Congress Probes TRICARE Breach

Bipartisan Effort to Learn More About Massive Incident
Congress Probes TRICARE Breach

Five members of Congress have sent a bipartisan letter to the director of TRICARE, the military health program, asking detailed questions about a recent breach that affected 4.9 million beneficiaries.

In the incident, a TRICARE business associate, Science Applications International Corp., reported that unencrypted computer backup tapes containing TRICARE patient information, including Social Security numbers, were stolen from an employee's car (see: New Offer for TRICARE Breach Victims). TRICARE already faces a class action lawsuit as a result of the case (see: TRICARE Hit With $4.9 Billion Lawsuit).

In the Dec. 2 letter, the members of the House of Representatives characterize the breach as "an extremely serious and substantial lapse in security" and point out that SAIC has been responsible for at least six other security incidents.

"SAIC has received more than $20 billion in federal contracts over the previous three fiscal years, according to USA," the letter notes. "This is despite the fact that federal officials have lodged complaints against the company's conduct for years."

Questions Asked

Among the many questions posed in the letter are:

  • What security precautions and protections does TRICARE require SAIC and other contractors to use in handling patient information?
  • Does TRICARE require SAIC or other contractors to have a formal, documented policy that requires patient information to be encrypted? If not, why not?
  • Was the handling of the backup tapes in the breach incident a violation of SAIC policy or TRICARE contract requirements?
  • Was TRICARE aware of SAIC's prior data breaches before awarding its contract with the firm?
  • If TRICARE was aware of SAIC's breach history, were additional safety precautions required to mitigate breach risks? If not, why not?
  • Going forward, will TRICARE require SAIC and other contractors to eliminate the physical transport of backup tapes in favor of a more secure, reliable method?

The representatives also ask TRICARE to provide a list all instances during the past 10 years in which patient information has been lost or stolen. They ask for a reply by Feb. 2.

Those who signed the letter include four members of the House Energy and Commerce Committee's Subcommittee on Oversight and Investigation. They are: Cliff Stearns, R-Fla., who chairs the committee; Diana DeGette, D-Colo.; Edward Markey, D-Mass., and Joe Barton, R-Texas. Also signing the letter was Robert Andrews, D-N.J., who serves on the House Armed Services Committee's Subcommittee on Oversight and Investigations.

A Call for Hearings

In commenting on the letter, consumer advocate Deborah Peel, M.D., of the group Patient Privacy Rights, says, "We hope this letter leads to Congressional oversight hearings into the industrywide culture of disregard for the privacy of military personnel's and all American's sensitive electronic health information."

She adds: "The worst serial corporate abusers should be penalized and prevented from getting federal contracts."

About the Author

Howard Anderson

Howard Anderson

News Editor, ISMG

Howard J. Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 34 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.

Around the Network