TRICARE, which provides civilian health benefits for military personnel, military retirees and their dependents, announced on Wednesday that Science Applications International (SAIC) has reported a data breach involving personally identifiable and protected health information (PII/PHI) impacting an estimated 4.9 million military clinic and hospital patients.
The breach was reported by SAIC on Sept. 14 and involved backup tapes from an electronic healthcare record used in the Military Health System (MHS) to capture patient data from 1992 through Sept. 7, 2011, from patients who received care in the San Antonio area military treatment facilities (including the filling of pharmacy prescriptions) and others whose laboratory workups were processed in these same facilities even though the patients were receiving treatment elsewhere.
[Editor's Desk: This Week in Government Health IT.]
The back-up tapes may have included Social Security numbers, addresses and phone numbers, and some personal health data such as clinical notes, laboratory tests and prescriptions, but officials said there was no financial data, such as credit card or bank account information.
Officials said they delayed posting a notification about the breach for two weeks because they did not want to cause “undue alarm” and wanted to be able to assess the risk to the public, which they have determined is low.
“The risk of harm to patients is judged to be low despite the data elements involved since retrieving the data on the tapes would require knowledge of and access to specific hardware and software and knowledge of the system and data structure,” TRICARE officials said.
The incident is under investigation and officials said additional information will be published as soon as it is available.
SAIC and TRICARE Management Activity (TMA) officials said they are also reviewing current data protection security policies and procedures to prevent similar breaches in the future.
SAIC has created an Incident Response Call Center for what it refers to on its website as “reported loss” of back-up computer tapes for patients who believe they may have been impacted.