Tricare reports data breach affecting 4.9 million patients

The records of about 4.9 million Military Health System patients have been breached by a contractor for the military's Tricare Management Activity insurance carrier, according to a Tricare statement (PDF).

The breach by Science Applications International Corp., McLean, Va., was reported to Tricare on Sept. 14 and involved backup tapes of a military electronic health-record system that was in use from 1992 through Sept. 7, 2011, according to the statement.

The breached records, affecting patients who received care at San Antonio-area military treatment facilities "may include Social Security numbers, addresses and phone numbers, and some personal health data such as clinical notes, laboratory tests and prescriptions," Tricare noted. The data includes prescriptions and results of laboratory work performed in the San Antonio area even if the patient did not receive treatment there, according to the statement. No financial information, such as credit-card or bank-account numbers, was contained in the records.

If the current estimate of the number of affected individuals holds, the Tricare breach would top the list as the largest of the 330 most serious security breaches reported to the Office for Civil Rights at HHS since September 2009.

"I know that an employee at SAIC reported the tapes (as) stolen," said Austin Camacho, chief of public affairs at Tricare.

SAIC spokesman Vernon Guidry confirmed the tapes were taken from an employee's car while being physically transferred to an off-site storage facility in the San Antonio area as part of a routine backup operation. Guidry said the theft was being investigated by San Antonio police and U.S. Defense Department investigators.

According to the San Antonio Police Department report, the tapes were burglarized about 8 a.m. The incident was not reported to police until nearly 4 p.m. the following day.

Guidry said some of the personal information was encrypted, but he declined to estimate how much had been encryption-protected.

Tricare described the risk of harm to individuals as low, stating that "retrieving the data on the tapes would require knowledge of and access to specific hardware and software and knowledge of the system and data structure."

SAIC has set up a toll-free call-center number for concerned individuals in the U.S.: (855) 366-0140. Those dialing from abroad can place a collect call to (952) 556-8312. Information about avoiding identity theft is available at the Federal Trade Commission's website.

SAIC, one of the nation's largest defense information technology and national security contractors, also has a long history with military health IT. In 1988, SAIC was awarded a $1.01 billion, eight-year contract to modify a clinical IT system developed by the U.S. Veterans Affairs Department for Defense Department use. The resulting EHR, called the Consolidated Health Care System, was fully installed by about 1994 and remains in use at military hospitals. SAIC recently won an IT support services contract with Tricare lasting up to four years and valued at up to $53 million.