The personal information of more than a half million uniformed service members and their families was placed at risk for potential compromise when Science Applications International Corp. was processing military health care data, the company said July 20.
SAIC did not indicate when the incident took place but said it fixed the security lapses as soon as it learned of them and began working with customers to mitigate any negative effects.
SAIC said the Army, Navy, Air Force and Homeland Security Department contracts were in connection with Tricare, the online health benefits program for the uniformed services, retirees and their families.
The company said forensic analysis so far has not uncovered any compromise of the personal information, which could include combinations of names, addresses, Social Security numbers, birth dates and limited health information in the form of codes.
However, the possibility cannot be ruled out, the company stated. SAIC is notifying about 580,000 households, some with more than one affected person.
The data was stored on a single, SAIC-owned, nonsecure server at a small undisclosed company location, and in some cases was transmitted over the Internet in an unencrypted form.
SAIC announced a series of steps it has taken to prevent a recurrence of the data compromise. The company has:
Conducted a detailed forensic analysis of the server and data, which included assistance from some of the company's and the government's top experts in computer security.
Launched an internal investigation using outside counsel to determine exactly how this security failure occurred and placed some employees on administrative leave pending the outcome of the investigation.
Established a companywide task force to ensure that the company responsibly addresses any adverse effect on customers and any affected individuals.
Initiated a systematic, companywide assessment to assure that such lapses do not exist elsewhere in the company and determine whether any changes in policy, methods, tools and monitoring are needed to make sure that such a lapse does not happen again.
SAIC also has hired Kroll to provide services to affected individuals, including an Incident Response Center with extended hours, information resources, and credit and identity restoration services for any victims of related identity theft. These services will be provided at no cost to the government or the affected persons, the company said.
SAIC Chairman and Chief Executive Officer Ken Dahlberg apologized to those affected by the security failure and said, "The security failure is completely unacceptable and occurred as a result of clear violations of SAIC's strong internal [information technology] security policies."
The Veterans Affairs Department in May 2006 was the victim of the largest personal data breach in history when a laptop computer containing the medical records of about 26.5 million veterans and their families was stolen from the home of a VA employee. The FBI later recovered it and said testing indicated that the records had not been compromised. Several top VA officials resigned or were fired as a result.
David Hubler writes for Washington Technology, an 1105 Government Information Group publication.