving the governor the normal time period to issue any budget vetoes.
The Revenue and Fiscal Affairs Office, which would oversee the proposed education and workplace “data warehouse,” is governed by a three-member board appointed by the governor and chairmen of the budget-writing House Ways and Means and Senate Finance committees.
The budget proviso creating the new computer system was first passed in April by the Senate Finance Committee, chaired by Senate president pro tempore Hugh Leatherman, R-Florence.
That tracking system would link “person-level data” from the state departments of Commerce, Education and Employment and Workforce; the state technical college system; S.C. First Steps to School Readiness; the Commission on Higher Education; and “other entities as deemed necessary by mutual agreement of” the RFA, the state Coordinating Council for Workforce Development, and a newly created “Workforce and Education Data Oversight Committee (WEDOC).”
The RFA would be tasked with developing procedures – with WEDOC’s approval – for “sharing information and coordinating efforts among stakeholders to prepare the state’s current and emerging workforce to meet the needs of the state’s economy.”
According to an information sheet provided to House members by Ways and Means staff and obtained by The Nerve, a new “individual identifier” would be created to track individuals in the proposed “data warehouse,” though the identifier would not be a Social Security or driver’s license number, or any other existing number that “could potentially identify a specific individual.”
“At no point in this process would any state agency or partners have access to the PII (personally identifiable information) from another state agency or partners,” according to the information sheet.
Still, Stephens, of the Privacy Rights Clearinghouse, said it’s “possible in some situations to re-identify the person” even with “anonymized data.” He cited the example of former Mass. Gov. William Weld, whose private health records were discovered in the 1990s by a computer science graduate student who linked available public records to a publicly released state insurance database that listed hospital visits of state employees, who weren’t identified.
“Privacy advocates are always concerned when there is a warehousing of information,” Stephens said.
Hannah Hill, senior policy analyst with the South Carolina Policy Council, contributed to this story. Brundrett is the news editor of The Nerve. Contact him at 803-254-4411 or firstname.lastname@example.org. Follow him on Twitter @RickBrundrett. Follow The Nerve on Facebook and Twitter @thenervesc.
Nerve stories are free to reprint and repost with permission by and credit to The Nerve.