TRICARE Breach Affects 4.9 Million

Incident Involves Theft of Backup Tapes
TRICARE Breach Affects 4.9 Million
About 4.9 million patients treated in San Antonio area military treatment facilities since 1992 have been affected by a health information breach involving the theft of backup tapes for electronic health records, federal officials say. If the numbers hold up, this would be the largest breach reported since the HIPAA breach notification rule, mandated under the HITECH Act, took effect in September 2009.

The Defense Department's TRICARE healthcare program, which serves active-duty troops and their dependents, as well as military retirees, says one of its business associates, Science Applications International Corp., reported the breach Sept. 14. The tapes were stolen from the car of an SAIC employee who was responsible for transporting the tapes between federal facilities in San Antonio "pursuant to contract requirements," an SAIC spokesman says.

But according to a San Antonio Police report, the car burglary occurred Sept. 13, between 7:53 a.m. and 4:30 p.m., in the parking lot of a local SAIC facility. The report, filed Sept. 14, says the car was broken into by breaking a vent window.

"There is no indication that the data has been accessed by unauthorized persons," the SAIC spokesman says. SAIC is working with the local police department, Defense Criminal Investigative Services and a private investigator to attempt to recover the tapes, the spokesman adds.

Information on the breached tapes may have included Social Security numbers, names, addresses, phone numbers and some personal health data, such as clinical notes, lab tests and prescriptions, according to a TRICARE statement. The tapes did not contain any financial data.

"Some personal information was encrypted prior to being backed up on the tapes," the SAIC spokesman says. "However, the operating system used by the government facility to perform the backup onto the tape was not capable of encrypting data in a manner that was compliant with a particular federal standard. The government facility was seeking a compliant encryption solution that would work with the operating system when the backup tapes were taken."

TRICARE "does not have a policy" on encryption of backup tapes, a TRICARE spokesman says.

Under the HIPAA breach notification rule, breaches of information encrypted in compliance with a federal standard do not have to be reported.

"The risk of harm from loss of the tapes is judged to be low since retrieving the data on the tapes requires knowledge of and access to specific hardware and software, and knowledge of the system and data structure," according to SAIC.

Reviewing Data Protection

Both SAIC and TRICARE are "reviewing current data protection security policies and procedures to prevent similar breaches in the future," according to the TRICARE statement.

TRICARE and SAIC also are working together to identify all beneficiaries whose information may have been involved. "Individual notifications have not begun," a TRICARE spokesman says. "That determination will be made based on the results of the ongoing investigation."

SAIC and TRICARE have not yet determined whether any patients affected by the breach will be offered free credit protection services, the TRICARE spokesman says. "That will be determined based on the results of the ongoing investigation, when a more accurate estimation of the risk to our beneficiares will be possible," he adds.

Those affected by the breach, according to the TRICARE statement, were patients who received care (including the filling of pharmacy prescriptions) from 1992 through Sept. 7, 2011, at San Antonio area military treatment facilities, and others whose laboratory workups were processed in these facilities even though the patients were receiving treatment elsewhere.

A brief statement on the SAIC website acknowledges that the company has set up an "incident response call center," but provides no further details beyond a link to TRICARE's statement.

TRICARE hired SAIC to handle "the storage of some TRICARE health information," the TRICARE spokesman says. "That contract continues."

The TRICARE incident is one of five affecting more than 1 million individuals that have been reported since the HIPAA breach notification rule took effect (see: Healthcare Breaches: A New Top 5).

Reaction to the Incident

Security consultant Kate Borten, president of The Marblehead Group, says: "What's particularly distressing about this news is that TRICARE should be encrypting. The organization should have had reasonable controls in place."

Borten also questions whether the risk of someone accessing the data on the stolen backup tapes is, indeed, low. "The potential gain from almost 5 million records to data mine and sell might be motive enough" for someone to take all the necessary steps to access the data, she says.

Borten notes that more healthcare organizations are dropping the use of tapes and other physical media for backup purposes, shifting to an Internet-based, or cloud computing, backup storage model. "Of course, there are security risks either way," she notes. But by using the Internet, "there are no more tapes to get lost or stolen."

All healthcare organizations that use backup tapes must take adequate steps to protect the tapes, says Adam Greene, a former official at the Department of Health and Human Services' Office for Civil Rights, which enforces the breach notification rule. "In general, it's important for HIPAA covered entities to ensure that backup tapes are included in their risk analysis and risk management plan," says Greene, a partner at the law firm Davis Wright Tremaine LLP. "If encryption is not feasible, covered entities should focus on strong administrative and physical safeguards, such as clear procedures that ensure that backup tapes are locked up at all times."

Greene notes that when business associates maintain backup tapes, healthcare organizations need to thoroughly investigate how the tapes are safeguarded to help avert large potential breaches.


About the Author

Howard Anderson

Howard Anderson

News Editor, ISMG

Howard J. Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 34 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.




Around the Network