Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

10/4/2011
08:48 AM
50%
50%

Military Health Plan Data Breach Threatens 4.9 Million

Tricare says lost backup tapes fall under FTC jurisdiction, not HIPAA, so only offers 90 days of fraud protection.

12 Advances In Medical Robotics
(click image for larger view)
Slideshow: 12 Advances In Medical Robotics
A data breach involving nearly 5 million people treated at military healthcare facilities over a 19-year period is raising questions about whether U.S. Federal Trade Commission (FTC) rules supersede Health Insurance Portability and Accountability Act (HIPAA) regulations.

Last week, Tricare, the managed care arm of the U.S. government's Military Health System, disclosed that contractor Science Applications International Corp. (SAIC) had lost backup tapes containing personally identifiable information--including some health data--of about 4.9 million people. The tapes contained data from electronic health records (EHRs) used at military hospitals, clinics, and pharmacies in the San Antonio area from 1992 until Sept. 7, 2011.

According to a statement from Tricare, the records may include Social Security numbers, addresses, and phone numbers, as well as clinical notes, prescription information, and some lab data. Tricare said that the tapes did not hold any financial information.

"The risk of harm to patients is judged to be low despite the data elements involved since retrieving the data on the tapes would require knowledge of and access to specific hardware and software and knowledge of the system and data structure," according to the Tricare statement. "Since we do not believe the tapes were taken with malicious intent, we believe the risk to beneficiaries is low."

[ Are you prepared if your organization suffers a data breach? See Data Breach Response Plans: Yours Ready?]

Tricare said that SAIC reported the breach on Sept. 14. Citing a police report, the San Antonio Express-News reported that the tapes were stolen from an SAIC employee's car during a burglary the night before.

The Tricare statement said that the U.S. Department of Defense and SAIC are working to identify all individuals whose data were compromised and that Tricare will sent notifications by mail. The process is expected to take 4-6 weeks.

People affected will not be provided with any private credit monitoring services. "The risk of harm to patients is judged to be low despite the data elements involved," the Tricare notice said. Tricare is directing enrollees to a FTC site where individuals can place a free, 90-day fraud alert on their personal credit ratings.

"It's clear that Tricare is trying to position this under Federal Trade Commission regulations, not under HIPAA regulations," Ruby Raley, director of healthcare solutions at IT integration and security company Axway, Scottsdale, Ariz., told InformationWeek Healthcare.

Unlike HIPAA, FTC regulations don't require entities to sign agreements with "business associates" that hold third parties to the same standards when handling sensitive data. Also, HIPAA regulations require organizations to provide a year of credit monitoring to anyone who may have been affected by a breach. "They're only [offering] fraud protection for 90 days," Raley said of Tricare.

As of Monday, the incident had not been posted on the Department of Health and Human Services' list of breaches affecting at least 500 people, commonly called the "wall of shame." The 2009 American Recovery and Reinvestment Act calls for covered entities to report major HIPAA breaches to the HHS Office for Civil Rights if the data was not encrypted.

Tricare did not indicate whether SAIC encrypted the information on the stolen tapes, but Raley said, "It's very hard to encrypt a backup tape." Tricare did not respond to a request for comment on the HIPAA issues.

SAIC has not offered a public statement on the incident, but the company's home page references an "Incident Response Call Center."

Anyone concerned that they may have been affected by the theft can call (855) 366-0140 from within the United States or (952) 556-8312 from abroad. This same information is included in Tricare's statement.

Not every application is ready for the cloud, but two case studies featured in the new, all-digital issue of InformationWeek Healthcare offer some insights into what does work. Also in this issue: Keeping patient data secure isn't all that hard. But proposed new regulations could make it a lot harder. Download it now. (Free with registration.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
OTECH000
50%
50%
OTECH000,
User Rank: Apprentice
10/7/2011 | 2:24:19 PM
re: Military Health Plan Data Breach Threatens 4.9 Million
I think it might be TRICARE all caps, but not sure what it stands for.
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-29040
PUBLISHED: 2021-05-16
The JSON web services in Liferay Portal 7.3.4 and earlier, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 20 and 7.2 before fix pack 10 may provide overly verbose error messages, which allows remote attackers to use the contents of error messages to help launch another, more focused att...
CVE-2021-29041
PUBLISHED: 2021-05-16
Denial-of-service (DoS) vulnerability in the Multi-Factor Authentication module in Liferay DXP 7.3 before fix pack 1 allows remote authenticated attackers to prevent any user from authenticating by (1) enabling Time-based One-time password (TOTP) on behalf of the other user or (2) modifying the othe...
CVE-2021-29047
PUBLISHED: 2021-05-16
The SimpleCaptcha implementation in Liferay Portal 7.3.4, 7.3.5 and Liferay DXP 7.3 before fix pack 1 does not invalidate CAPTCHA answers after it is used, which allows remote attackers to repeatedly perform actions protected by a CAPTCHA challenge by reusing the same CAPTCHA answer.
CVE-2021-22668
PUBLISHED: 2021-05-16
Delta Industrial Automation CNCSoft ScreenEditor Versions 1.01.28 (with ScreenEditor Version 1.01.2) and prior are vulnerable to an out-of-bounds read while processing project files, which may allow an attacker to execute arbitrary code.
CVE-2021-29039
PUBLISHED: 2021-05-16
Cross-site scripting (XSS) vulnerability in the Asset module's categories administration page in Liferay Portal 7.3.4 allows remote attackers to inject arbitrary web script or HTML via the site name.