Stop me if you’ve heard this one — a car is burglarized, and hardware goes missing that turns out to have sensitive personal data on thousands of beneficiaries, employees, patients and customers. Same old story — but in the millions this time.
Medical information on nearly 5 million military clinic and hospital patients was on backup tapes stolen from a contract employee of TRICARE, the federal health plan for active and retired military personnel and their families. The tapes were from an electronic health record that compiled data on the past 20 years’ worth of patients in San Antonio-area military treatment facilities.
The information on these patients may include Social Security numbers, contact information and “some personal health data such as clinical notes, laboratory tests and prescriptions,” according to a notice on TRICARE’s website. The tapes were in transit between federal facilities, but were left in the parked car all day before being stolen along with the vehicle’s stereo and navigation device, according to local news reports.
In their notice, TRICARE and contractor Science Applications International Corp. (SAIC) downplayed the risk of harm. Actually getting at the data would require special equipment and knowledge of the hardware, software and system, they said. (Note: that excludes the possiblity that an employee — who can access SAIC equipment and knows the hardware — stole the tapes).
TRICARE and SAIC plan to notify the affected individuals by letter over the next four to six weeks, but are not offering credit monitoring and restoration services. (Note: Presumably, the cost of purchasing such services for this many people would be astronomical, and would come from the taxpayers.) Not only would a potential identity thief have a hard time extracting the data, but it doesn’t even include financial identifiers like credit card and bank account numbers, the notice explains.
SAIC set up an Incident Response Call Center for individuals seeking further information about the loss of PHI, which includes prescription drug and lab work info. The toll free number is 855.366.0140 in the U.S.
The fact that routine breaches like this one can still befall big, sophisticated, security-conscious organizations like TRICARE and SAIC — a major federal contractor whose clients include HHS — obviously reinforces the need for measures like ongoing training and formalized disciplinary policies, to minimize the chance that one employee will become that “weak link.”
Information on HIPAA breach notification and other privacy and security issues can be found in the Employer’s Guide to HIPAA Privacy Requirements.