Most people would agree that personal information, particularly health information, especially that pertaining to the brave men and women who serve in our armed forces, should be treated with care and protected from prying eyes at all times. But what should happen if this information is compromised? Surely we should do whatever we can to make sure no harm results. But consider what is happening right now with Tricare, the managed care arm of the U.S. government's Military Health System. As reported yesterday by Neil Versel in InformationWeek, Tricare appears to be under-playing the seriousness of someone stealing backup tapes containing medical records pertaining to 4.9 million people treated at military hospitals, clinics, and pharmacies.
Apparently, Tricare has so far declined to provide the victims of this security breach, many of them present or former members of the military, with any private credit monitoring services. A Tricare notice stated: "The risk of harm to patients is judged to be low despite the data elements involved." (One really has to wonder who the judge was because it's hard to see how an experienced information security professional could come to that conclusion.)
Instead of paying for a year of credit monitoring for people whose records were exposed, as we have seen in other healthcare data breaches, Tricare is currently directing victims to an FTC site where they can place a free, 90-day fraud alert on their personal credit ratings. I say “currently” because sometimes it can take a while for an organization to realize what the right response to a security breach of this magnitude should be; in other words, there is still time for Tricare to change its mind and do the right thing for the people put at risk by this incident.
Not that this is a new problem for Tricare. Back in 2002 there was a theft of military healthcare data from TriWest Healthcare Alliance (TriWest) which operates the Tricare provider network in many western states. Here are some details from a report in the Arizona Republic on January 30, 2003:
“TriWest Healthcare Alliance has been hit with a class-action lawsuit for negligence by customers whose identity information was stolen last month in a heist of computer data from the Phoenix-based defense contractor….They seek unspecified monetary damages for alleged negligence, breach of contract and violations of the federal Privacy Act….The company's offices were invaded Dec. 14 by thieves who made off with laptop computers containing files on 562,000 military personnel, retirees and family members who have health care through the company. The data included Social Security numbers, birth dates, duty stations, medical records and other information….on active military personnel who could be called to fight in a war against Iraq. Some members of the armed forces have fretted that enemies or terrorists might obtain information and use it against American troops or their families.”
I happen to know about the 2002 TriWest incident because I was tapped as an expert witness by the law firm that represented the service members. TriWest fought that case and, to the best of my knowledge, did not pay any compensation or provide any credit monitoring. However, if you know different, or have any experience with this or any other military health care data breaches, please feel free to comment and let us know.
Author: Stephen Cobb, ESET