TRICARE Breach Potentially Puts 4.9 Million Individuals at Risk
A massive data breach that could potentially affect 4.9 million individuals who received services from TRICARE, a provider of health care services to active and retired military personnel, was disclosed this week.
According to a statement from TRICARE, on September 14, 2011, Science Applications International Corporation, a third-party technology contractor, reported the data breach that occurred as a result of lost backup tapes. The tapes were apparently lost during a transfer between Federal facilities and San Antonio, Texas.
A representative from SAIC’s Incident Response Call Center told SecurityWeek that the data on the tapes was encrypted, but I’m not convinced that is the case. In a public statement announcing the breach, the company said, “The risk of harm to patients is judged to be low despite the data elements involved since retrieving the data on the tapes would require knowledge of and access to specific hardware and software and knowledge of the system and data structure.” This statement is far from convincing that the risk level is low, and knowledge of specific hardware and software typically doesn’t matter much when it comes to encryption. If the data had been encrypted, one would think they would explicitly say so in the statement. Also, it’s typically not required to disclose an incident like this if the media had been properly encrypted.
Either way, this incident will cost TRICARE big money.
The information contained on the lost backup tapes included data from patients who received care in San Antonio area military treatment facilities from 1992 through September 7, 2011, and may include Social Security numbers, addresses and phone numbers, and some personal health data such as clinical notes, laboratory tests and prescriptions.
According to TRICARE, no financial data, such as credit card or bank account information, was stored on the backup tapes.
According to Howard Anderson at HealthCareInfoSecurity.Com, this could be the largest health information breach reported since the HIPAA breach notification rule took effect in September of 2009.