Members of Congress want answers from TRICARE Management on SAIC breach

Five members of the House of Representatives have sent a letter to TRICARE Management Activity concerning the recent SAIC breach that affected over 4.9 million members of the military and their dependents. In a series of questions, the legislators ask for details as to TRICARE’s policies and, in particular, any policies or contracts it had for SAIC. Noting that SAIC had experienced at least six prior breaches, they also ask what steps TMA took since these breaches and what steps it will take to prevent future incidents. Actually, this is a killer letter that I encourage you to read in its entirety. Kudos to Reps. Markey, Barton, DeGette, Stearns, and Andrews for asking the right questions – including why TMA continued and continues to deal with SAIC in light of its track record. I can’t wait to see the answers, which they’ve requested be provided by February 22.

In a press release today, Deborah Peel, M.D., of Patient Privacy Rights, said:

The fact that SAIC has continued to get billions in funds from the federal government despite repeated breaches of sensitive health information shows also that the federal process of awarding, monitoring and auditing, and assuring performance of billion-dollar contracts needs investigation. Providers, healthcare organizations, and technology companies that do not use state-of-the-art data security for health information should not be allowed to work in the healthcare field. If you are unwilling to protect patient data, you don’t belong in healthcare.

TRICARE discloses SAIC breach: stolen backup tapes held data on 4.9 million (updated)

TRICARE, the health care program serving Uniformed Service members, retirees and their families worldwide, issued the following public statement on their web site:

STATEMENT

On September 14, 2011, Science Applications International Corporation (SAIC) reported a data breach involving personally identifiable and protected health information (PII/PHI) impacting an estimated 4.9 million military clinic and hospital patients. The information was contained on backup tapes from an electronic health care record used in the military health system (MHS) to capture patient data from 1992 through September 7, 2011, and may include Social Security numbers, addresses and phone numbers, and some personal health data such as clinical notes, laboratory tests and prescriptions. There is no financial data, such as credit card or bank account information, on the backup tapes.

The risk of harm to patients is judged to be low despite the data elements involved since retrieving the data on the tapes would require knowledge of and access to specific hardware and software and knowledge of the system and data structure. The incident is being investigated and additional information will be published as soon as it is available. Meanwhile, both SAIC and TRICARE Management Activity (TMA) are reviewing current data protection security policies and procedures to prevent similar breaches in the future.

Anyone who suspects that they were impacted by this incident is urged to take steps to protect their personal information and should be guided by the Federal Trade Commission at: http://www.ftc.gov/bcp/edu/microsites/idtheft/consumers/defend.html. Concerned patients may contact the SAIC Incident Response Call Center, Monday through Friday from 9 a.m. to 6 p.m. Eastern Time at the following numbers:

United States, call toll free: (855) 366-0140
International, call collect: (952) 556-8312

Questions & Answers

Q. Whose personal information was at risk of compromise?
A. Approximately 4.9 million patients who received care from 1992 through September 7, 2011 in the San Antonio area military treatment facilities (MTFs) (including the filling of pharmacy prescriptions) and others whose laboratory workups were processed in these same MTFs even though the patients were receiving treatment elsewhere.

Q. What type of information was lost?
A. The PII/PHI data elements involved include, but are not limited to names, Social Security numbers, addresses, diagnoses, treatment information, provider names, provider locations and other patient data, but do not include any financial data, such as credit card or bank account information.

Q. Can just anyone access this data?
A. No. Retrieving the data on the tapes requires knowledge of and access to specific hardware and software and knowledge of the system and data structure.

Q. Why have almost 2 weeks passed before this notification was posted?
A. The exact circumstances surrounding this data loss remain the subject of an ongoing investigation. We did not want to raise undue alarm in our beneficiaries and so wanted to determine the degree of risk this data loss represented before making notifications.

Q. What is TRICARE doing to protect affected beneficiaries following the loss of this information?
A. TRICARE and SAIC are working together to identify as quickly as possible all beneficiaries whose information may have been involved in the breach and notify as appropriate.

Q. What should affected beneficiaries do to protect themselves?
A. Beneficiaries can monitor their credit and place a free fraud alert on their credit for a period of 90 days using the Federal Trade Commission (FTC) web site. The FTC site also provides other valuable information regarding actions that can be taken now or in the future, should any problems develop. This information is available at: http://www.ftc.gov/bcp/edu/microsites/idtheft/consumers/defend.html

Q. How can affected beneficiaries get more information?
A. Beneficiaries can call the SAIC Incident Response Call Center, Monday through Friday from 9 a.m. to 6 p.m. Eastern Time at the following numbers:

United States, call toll free: (855) 366-0140
International, call collect: (952) 556-8312

Notice that they haven’t told us the nature of the breach, but Sig Christenson of MySanAntonio.com reports that a SAIC spokesperson indicated the breach “consisted of the loss of storage media, not an electronic breach. There was a loss of magnetic storage media.” “Loss” as in, “we lost it” or as in “loss due to theft?” It would be nice to have some clarification on that. The fact that it was reported to the police as soon as the loss was discovered leads me to think this may have involved theft, but we’ll find out eventually.

[UPDATE: the tapes were stolen from an unattended car.]

SAIC has been involved in previous breaches affecting large numbers of individuals. Some breach-related news on SAIC prior to 2009 can be found on archive.pogowasright.org while a 2010 incident involving stolen backup tapes was reported to the Maryland Attorney General’s Office.

Malware blamed in latest SAIC breach

Science Applications International Corporation (“SAIC”), recipient of a number of large government contracts, notified the New Hampshire Attorney General on December 9th of a security breach involving malware. The specific malware was not named, but was described as “designed to provide backdoor access.” The breach was detected on October 28th. In its letter to an unspecified number of affected individuals, SAIC wrote:

This letter is to notify you of a potential compromise of your personal information, including your name and social security number, date of birth, home address, home phone number and clearance level and possibly other personal information necessary to complete government security clearance questionnaires (e.g., SF-85P or SF-86). We collected this information from you to provide it to the U.S. Government either to enable you to visit a government facility or to assist you in obtaining or updating your government clearance.

Passaic Housing Authority battles employee over data breach, rules on rent hikes

Nicholas Katzban reports: An internal investigation by the Passaic Housing Authority has named employee Linda Colon as the suspected source of last month’s data breach, which the authority said compromised the personal information of 50 to 60 public housing residents. But Colon has not been charged with any crime, and says the documents involved in the alleged leak are evidence in her lawsuit against the Housing Authority. She claims the authority failed to notify residents of rent increases in a timely manner, violating internal regulations and rules of the Department of Housing and Urban Development. Read more on NorthJersey.com.

OR: Mosaic Medical notifies patients of breach

Mosaic Medical is notifying patients of a breach after an office burglary, even though they have no evidence anything was actually stolen. Here is their statement, as posted by KTVZ:

On the morning of Thursday, January 15, 2015 we discovered that an overnight break-in had occurred at the Health Information Technology (HIT) department. At the time the department was located in a temporary administrative office in Bend. There was nothing stolen from the office, and there was no breach of our electronic medical records system. There is no evidence that anything in the office was disturbed. However, we cannot say with certainty that no medical records were accessed. The personal information that was possibly accessed was on paper documents within the office and included health information, medical insurance information, phone number, and e-mail addresses. A report was filed with the Bend Police Department and they have investigated the break-in.

Mosaic Medical has notified all affected patients via first class mail and has encouraged those patients to monitor their credit report periodically. As a result of the possible breach, Mosaic Medical has taken steps to further improve the security of its operations and eliminate future risk, including moving our HIT department to a more secure office space. Mosaic Medical has trained staff available for patients to call with any questions related to this possible breach. Patients may call 1-844-625-6997 between 8:00 AM and 5:00 PM or send an e-mail to [email protected]

“We understand the importance of safeguarding our patients’ personal information and take that responsibility very seriously,” said Mosaic Medical Chief Operating Officer, Allison McCormick. She continues, “We will do all we can to work with our patients whose personal information may have been compromised. We regret that this incident occurred, and we are committed to preventing future occurrences”.
According to their notification to HHS, 2,207 patients were notified.

Court dismisses most of lawsuit over 2011 TRICARE/SAIC data breach

Andrew Scurria reports the latest on a lawsuit stemming from one of the biggest breaches ever involving PHI – the theft of backup tapes from SAIC from an employee’s unattended vehicle in 2011.

A D.C. federal judge on Friday gutted a wide-ranging multidistrict case seeking damages from the U.S. Department of Defense and security contractor Science Applications International Corp. for a data breach that affected 4.9 million military health care beneficiaries, finding scant evidence of harm from the loss of their medical files.

Read more on Law360.com (subscription required).

Don’t have a subscription to Law360? Neither do I, so I downloaded the memorandum opinion from PACER and have uploaded it here. From a quick skim, it looks like Clapper has reared its ugly head again, i.e., an increased risk of future harm is not sufficient to confer standing if there’s no demonstration of more immediately impending harm. To the contrary, the court notes that based on average statistics, one might expect a certain number of fraud reports related to the breach, but that after 34 months post-incident, that has not been the case:

After all, as previously noted, roughly 3.3% of Americans will experience identity theft of some form, regardless of the source. See Finklea, Identity Theft: Trends and Issues, supra, at 1. So one would expect 3.3% of TRICARE’s customers to experience some type of identity theft, even if the tapes were never read or misused. To quantify that percentage, of the 4.7 million customers whose data was on the tapes, one would expect around 155,100 of them to experience identity fraud simply by virtue of living in America and engaging in commerce, even if the tapes had not been lost. Here, only six Plaintiffs allege some form of identity theft, and out of those six only Curtis offers any plausible link to the tapes. And Yarde is the only other Plaintiff – out of a population of 4.7 million – who has offered any evidence that someone may have accessed her medical or personal information. Given those numbers, it would be entirely implausible to assume that a massive identity-theft scheme is currently in progress or is certainly impending. Indeed, given that thirty-four months have elapsed, either the malefactors are extraordinarily patient or no mining of the tapes has occurred. This is simply not a case where hundreds or thousands of instances of fraud have been linked to the data breach. See, e.g., Anderson, 659 F.3d at 162-67. Rather, as far as the Court is aware, only six instances of fraud have been reported, and only two customers can plausibly link either identity theft or privacy violations to the tapes’ loss. As such, only those two Plaintiffs whose harm is plausibly linked to the breach may move forward with their claims.

There’s much more to the memorandum opinion, of course, but it will have to wait until I get more coffee. For now, the most important point, I think, is that a government contractor whose employee left backup tapes with PHI on almost 5 million TRICARE members in an unattended car will likely escape the pain of any large civil judgment in the courts. I wonder what, if anything, OCR is doing about this matter. A check of their public breach tool shows no summary for this breach, which they’ve told me in the past means that any investigation or case is still open. For my money, this would be a good one for them to come down on with a stiff monetary penalty.

Additional coverage on this blog of SAIC breaches is linked from here.

Update to the SAIC/TRICARE breach

From TRICARE:

Letters are being mailed from Science Applications International Corporation (SAIC) to affected military clinic and hospital patients regarding a data breach involving personally identifiable and protected health information (PII/PHI). On Sept. 14, 2011, SAIC reported the loss of backup tapes containing electronic health care records used in the military health system (MHS) to capture patient data from 1992 through Sept. 7, 2011 in San Antonio area military treatment facilities (MTFs), including filling pharmacy prescriptions and other patients whose laboratory workups were processed in these same MTFs, even if the patients were receiving treatment elsewhere. The data may include Social Security numbers, addresses and phone numbers, and some personal health data such as clinical notes, laboratory tests and prescriptions. There is no financial data, such as credit card or bank account information, on the backup tapes.

The risk of harm to patients is judged to be low since retrieving the data on the tapes would require knowledge of, and access to, specific hardware and software and knowledge of the system and data structure. As a precaution, the Assistant Secretary of Defense (Health Affairs) determined that SAIC should notify potentially impacted persons or households of this incident by letter. As directed by TRICARE Management Activity (TMA), SAIC will provide credit monitoring and credit restoration services for one year for patients requesting them. The credit restoration services being provided exceed current industry standards for responding to a data breach.

Read more on TRICARE. Thanks to @jslarve for pointing out this update to me.

(update) On second thought…. SAIC offers free credit monitoring after breach

TRICARE, the military health program, has directed its business associate, Science Applications International Corp., to offer one year’s worth of free credit monitoring and restoration services to the 4.9 million beneficiaries affected by a recent breach. Earlier, TRICARE had announced that it would not offer credit monitoring services, citing the minimal risk involved in the breach, which involved backup tapes stolen from an SAIC employee’s car. Read more on GovInfoSecurity.com