WASHINGTON — TRICARE is reviewing its current data protection security policies and procedures in response to a data breach that involved personal information on an estimated 4.9 million military clinic and hospital patients.
A $4.9 billion class-action lawsuit that was filed against DoD in response to the breach states that TRICARE “flagrantly disregarded plaintiffs’ privacy rights by intentionally, willfully and recklessly failing to take the necessary precautions required to protect the personal identification information of 4,900,000 people from unauthorized disclosure.”
According to TRICARE, the data had been contained on backup tapes from an electronic health care record used in the military health system to capture patient data from 1992 through Sept. 7, 2011. The backup tapes included Social Security numbers, addresses and phone numbers, as well as some personal health data, such as clinical notes, laboratory tests and prescriptions and involved patients who received care in military treatment facilities in the San Antonio area. The agency said that no financial data was contained on the backup tapes.
Science Applications International Corp. (SAIC), the defense contractor that reported the data breach, is reviewing its data protection security policy and procedures.
TRICARE said on its website that the “risk of harm to patients is judged to be low, despite the data elements involved, since retrieving the data on the tapes would require knowledge of and access to specific hardware and software and knowledge of the system and data structure.”
The plaintiffs in the case include Virginia Gaffney, her two children and Adrienne Taylor. Taylor is described in the lawsuit as an Air Force veteran and a spouse of a member of the Armed Services; Gaffney is described as the spouse of a decorated war veteran.
As a result of the data loss, the lawsuit stated that Gaffney and Taylor “incurred an economic loss” as a result of having to purchase a credit monitoring service and suffered “emotional upset” as a result of the invasion of privacy.
TRICARE has told beneficiaries on a notice posted on its website that they can monitor their credit and place a free fraud alert on their credit for a period of 90 days using the Federal Trade Commission (FTC) website. The agency also plans to send out letters to beneficiaries who may have been impacted by the data breach.