By Steve Vogel
The letter that arrived Saturday at the home of Fred MacLean in Fayetteville, N.C., held bad news: Computer backup tapes containing the retired Army chaplain's personal information with the military's Tricare health system had been stolen.
MacLean is hardly the only one receiving bad news. Letters are being sent this month and next to the homes of all 4.9 million Tricare military beneficiaries whose personal data has been stolen in one of the largest health-data breaches ever reported.
The data on the tapes include names, Social Security numbers, addresses, birth dates, phone numbers and laboratory tests, but not any financial data such as credit card or bank information, according to the letter from Science Applications International Corp., a defense contractor for the Tricare Management Activity.
The tapes were stolen Sept. 12 from the car of an SAIC employee in San Antonio who was transporting the data from one federal facility to another as part of required backup procedures. The theft was publicly revealed on the Tricare website and publicized in late September. But many beneficiaries, including MacLean, are just learning the news with the arrival of the letters.
When MacLean's wife, Adrianne, called SAIC and Tricare for more information, she said that everyone she spoke to offered reassurance.
"They all told me it was encrypted and I had nothing to worry about," she said. "You're crazy if you think I'm not worried."
In fact, "most of the data was not encrypted," SAIC spokesman Vernon Guidry said this week.
Austin Camacho, a Tricare spokesman, said: "If that's something that's being put out, they need to fix that in a hurry."
Following an inquiry from The Washington Post, SAIC said it "reinforced with our call center personnel their previous instruction that they should not say the data were encrypted."
Despite the data theft and the lack of encryption, SAIC and Tricare say the risk to beneficiaries is low. "The chance that your information could be obtained from these tapes is low since accessing, viewing and using the data requires specific hardware and software," the SAIC letter states.
"There aren't a lot of people who know how to do it, or have the equipment," Camacho said.
"At this time, we have no evidence to indicate the data on the backup tapes has been accessed, viewed or used by others in any way," the SAIC letter states.
Nonetheless, SAIC is facing a class-action lawsuit filed in Texas seeking up to $4.9 billion in damages on behalf of affected beneficiaries. A separate class-action lawsuit has been filed seeking $4.9 billion in damages from the Defense Department.
"We take this incident very seriously," Brig. Gen. Bryan Gamble, deputy director of the Tricare Management Activity, said in a statement. "The risk to our patients is low, but the Department of Defense is taking steps to keep affected patients informed and protected."
Adrianne MacLean is not reassured. "Tricare was pointing the finger at SAIC, and SAIC says, 'It's not our fault,' " she said. "Nobody had good answers for me."
SAIC has received reports from beneficiaries who fear their information is being misappropriated. The company is looking into whether the cases are linked to the data theft, Guidry said. SAIC is about halfway through the mailing and expects it to be completed in early December, he added.
Procedures for backing up computer data have been changed. "The tapes are no longer transported," said Guidry, who declined to discuss how the information is now being backed up.
The employee from whom the tapes were stolen no longer works for the SAIC, said Guidry, but he declined to say whether his departure was related to the incident.