Gaffney, the spouse of “a decorated war veteran,” has received insurance through Tricare since 1992, according to the 19-page complaint. Taylor is an Air Force veteran and the spouse of a member of the armed services who served in Operation Desert Storm, the complaint said.
The plaintiffs allege their “most sensitive personal and medical information” was compromised, causing them economic loss because of the need to purchase identity theft protection. The plaintiffs also allege they've “suffered emotional upset” as a result of the invasion of their privacy.
The breach was reported to Tricare on Sept. 14 by Science Applications International Corp., McLean, Va., which was under contract with the military's insurance carrier to provide off-site data storage and backup data security.
Backup tapes storing records of 4.9 million people from a military electronic health record system in use from 1992 through Sept. 7, 2011 were reportedly taken from the car of an SAIC employee.
The car, a 2003 Honda Civic, was reportedly burglarized on Sept. 13 sometime between just before 8 a.m. and 4:30 p.m. while the car was parked in the lot of a downtown San Antonio bank and high-rise office building. The incident was not reported to San Antonio police until nearly 4 p.m. the following day, according to the police report.
The breached records, affecting patients who received care at San Antonio-area military treatment facilities, “may include Social Security numbers, addresses and phone numbers, and some personal health data such as clinical notes, laboratory tests and prescriptions,” according to Tricare. The data also included prescriptions and test results of work performed in San Antonio area labs, even if the patients did not receive treatment by providers in the San Antonio area.
The suit alleges Tricare “flagrantly disregarded plaintiffs' privacy rights by intentionally, willfully and reckless failing to take the necessary precautions” to protect their records. Tricare “compounded its dereliction of duty” by allowing the SAIC employee to take the information off of government property “and to leave the unencrypted information in an unguarded car parked in a public location.”
“Upon information and belief, the SAIC employee from whose car plaintiffs' personal information was stolen did not receive a security background check nor did he receive the requisite training mandated by federal law,” the complaint alleges. The suit also alleges Tricare didn't disclose the breach to victims until Sept. 29 in apparent violation of Tricare's own operations manual, which requires notification of beneficiaries as soon as possible in the event of a breach, but not later than 10 days after the breach is discovered, the suit contends.
Tricare's actions and inaction in failing to report the breach in a timely matter “were arbitrary, capricious and without observance of procedures required by law,” it said.
Further, plaintiffs allege that the Defense Department “has been repeatedly informed of recurring, systemic and fundamental deficiencies in its information security, but has failed to effectively respond” representing a “reckless disregard for Tricare members' privacy rights and intentional or willful violations of the Privacy Act.”
Plaintiff's co-counsel, Jeremiah Frei-Pearson, of Meiselman, Denlea, Packman, Carlton & Eberza of White Plains, N.Y., said Tricare, Panetta, and the Defense Department all were responsible for protecting the privacy of the personal healthcare information of military personnel and their dependents.
“They had a duty to protect and follow the law and they didn't do it,” Frei-Pearson said. He declined to comment on why SAIC was not named as a defendant in the suit.
The suit asks that SAIC as well as Tricare be enjoined from transporting confidential information “until an independent panel of experts finds that adequate information security has been established and implemented.”
Spokespersons for Tricare and SAIC were unavailable at deadline to comment on this story.
