CYBEREYE

Tricare's slow response to massive data loss could raise the risk

The theft last month of backup computer tapes containing the medical records of nearly 5 million military personnel was not reported to the public for more than two weeks, and active and retired personnel will have to wait another four to six weeks before finding out if their records are at risk.

The Tricare Management Activity, which runs the Defense Department health care program for millions of active-duty, reserve and retired military members, their dependents and survivors, said it waited because “we did not want to raise undue alarm in our beneficiaries.”

Not to worry (unduly), however. Tricare said in its Sept. 30 public statement (PDF) that, “since we don’t not believe the tapes were taken with malicious intent, we believe the risk to beneficiaries is low.”


Related story:

How to prevent data breaches -- and respond after they occur anyway


Not taken with malicious intent? Must have been the work of a modern-day Robin Hood, stealing from the data-rich and giving to the data-poor.

In its own defense, Tricare says that the data on the stolen tapes is not easy to read. Not, apparently, because it was encrypted, but because it is written in government-ese that is so complex no sane person can get through it. Really good government-ese ranks right up there with AES 256 encryption as a way to protect data.

The theft is believed to have occurred Sept. 13, when the tapes were taken from the care of an employee of Tricare contractor Science Applications International Corp., along with a stereo and a Global Positioning System device. It was reported to Tricare the next day, and Tricare posted its notice Sept. 30.

Tapes contained data on about 4.9 million patients who received care or had laboratory work processed in the San Antonio-area military treatment facilities from 1992 through Sept. 7 of this year. Data on the tapes includes names, Social Security numbers, addresses, diagnoses, treatment information, provider names and locations, and other patient data, but not financial data.

So far this year, the Privacy Rights Clearinghouse has listed 429 breaches of personal information, the largest by far being the Sony PlayStation breach of more than 100 million records. The Tricare breach is the largest government breach this year, although because the data was stolen from an SAIC employee it is not listed among the nearly 4 million government records breached in 2011.

I can understand Tricare’s thinking in deciding the risk of exposure of data probably was small. If the thief also took a stereo and GPS device, it looks like a crime of opportunity and not someone targeting this data. And reading it apparently is not as simple as putting a USB drive in your PC and opening a file.

“Retrieving the data on the tapes requires knowledge of and access to specific hardware and software and knowledge of the system and data structure,” Tricare said in the statement.

Still, assuming the theft of the data was done without malicious intent and that the likelihood of someone accessing and exploiting it is low is awfully risky. Although Tricare doesn’t say it, it apparently kept quiet about the data because officials didn’t want to tip off a low-grade thief about the value of his swag while the cops were looking for him.

But to leave this data unencrypted in the first place and then to sit on the information for two weeks has put sensitive information about millions of persons at even greater risk.



About the Author

William Jackson is freelance writer and the author of the CyberEye blog.

Reader Comments

Mon, Oct 17, 2011

Still waiting for TRICARE to notify me! Thanks for the heads up in this article... Glad I have my credit frozen already...

Mon, Oct 17, 2011

Sounds like the SAI employee had the tapes laying in plain view in his/her POV. A crime of opportunity - most likely, but non the less it shows a disregard for procedures and accountability. If the tapes were in fact in a POV, why were they not placed in the trunk or locked out of sight? Was lunch, an errand, or side trip that important.

Mon, Oct 17, 2011 amused

"the tapes were taken from the care of an employee of Tricare contractor Science Applications International Corp., along with a stereo and a Global Positioning System device. SAIC knows better, what about their policies on transport, access, safeguarding, etc., that they probably have in place. We will have a hard time protecting our Personal Information (PI) if we can't rely on the people we hire, and have no oversight on. Hmmm, who is really at fault here. signed, a Fed

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above