Last week, TRICARE, the health care program for U.S. military members, retirees, and their families, put out a statement (PDF) that said that on the 14th of September, "Science Applications International Corporation (SAIC) reported a data breach involving personally identifiable and protected health information (PII/PHI) (PDF) impacting an estimated 4.9 million military clinic and hospital patients." Most of the 4.9 million people affected had been treated in the San Antonio, Texas, region.
Furthermore, the statement said:
"The information was contained on backup tapes from an electronic health care record used in the military health system (MHS) to capture patient data from 1992 through September 7, 2011, and may include Social Security numbers, addresses and phone numbers, and some personal health data such as clinical notes, laboratory tests and prescriptions."
A story at Government Executive's website said that the tapes were stolen out of an SAIC employee's parked car at an SAIC facility as he/she was in the process of transporting the tapes between federal facilities in the San Antonio area.
No patient financial information was said to be on the tapes. TRICARE also said that the "...risk of harm to patients is judged to be low despite the data elements involved, since retrieving the data on the tapes would require knowledge of and access to specific hardware and software and knowledge of the system and data structure."
This may generally be true, but a person deliberately targeting this information would not have much difficulty accessing it, according to this story from Reuters.
A follow-up story in Government Executive also reported that the TRICARE backup tapes were not encrypted, in violation of Federal standards. According to the story, an SAIC spokesperson said that "...the operating system used by the government facility to perform the backup onto the tape was not capable of encrypting data in a manner that was compliant with the relevant federal standard."
This is more than a bit surprising, given that the encryption standard has been around since 2002 and the MHS system is one of the most sophisticated—and expensive—electronic health record systems in existence.
The news of the TRICARE data breach crowded out two other medical data-related breach stories from last week. The first was the news in the Minneapolis Star-Tribune that a laptop containing the medical information on 16,000 patients of Fairview and North Memorial hospitals in Minneapolis, Minnesota, was stolen from a parked car in July. The laptop, which contained personal information on most (but not all) of the patients affected, including their names, addresses, birth dates, and Social Security numbers, belonged to an insurance and patient services subcontractor to the hospitals.
Surprise, surprise, the information on the laptop was not encrypted, in violation of company policy.
The Star-Tribune story says that the hospitals waited two months to tell anyone about the breach because they needed the time to figure out who was affected. The hospitals wouldn't say why the subcontractor needed that much patient information to be on a laptop in the first place. The hospitals did say they will be offering free identity theft protection to all the patients affected.
The Star-Tribune says this is the second time this year that the Fairview Hospital has had a medical data breach. In April, 1200 patient files were lost and never recovered during an office relocation.
The other medical breach story from last week occurred in Florida. According to the Orlando Sentinel, three Florida Hospital employees were fired after it was discovered that they had accessed the emergency room electronic medical records of some 2250 patients involved in car accidents in Orange, Osceola, and Seminole counties over a period of nearly two years.
The Orlando Sentinel story said that the employees had been passing the emergency medical care information to an attorney-referral service, which was not named. The scheme was discovered when a car-accident victim was contacted by an attorney after her accident. The only way the attorney would have known about the accident, she said, was if the information came directly from the hospital, the story stated.
A Florida Hospital spokesperson said that it was taking the breach "super-seriously" and that it was "...providing all kinds of support services to demonstrate to [those affected] that we take that very seriously."
The three latest breaches should push the number of people affected by improper disclosures of medical information in the United States to some 15 million since September 2009.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.