Email included sensitive medical, financial information
By RON AIKEN
In a potential violation of federal privacy laws, a nonprofit organization run through the Department of Revenue improperly released the names and disabilities of 2,070 students statewide and then never told anyone affected, Quorum has learned.
The disclosure was in a Sept. 14 email from David Laird, at the time the executive director of Exceptional SC, to Gillian Barclay-Smith of the private Barclay School in Ridgeway. Laird was providing information about scholarships for students with exceptional needs.
Exceptional SC was created by the Legislature as the result of a special budget proviso (Proviso 109.15) to oversee South Carolina’s controversial program, created in 2013, that gives tax credits to those who donate to scholarships for exceptional needs children. The state stepped in after questions were raised about how some private organizations were administering the scholarships.
Attached to Laird’s email was a 24-page spreadsheet that was given to Quorum with the names redacted. It includes information on each child’s learning, intellectual, developmental or emotional disability as well as any physical impairment such as blindness or deafness.
The spreadsheet also includes sensitive financial information for each child, such as the amount of tuition and fees at the private school they attend (from $2,400 to $268,000), how much scholarship funds they were awarded in the fiscal year that ended June 30 (a maximum of $11,000 yearly) and the amount requested for this school year.
HIPAA, FERPA POTENTIALLY IN PLAY
According to Jacqueline Pavlicek, an attorney at Callison Tighe specializing in privacy, data protection, data breach response and information security, the dissemination of that information could possibly qualify as a violation of multiple federal laws, specifically the Health Insurance Portability and Accountability Act (HIPAA), which protects the privacy of patient medical records, and the Family Educational Rights and Privacy Act (FERPA), which governs the collection, storage, and dissemination of the personal information of students in the educational environment.
“(The release) could fall under HIPAA if the government decides the charity is a covered entity,” Pavlicek said. Covered entities typically are health care providers (including Medicaid and Medicare), insurers, health care clearinghouses and other entities legally responsible for patient information.
“Non-medical and business entities also can fall under HIPAA if they handle covered material.”
On the website of the federal Centers for Medicare & Medicaid Services, one test of whether a person, business or agency is a ‘covered entity’ under HIPAA is whether it transmits a covered transaction electronically.
If HIPAA does apply, Pavlicek said there are important deadlines that must be met.
“The first is that there’s a 60-day requirement to notify the individuals affected by the breach, which in this case would probably be the parents,” Pavlicek said. “If more than 500 people are involved, you have an obligation to notify the federal Department of Health and Human Services immediately. If there are 500 people or more in the same jurisdiction, you have an obligation to inform the media.”
No such actions were taken by Exceptional SC, Quorum has confirmed, and all the above deadlines have come and gone.
HIPAA violations are determined by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights, and in practice an investigation typically begins after a complaint is filed or a breach is reported to HHS.
Fines for HIPAA violations are decided on a case-by-case basis and assessed according to the severity of the violation, according to the American Medical Association. The tiers are “Unknowing” (minimum $100 per violation), “Reasonable Cause” (minimum $1,000 per violation), “Willful neglect, but violation is corrected within required time period” (minimum $10,000 per violation) and “Willful neglect and not corrected within the time period” (minimum $50,000 per violation). All categories have a maximum fine of $50,000 per violation and an annual maximum of $1.5 million.
“My guess is that the responsibility for sensitive medical information goes downstream, from the doctor providing the diagnosis to the agency who is bound by HIPAA,” Pavlicek said. “Say someone consents to releasing medical records to me as an attorney. If I chunk them out in the dumpster, I’m on the hook for what happens to them.”
The release also could have violated FERPA protections, Pavlicek said, given the sensitive personal financial information that was disseminated. Violations of FERPA law fall under the U.S. Department of Education.
“You’re talking about private financial information in an educational setting,” Pavlicek said. “FERPA covers the release of private student information, and I would think the amount of scholarship money a student is receiving is private educational information.”
Like a HIPAA violation, the only way the Department of Education investigates is following a complaint, though penalties are generally milder than HIPAA’s and are remedial in nature, Pavlicek said.
‘IT WAS HUMAN ERROR’
The email was one of many sent by Laird as he tried to build an accurate student database from scratch, according to Tom Persons, board chairman of Exceptional SC. Persons said no other schools received the data and that the inclusion of the entire database was unintentional and unfortunate.
“It was an inadvertent mistake that was handled immediately,” Persons said. “We learned of it, I want to say, about 10 minutes after it was sent the same morning, and the headmaster promised me (they) would delete the email immediately.
“I took them on their word.”
If the email containing the spreadsheet was deleted, it was not before it was forwarded to Jeff Davis and Olga Lisinska of Palmetto Kids First, previously the largest scholarship funding organization (SFO) in the state. A 2016 DOR audit of Palmetto Kids First, together with the concerns of legislators, led directly to control of the fund being taken out of private hands.
“How that (list) got to Jeff I have no idea,” Persons said. “If someone shared it, they also may have some problems.”
Besides the known forwarding of the list, it is nearly impossible to know how much farther it may have traveled or to whom the email was forwarded on purpose or by accident, Pavlicek said.
“It’s so difficult to claw back an email once it’s sent,” Pavlicek said. “You can say you deleted it, but you also may have clicked a box sending it to your entire organization, and even if you did, nothing is ever really deleted for a forensic computer expert.”
When asked if Persons, whose full-time job is president and CEO of the South Carolina Technology Alliance, believed the release of the information to be a potential violation of federal privacy laws at the time, he wasn’t certain.
“I’m not an expert in that area,” Persons said. “I trusted the (person) who assured me (they’d) destroy it.”
After the email Laird was counseled, Persons said, and subsequently resigned.
“His security badge was taken and it was dealt with professionally,” Persons said. “He made the decision that it was best for him to leave.
“It was human error, and we dealt with it.”
Exceptional SC has yet to replace Laird.
What comes next depends on whether a parent or parents file a complaint with HHS’s Office for Civil Rights or the Department of Education. What is certain is that if a student’s medical or psychological condition was exposed, it could result in direct harm to the student on multiple levels, Pavlicek said.
“Just having the name of the student to start with as participating in a program for students with special needs can carry a stigma,” Pavlicek said. “Not everyone has needs that are obvious.
“Then you have the knowledge that they’re receiving scholarships and how much plus the sensitive health information.
“Wherever the law may fall, and this is a strange situation because it’s a government agency holding student financial and medical information, this information is extremely sensitive and private and should have been safeguarded better.”
The potential release of the disabilities and identities of thousands of children was specifically articulated by Palmetto Kids First before DOR ever took over the program.
Facing allegations from legislators and competing fundraisers about Palmetto Kids First’s fundraising tactics, DOR launched an audit of the SFO, completed in 2016, that concluded, among other allegations, that Palmetto Kids First engaged in quid pro quo financial relationships in which parents whose children qualified for the scholarships and who donated all received scholarships, a charge Davis and Lisinska have denied.
As part of that audit, DOR requested private information about Palmetto Kids First’s donors and students. In an affidavit dated Feb. 25, 2015, in a civil case brought by Palmetto Kids First against DOR in which it attempted to block the agency’s request for the release of its private student and donor information, DOR auditor Ricky Taylor took pains to emphasize the safeguards in place to prevent the escape of any such information.
“Lastly, it is my understanding that the Plaintiffs in this case (Palmetto Kids First) are concerned about the potential that the Department may, advertently or inadvertently, improperly disclose confidential information or portions of the Requested Information related to the Palmetto Kids First, its donors and scholarship recipients once received by the Department,” Taylor swore. “The information sought under the Summons in this case pertains to corporate and individual income taxes under Chapter 6 of Title 12 of the SC Code of Laws and would be considered confidential taxpayer information.
“I can confirm that the Department in general, and the auditing department in specific, has multiple security measures in place in order to assure that confidential information is not improperly disclosed.”
Taylor cited safeguards including “specific job qualifications and clearances” required of auditors before viewing any confidential data and the storage of hard copies of data in locked office drawers.
“Additionally, the Department’s auditors do not send any taxpayer information via e-mail or other electronic means, unless the taxpayer specifically authorizes such communication,” Taylor swore.
“Finally, the Department’s auditors are fully aware that improper or unauthorized disclosure of taxpayer information may result in penalties, dismissal from employment and possible criminal prosecution under S.C. Code Ann. § 12-54-240, which prohibits the disclosure of taxpayer information.”
DOR deferred all comments on the matter to the governing board of Exceptional SC.
Reach Aiken at (803) 200-8809. Email him at firstname.lastname@example.org. Follow him on Twitter @RonAiken and @QuorumColumbia and like Quorum on Facebook.