By Jim Forsyth
SAN ANTONIO (Reuters) - A massive data breach, in which the personal and medical records of millions of military patients and their families were compromised, happened when the records were stolen out of a data contractor's car in San Antonio, officials told Reuters on Thursday.
The information for some 4.6 million active and retired military personnel, as well as their families, was on back up-tapes from an electronic health care record used to capture and preserve patient data from 1992 through September 7 of this year, according to Science Applications International Corp (SAIC).
The families used the federal government's TRICARE health provider. SAIC is the suburban Washington firm that handles military health provider TRICARE's data.
The tapes went missing on September 14 when they were "among items stolen from an employee's car in San Antonio," SAIC spokesman Vernon Guidry told Reuters.
They were in the car, he said, because they were "being transferred from one federal facility to another in compliance with the terms of their contract."
He said there's no indication the car thief was after the tapes or even knew what they were.
SAIC is working with San Antonio police and a private investigator to recover the tapes, Guidry said.
After announcing the breach on Thursday, SAIC officials scrambled to reassure patients the "risk of harm to patients is judged to be low, despite the data elements involved."
"Retrieving the data on the tapes would require knowledge of and access to specific hardware and software and knowledge of the system and data structure," SAIC said in a statement released Thursday.
NO FINANCIAL DATA
TRICARE officials say the data on the tapes include Social Security numbers, addresses and phone numbers, and some personal data such as clinical notes, laboratory tests, and prescriptions. No financial data, such as credit card or bank account information, are on the tapes, officials said.
The SAIC statement said the company withheld information about the breach until Thursday so it could "determine the degree of risk this data loss represented before making notifications" so as "to not raise undue alarm in our beneficiaries."
Guidry said the data cover 4.9 million patients who received treatment at military hospitals and military treatment facilities in San Antonio. The breach also includes information for patients who may have been receiving treatment at other military medical facilities, but whose laboratory work or other diagnostic work was done at San Antonio hospitals.
Despite the assurance that the risk is low, computer security expert Dwayne Williams, associate director of the Technology Research Group at the University of Texas San Antonio, said patients should take preemptive steps.
"If somebody intentionally went after this data, they are going to have the right hardware and software to read these files," he said. "This equipment is available and can be purchased on the Internet.
SAIC and TRICARE have set up emergency response centers for patients to call to get help in dealing with the security breach, and help them to place a fraud alert on their credit reports.
TRICARE has a total of 9.6 million enrollees worldwide. It is the HMO and medical service provider for America's active duty and retired military personnel, their families, military reservists, and some civilian Department of Defense workers.
TRICARE said in the statement that it is working with SAIC to "review current data protection security policies and procedures to prevent similar breaches in the future."
Williams said situations like this are "scary," but they're part of modern life.
"If you are a citizen in the modern society, if you have a credit card, if you shop online, if you have information stored, you should anticipate that some day your information will get stolen," he said.
"Data breaches are getting bigger and more common. You should take steps to protect your identity."
(Edited by Karen Brooks and Greg McCune)