The SAIC TRICARE breach

Although there are so many data breaches that expose 1 million records that such breaches really aren't big news any more, a breach that exposes almost 5 million records still makes the news, and that's roughly how big the recent breach at the TRICARE (US military health care) facility in San Antonio, Texas, run by SAIC was.

From the official announcement (PDF) of the breach:

On September 14, 2011, Science Applications International Corporation (SAIC) reported a data breach involving personally identifiable and protected health information (PII/PHI) impacting an estimated 4.9 million military clinic and hospital patients. The information was contained on backup tapes from an electronic health care record used in the military health system (MHS) to capture patient data from 1992 through September 7, 2011, and may include Social Security numbers, addresses and phone numbers, and some personal health data such as clinical notes, laboratory tests and prescriptions. There is no financial data, such as credit card or bank account information, on the backup tapes.

The risk of harm to patients is judged to be low despite the data elements involved since retrieving the data on the tapes would require knowledge of and access to specific hardware and software and knowledge of the system and data structure. Considering the totality of the circumstances, we determined that potentially impacted persons or households will be notified of this incident via letter. We regret that the information required to initiate notification is not available at this time, but we will ensure that it is done in an accurate and timely manner and in compliance with all applicable DoD guidelines. Due to the large volume of individuals potentially impacted by this incident, we anticipate that individual notification will take at least 4-6 weeks; therefore, this notice is being posted in the interim. The incident continues to be investigated and additional information will be published as soon as it is available. Meanwhile, both SAIC and TRICARE Management Activity (TMA) are reviewing current data protection security policies and procedures to prevent similar breaches in the future.

It's not clear from the official announcement, but other reports have stated that the cause of this particular breach was a burglary of a car that contained a tape that was being carried from one government facility to another one. And it's not clear why the car containing the stolen tape was left unattended.

Data breaches of health care information may be some of the worst because it's impossible to undo the damage that the loss of privacy that they can cause. If your credit card number is comprimised it's easy enough to cancel the old card and get a new one issued. It's even possible to do that with Social Security numbers, even though the government doesn't like to do it. But it's essentially impossible to handle the exposure of sensitive health records in any way.

Leave a Reply

Your email address will not be published. Required fields are marked *