TRICARE Breach Notification in Works

4.9 Million to Get Notice in the Mail
All 4.9 million TRICARE military health plan beneficiaries who were affected by a recent data breach will be notified by mail, but they won't be offered free credit monitoring services. The breach is the largest reported since the HIPAA breach notification rule, mandated under the HITECH Act, took effect in September 2009.

The Defense Department's TRICARE healthcare program, which serves active-duty troops and their dependents, as well as military retirees, said one of its business associates, Science Applications International Corp., reported the breach Sept. 14. Backup tapes were stolen Sept. 13 from the car of an SAIC employee that was parked outside an SAIC facility in San Antonio.

Information on the breached tapes about patients treated in San Antonio-area military facilities may have included Social Security numbers, names, addresses, phone numbers and some personal health data, such as clinical notes, lab tests and prescriptions, TRICARE reported. The tapes did not contain any financial data.

An SAIC spokesman acknowledged Oct. 5 that the company would pay all of the costs involved in the breach notification effort.

In comments added this week to a website statement about the breach, TRICARE said that all 4.9 million beneficiaries affected will be notified by mail over the next four to six weeks. But no one affected, even those whose Social Security numbers were on the tapes, will be offered free credit monitoring or credit restoration services, according to the statement.

"Reading the tapes takes special machinery," the statement noted. "Moreover, it takes a highly skilled individual to interpret the data on the tapes. Since we do not believe the tapes were taken with malicious intent, we believe the risk to beneficiaries is low. Nevertheless, the tapes are missing, and, given the totality of the circumstances, we determined that individual notification was required in accordance with Department of Defense guidance."

The statement also noted TRICARE "has no conclusive evidence that indicates beneficiaries are at risk of identity theft." But it encourages those affected by the breach to monitor their credit and place a free fraud alert on the Federal Trade Commission website.

Security Review

SAIC and TRICARE are "reviewing current data protection security policies and procedures to prevent similar breaches in the future," the statement noted.

An SAIC spokesman said last week: "Some personal information was encrypted prior to being backed up on the tapes. However, the operating system used by the government facility to perform the backup onto the tape was not capable of encrypting data in a manner that was compliant with a particular federal standard. The government facility was seeking a compliant encryption solution that would work with the operating system when the backup tapes were taken."

According to a San Antonio Police report, the car burglary occurred Sept. 13, between 7:53 a.m. and 4:30 p.m., in the parking lot of a local SAIC facility. The report, filed Sept. 14, said entry to the car was gained by breaking a vent window. Also taken in the break-in, according to the report, were a radio/CD player and a GPS unit.

The SAIC employee was responsible for transporting the tapes between federal facilities in San Antonio, an SAIC spokesman said last week. A TRICARE spokesman said the military health program hired SAIC to handle "the storage of some TRICARE health information. That contract continues."

SAIC is working with the local police department, Defense Criminal Investigative Services and a private investigator to attempt to recover the tapes, the SAIC spokesman said. "There is no indication that the data has been accessed by unauthorized persons," he added.

What's the Risk?

Security consultant Kate Borten questioned last week whether the risk of someone accessing the data on the stolen backup tapes is, indeed, low. "The potential gain from almost 5 million records to data mine and sell might be motive enough" for someone to take all the necessary steps to access the data, she said.

Another security consultant, Rebecca Herold, said encryption is the best way to help ensure data on backup tapes cannot be accessed. "I still hear far too many people say, 'Bah, that's not necessary. Who's going to have any type of equipment to actually read the tapes?' Well, guess what, you can check eBay, Craig's List and other online shops and find such equipment," Herold said. "Plus, there are services out there that will convert the data on such tapes to other types of digital storage for basically anyone who asks."

About the Author

Howard Anderson

News Editor, ISMG

Howard J. Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 34 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
