Tricare's slow response to massive data loss could raise the risk
The theft last month of backup computer tapes containing the medical records of nearly 5 million military personnel was not reported to the public for more than two weeks, and active and retired personnel will have to wait another four to six weeks before finding out if their records are at risk.
The Tricare Management Activity, which runs the Defense Department health care program for millions of active-duty, reserve and retired military members, their dependents and survivors, said it waited because “we did not want to raise undue alarm in our beneficiaries.”
Not to worry (unduly), however. Tricare said in its Sept. 30 public statement (PDF) that, “since we do not believe the tapes were taken with malicious intent, we believe the risk to beneficiaries is low.”
Not taken with malicious intent? Must have been the work of a modern-day Robin Hood, stealing from the data-rich and giving to the data-poor.
In its own defense, Tricare says that the data on the stolen tapes is not easy to read. Not, apparently, because it was encrypted, but because it is written in government-ese that is so complex no sane person can get through it. Really good government-ese ranks right up there with AES 256 encryption as a way to protect data.
The theft is believed to have occurred Sept. 13, when the tapes were taken from the care of an employee of Tricare contractor Science Applications International Corp., along with a stereo and a Global Positioning System device. It was reported to Tricare the next day, and Tricare posted its notice Sept. 30.
The tapes contained data on about 4.9 million patients who received care or had laboratory work processed in the San Antonio-area military treatment facilities from 1992 through Sept. 7 of this year. Data on the tapes includes names, Social Security numbers, addresses, diagnoses, treatment information, provider names and locations, and other patient data, but not financial data.
So far this year, the Privacy Rights Clearinghouse has listed 429 breaches of personal information, the largest by far being the Sony PlayStation breach of more than 100 million records. The Tricare breach is the largest government breach this year, although because the data was stolen from an SAIC employee it is not listed among the nearly 4 million government records breached in 2011.
I can understand Tricare’s thinking in deciding the risk of exposure of data probably was small. If the thief also took a stereo and GPS device, it looks like a crime of opportunity and not someone targeting this data. And reading it apparently is not as simple as putting a USB drive in your PC and opening a file.
“Retrieving the data on the tapes requires knowledge of and access to specific hardware and software and knowledge of the system and data structure,” Tricare said in the statement.
Still, assuming the theft of the data was done without malicious intent and that the likelihood of someone accessing and exploiting it is low is awfully risky. Although Tricare doesn’t say it, it apparently kept quiet about the data because officials didn’t want to tip off a low-grade thief about the value of his swag while the cops were looking for him.
But to leave this data unencrypted in the first place and then to sit on the information for two weeks has put sensitive information about millions of persons at even greater risk.
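The column's closing point, that the tapes should never have left the building unencrypted, is easy to make concrete. The Go program below is an added example and is not code from Tricare, SAIC or GCN: it seals a constructed (made-up) backup of patient records with AES-256-GCM under a key assumed to be held in a key manager separate from the tape, checks that the identifiers no longer appear anywhere in the tape image, and shows that a holder of the tape who lacks the key gets an authentication failure rather than a readable dump. The function names, record layout and sample values are all assumptions for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed sample of what a backup tape might hold: a few patient records
// with made-up names, SSNs and diagnosis codes. Nothing here is real data.
var sampleBackup = []byte(
	"name=Jane Doe;ssn=000-00-0000;dx=J45.20;provider=Clinic A\n" +
		"name=John Roe;ssn=000-00-0001;dx=E11.9;provider=Clinic B\n")

// newKey returns a random 256-bit key. In a real backup pipeline the key
// lives in a key manager or HSM and is never written to the tape itself.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// sealBackup encrypts plaintext with AES-256-GCM. The random 12-byte nonce is
// prepended so the tape image is self-describing except for the key, and the
// GCM tag lets openBackup detect any modification of the image.
func sealBackup(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openBackup reverses sealBackup. It returns an error, not garbage, when the
// key is wrong or the image has been altered.
func openBackup(key, image []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(image) < gcm.NonceSize() {
		return nil, errors.New("tape image too short")
	}
	nonce, ct := image[:gcm.NonceSize()], image[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// leaksPlaintext reports whether any of the given sensitive fields appear
// verbatim in the tape image. An encrypted image never contains them; an
// obscure but unencrypted format would.
func leaksPlaintext(image []byte, fields ...string) bool {
	for _, f := range fields {
		if bytes.Contains(image, []byte(f)) {
			return true
		}
	}
	return false
}

func main() {
	key, err := newKey()
	if err != nil {
		panic(err)
	}
	image, err := sealBackup(key, sampleBackup)
	if err != nil {
		panic(err)
	}
	fmt.Printf("tape image is %d bytes; SSN visible in clear: %v\n",
		len(image), leaksPlaintext(image, "000-00-0000"))

	// The legitimate owner, holding the key, recovers the records.
	plain, err := openBackup(key, image)
	fmt.Printf("decrypt with right key: err=%v match=%v\n", err, bytes.Equal(plain, sampleBackup))

	// Whoever holds only the tape gets an authentication failure.
	wrongKey, _ := newKey()
	_, err = openBackup(wrongKey, image)
	fmt.Printf("decrypt with wrong key: err=%v\n", err)
}
```

The contrast with Tricare's statement is the point: a tape whose only protection is that reading it "requires knowledge of and access to specific hardware and software" is readable by anyone who obtains that hardware and software, whereas an encrypted tape is readable only by whoever holds the key, so the loss of the tape alone does not change the risk to the people on it. The key must be stored and backed up separately from the tape, or the encryption buys nothing.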
William Jackson is a senior writer of GCN and the author of the CyberEye blog.