TRICARE HEALTH RECORD SECURITY BREACH

WERE YOUR FILES HACKED? CLICK FOR THE PDF

Gee, didn’t see this one coming did we? (Sorry, it’s a rhetorical question.) This is just a small sample of what will happen to everyone, eventually. As much as I would like to single out the government and blame them for this breach, in reality I can’t. As long as medical service providers, insurance companies and any other entities dealing with confidential patient information are hooked into the web, this is going to be an ongoing threat for everyone. I do find it interesting that in this case it is Tricare because it really doesn’t surprise me that it would get hit. After all, how much confidence do you have in an insurance provider that has a congressional liaison office? It is because of the inherent problems with Tricare and its lack of quality service that some people get. I know many people who have nightmare stories about their experiences with it. Here is the information:

STATEMENT

On September 14, 2011, Science Applications International Corporation (SAIC) reported a data breach involving personally identifiable and protected health information (PII/PHI) impacting an estimated 4.9 million military clinic and hospital patients. The information was contained on backup tapes from an electronic health care record used in the military health system (MHS) to capture patient data from 1992 through September 7, 2011, and may include Social Security numbers, addresses and phone numbers, and some personal health data such as clinical notes, laboratory tests and prescriptions. There is no financial data, such as credit card or bank account information, on the backup tapes.

The risk of harm to patients is judged to be low despite the data elements involved since retrieving the data on the tapes would require knowledge of and access to specific hardware and software and knowledge of the system and data structure. Considering the totality of the circumstances, we determined that potentially impacted persons or households will be notified of this incident via letter. We regret that the information required to initiate notification is not available at this time, but we will ensure that it is done in an accurate and timely manner and in compliance with all applicable DoD guidelines. Due to the large volume of individuals potentially impacted by this incident, we anticipate that individual notification will take at least 4-6 weeks; therefore, this notice is being posted in the interim. The incident continues to be investigated and additional information will be published as soon as it is available. Meanwhile, both SAIC and TRICARE Management Activity (TMA) are reviewing current data protection security policies and procedures to prevent similar breaches in the future.

Anyone who suspects that they were impacted by this incident is urged to take steps to protect their personal information and should be guided by the Federal Trade Commission at: http://www.ftc.gov/bcp/edu/microsites/idtheft/consumers/defend.html.

Concerned patients may contact the SAIC Incident Response Call Center, Monday through Friday from 9 a.m. to 6 p.m. Eastern Time at the following numbers:

United States, call toll free: (855) 366-0140

International, call collect: (952) 556-8312

Questions & Answers

Q. Whose personal information was at risk of compromise?

A. Approximately 4.9 million patients who received care from 1992 through September 7, 2011 in the San Antonio area military treatment facilities (MTFs) (including the filling of pharmacy prescriptions) and others whose laboratory workups were processed in these same MTFs even though the patients were receiving treatment elsewhere.

Q. What type of information was lost?

A. The PII/PHI data elements involved include, but are not limited to names, Social Security numbers, addresses, diagnoses, treatment information, provider names, provider locations and other patient data, but do not include any financial data, such as credit card or bank account information.

Q. Can just anyone access this data?

A. No. Retrieving the data on the tapes requires knowledge of and access to specific hardware and software and knowledge of the system and data structure.

Q. Why have more than two weeks passed before this notification was posted?

A. The exact circumstance surrounding this data loss remains the subject of an ongoing investigation. We did not want to raise undue alarm in our beneficiaries and so wanted to determine the degree of risk this data loss represented before making notifications.

Q. Will you be notifying beneficiaries?

A. After careful deliberation, we have decided that we will notify all affected beneficiaries. We did not come to this decision lightly. We used a standard matrix to determine the level of risk that is associated with the loss of these tapes. Reading the tapes takes special machinery. Moreover, it takes a highly skilled individual to interpret the data on the tapes. Since we do not believe the tapes were taken with malicious intent, we believe the risk to beneficiaries is low. Nevertheless, the tapes are missing and given the totality of the circumstances, we determined that individual notification was required in accordance with DoD guidance.

TRICARE and SAIC are working together to identify as quickly as possible all beneficiaries whose information may have been involved in the breach. Because of the databases involved, we expect to be able to send individual notifications within the next 6 weeks. In the interim, we are posting this general announcement so that our beneficiaries are aware of the situation.

Q. What should affected beneficiaries do to protect themselves?

A. Beneficiaries can monitor their credit and place a free fraud alert on their credit for a period of 90 days using the Federal Trade Commission (FTC) web site. The FTC site also provides other valuable information regarding actions that can be taken now or in the future, should any problems develop. This information is available at: http://www.ftc.gov/bcp/edu/microsites/idtheft/consumers/defend.html

Q. Will credit monitoring and restoration services be provided to protect affected individuals against possible identity theft? If no, why not?

A. No. The risk of harm to patients is judged to be low despite the data elements involved. Retrieving the data on the tapes would require knowledge of and access to specific hardware and software and knowledge of the system and data structure. To date, we have no conclusive evidence that indicates beneficiaries are at risk of identity theft, but all are encouraged to monitor their credit and place a free fraud alert on their credit for a period of 90 days using the Federal Trade Commission (FTC) web site.

Q. How can affected beneficiaries get more information?

A. Beneficiaries can call the SAIC Incident Response Call Center, Monday through Friday from 9 a.m. to 6 p.m. Eastern Time at the following numbers:

United States, call toll free: (855) 366-0140

International, call collect: (952) 556-8312
