Congress critical of TRICARE’s response; requests detailed answers while criticizing TRICARE and SAIC
Cross-posted from phiprivacy.net:
At least some members of Congress are not happy with the response to a letter they sent TRICARE following the theft of backup tapes from the unattended vehicle of an employee of their contractor, SAIC. The tapes contained information on approximately 5 million military beneficiaries and their dependents.
Although TRICARE’s response was not disclosed publicly, Rep. Ed Markey and colleagues from the bipartisan privacy caucus quoted portions of the response in a follow-up letter they sent to TRICARE on May 7.
Citing SAIC’s “history of serious security failures,” the members note that “it is disturbing that TRICARE engaged this contractor for such sensitive work.” They also note that it was not clear from TRICARE’s response whether TRICARE actually spot-checked SAIC or verified that it was implementing its Business Associate Agreement.
The members also criticized TRICARE for failure to deploy encryption even after this latest breach and for continuing to use unsafe methods of physically transmitting data instead of switching to secure virtual private networks. Although VPN is reportedly under consideration by TRICARE, no decision has as yet been made.
The congressmen called on TRICARE to provide more details about their security measures and to deploy encryption and better security measures to protect data. They also point out that at least some people have been paying for medical identity protection out of pocket because TRICARE and SAIC refused to provide such coverage.
Related: 5-7-12 Response to TRICARE (pdf)