Risk to Patients from Data Breach Met with Proactive Response

2011-11-05

A loss of computer tapes by Science Applications International Corporation (SAIC) may have placed TRICARE patient data at risk. There is no evidence that any of the data has actually been accessed by a third party, and analysis shows the chance any data was actually compromised is low, but proactive measures are being taken to ensure that potentially affected patients are kept informed and protected.

SAIC is a contractor for the TRICARE Management Activity. On September 14, TMA learned that an SAIC employee reported that on September 12 computer tapes containing personally identifiable and protected health information (PII/PHI) of 4.9 million military clinic and hospital patients in Texas, or those patients who had laboratory exams sent to the military hospitals in Texas, were stolen. The data contained on the tapes may include names, Social Security numbers, addresses and phone numbers, and some personal health data such as clinical notes, laboratory tests and prescriptions. There is no financial data, such as credit card or bank account information, on the backup tapes.

“We take this incident very seriously,” said Brigadier General W. Bryan Gamble, TMA deputy director. “The risk to our patients is low, but the Department of Defense is taking steps to keep affected patients informed and protected.”

TMA has directed SAIC to provide one year of credit monitoring and restoration services to patients who express concern about their credit. SAIC will also conduct analysis of all available data to help TMA determine if identity theft occurs due to the data breach.

“These measures exceed the industry standard to protect against the risk of identity theft,” Gamble said. “We take very seriously our responsibility to offer patients peace of mind that their credit and quality of life will be unaffected by this breach.”

The risk of harm is judged to be low despite the sensitive data involved. Retrieving data from the tapes requires knowledge of and access to specific hardware and software and knowledge of the system and data structure.

source: TRICARE