By Fred W. Baker IIIJuly 23, 2007
WASHINGTON (Army News Service, July 23, 2007) - Data for nearly 600,000 households enrolled in TRICARE stored on a government-contractor's unprotected computer server could have been exposed to hackers, defense officials announced Friday.
"We take this potential data compromise very seriously," said Maj. Gen. Elder Granger, deputy director, TRICARE Management Activity. "The risk has been identified as low, but as a result of this unfortunate event, the Department of Defense is ensuring that steps are taken to keep affected beneficiaries informed."
Beneficiaries' names, addresses, Social Security numbers, birth dates and some health information was stored on a computer server that was not using a firewall and did not have adequate password protection, TRICARE Management Activity officials said.
Officials disabled the server in May, and it is no longer used. Forensic analysis of the server found no evidence that any beneficiary information was compromised, said Leslie Shaffer, assistant privacy officer at the activity.
Science Applications International Corp. maintained the data in Shalimar, Fla., and used it to process several military health-care contracts, including those for customers in the Army, Navy, Air Force and Coast Guard. The server allowed for File Transfer Protocol transmissions of the data to its contract customers.
This is the first time SAIC has violated Defense Department computer security procedures, Ms. Shaffer said.
The TRICARE security breach was discovered after contract customers reported non-secure transmissions of data. SAIC is investigating and some employees have been placed on administrative leave pending the outcome, a company release stated.
"I can assure you that the individuals responsible for managing that server were not following standard operating procedures. DoD has very strict guidance on how we protect sensitive data," Ms. Shaffer said.
Since May, SAIC has been processing the data, matching it with contact information so the beneficiaries could be notified.
"We're taking precautions to do everything we can within DoD, Health Affairs and the TRICARE Management Activity to ensure that our beneficiaries are notified," Ms. Shaffer said. "We have been working closely with SAIC to ensure all our procedures are being followed."
DoD and SAIC are mailing letters this week to beneficiaries whose data was put at risk. An incident response center has been set up to field customer's toll-free calls and information is available through a Web site for those who suspect identity theft, or who want to protect themselves from identity theft.
Beneficiaries who were put at risk are also being offered a free, one-year subscription to an identity restoration service, she said.
"I think anyone who receives a letter should take the protections that are necessary to ensure their data has not been compromised," she said. "Those numbers are available. I would recommend that the beneficiary use those numbers."
The incident response center can be reached toll free within the United States at 1 (888) 862-2680, or collect at 1 (515) 365-3550 from outside the United States.
(Fred W. Baker III writes for the American Forces Press Service.)