The breach occurred when unencrypted backup tapes were stolen from the parked car of an employee of a TRICARE business associate, Science Applications International Corp. The lawsuit does not list SAIC as a defendant. Instead it names TRICARE, the Department of Defense and Defense Secretary Leon Panetta.
A TRICARE spokesman declined to comment on the lawsuit. Earlier, TRICARE confirmed that the tapes may have included Social Security numbers, names, addresses, phone numbers and some personal health data, such as clinical notes, lab tests and prescriptions. The tapes did not contain any financial data.
The suit, filed by the law firm Shulman, Rogers, Gandal, Pordy & Ecker, seeks $1,000 in damages for each of the 4.9 million TRICARE beneficiaries who had information on the tapes, alleging violations of the Privacy Act of 1974 and the federal Administrative Procedure Act. It alleges "intentional, willful and reckless violations of the privacy rights" of the beneficiaries.
The defendants' "inexplicably failed to properly encrypt the information," the suit states. It also alleges that TRICARE "authorized an untrained or improperly trained individual to take the highly confidential information off of government premises and to leave the unencrypted information in an unguarded car parked in a public location, from which it was stolen..."
Credit Monitoring SoughtIn addition to seeking $4.9 billion in damages, the lawsuit asks the court to require the defendants to offer the affected beneficiaries free credit monitoring.
When it recently announced plans to notify those affected by the breach, TRICARE noted that it did not plan to offer free credit monitoring. "Reading the tapes takes special machinery," a TRICARE statement noted. "Moreover, it takes a highly skilled individual to interpret the data on the tapes. Since we do not believe the tapes were taken with malicious intent, we believe the risk to beneficiaries is low."
The lawsuit asks the court to bar DoD and TRICARE from transferring any records subject to the Privacy Act "until an independent panel of experts finds that adequate information security has been established and implemented."
In addition, the suit asks the court to prohibit DoD and TRICARE from transporting any confidential records off government property "unless the records are fully and properly encrypted." It also asks the court to prevent the defendants from transporting confidential records "by any non-secure means, including unprotected cars." And it asks that SAIC be prohibited from accessing or transporting confidential TRICARE information until an independent panel confirms the company has taken adequate security precautions.