TRICARE Management Activity, the health care program for military personnel worldwide, reported last week a massive data breach involving the personal and medical records of 4.9 million active and retired military personnel and their families. The backup computer tapes, stolen from a contractor's automobile, included records from a military health system that captured patient data from 1992 to September 7, 2011. The lost/stolen information included:
"... Social Security numbers, addresses and phone numbers, and some personal health data such as clinical notes, laboratory tests and prescriptions. There is no financial data, such as credit card or bank account information..."
In its press release, TRICARE stated that it will take about four to six weeks to notify directly all breach victims. A breach investigation is underway. The contractor company is Science Applications International Corporation (SAIC). SAIC is operating an Incident Response Call Center, which breach victims can call. Breach victims should monitor their credit reports, and report any fraud to the U.S. Federal Trade Commission and to local law enforcement.
While TRICARE estimated the risk to breach victims as low, and stated in its press release that special computer hardware and software are required to access the data on the backup tapes. Based on this estimate, TRICARE is not offering breach victims complimentary credit monitoring or credit resolution services. In my opinion, that is unacceptable and not the way to support the troops. It places the burden on troops who are busy defending the country, often at risk of life. It is a time consuming and burdensome process to fix medical records that co-mingle both the victim's and the fraudster's health history. TRICARE and SAIC are responsible for maintaining adequate data security, and should do the right thing: provide free credit monitoring and credit resolution for two to five years to breach victims.
If there is one thing I have learned while writing this blog is that identity thieves and fraudsters are persistent, and often have access to the same computing resources that everyone else has. Simply, it may take time for the criminals to access the stolen data, and the criminals have the time. The value of the stolen data is unquestionable, and is sufficient for identity thieves to obtain medical care fraudulently, assume others' identities, and/or reuse the Social Security numbers for other identity fraud acts or fraudulent employment.
SAIC describes itself as:
"... a FORTUNE 500® scientific, engineering, and technology applications company that uses its deep domain knowledge to solve problems of vital importance to the nation and the world, in national security, energy and the environment, critical infrastructure, and health. We do this with the constant and deliberate commitment to ethical performance and integrity that has marked SAIC since its founding."
Refusing to help breach victims by avoiding to pay for credit monitoring and resolution services does not demonstrate any type of "commitment to ethical performance" or problem solving. Rather, it is hoping the problem will simply go away, and leaves the breach victims with the monitoring and cleanup burden. To use an American football analogy, TRICARE and SAIC have simply punted the football.
Interested military personnel and families should read the TRICARE press release with accompanying questions and answers (PDF).
If you agree and believe that both TRICARE and SAIC should do more, share your opinions below and at: