TRICARE to Brief Congress on Breach

Military Program Criticized for 'Failing to Address Concerns'
TRICARE to Brief Congress on Breach

Members of Congress have again expressed serious concerns about security measures at TRICARE, the military health program, in the wake of a September 2011 breach affecting 4.9 million individuals. TRICARE officials have agreed to brief lawmakers about security issues.

See Also: Virtualization: Your Untapped Advantage Against Cyberattacks

Last December, several members of Congress sent a letter to TRICARE posing many questions about the breach as well as security procedures (see: Congress Probes TRICARE Breach). TRICARE submitted a response to the inquiry, and the members of Congress recently told TRICARE in a letter that the response "fails to address many of our concerns."

A TRICARE spokesman confirms to HealthcareInfoSecurity that officials with the military health program will brief members of Congress this month.

Breach Details

In the breach incident last year, a TRICARE business associate, Science Applications International Corp., reported that unencrypted computer backup tapes containing TRICARE patient information were stolen from an SAIC employee's car. SAIC had been hired to transport backup tapes to a secure location.

The breach affecting beneficiaries of the Defense Department's TRICARE health program, which serves active-duty troops and their dependents, as well as military retirees, is the largest reported since the HIPAA breach notification rule went into effect in September 2009.

Information on the breached tapes may have included Social Security numbers, names, addresses, phone numbers and some personal health data, such as clinical notes, lab tests and prescriptions, TRICARE reported. The tapes did not contain any financial data.

Seven class action lawsuits have been filed in connection with the breach incident (see: SAIC Explains Insurance for Breach).

Congressional Concerns

In a letter to TRICARE last month, four members of Congress, including Rep. Edward Markey, D-Mass., said that the information the health program provided in response to their inquiry "raises a number of additional significant questions about TRICARE's ability to protect the health privacy of members of our military."

The letter continues: "We remain deeply concerned that TRICARE is not adequately safeguarding this sensitive information, to the detriment of millions of service members and their families. Accordingly, we call on TRICARE to promptly implement major, meaningful reforms to ensure the security of the personal information it collects, maintains and manages on behalf of those who serve in the Armed Forces."

The Congressional letter stresses that TRICARE's continued lack of a mandate that its contractors handling sensitive information, including SAIC, encrypt data before transporting it is "unacceptable." Plus, it criticizes TRICARE's explanation about why all the information on the stolen tapes was not properly encrypted. "It appears that TRICARE blames its lack of adequate security protections on a 'legacy' system with 'no available technical solution for encryption' to meet federal standards. Such limitations do not excuse TRICARE's and its contractor's lax treatment of such sensitive data."

The letter also chastises TRICARE for continuing to rely on the physical transport of backup tapes. "Despite the fact that this is as least the second incident involving the theft of SAIC's computer backup tapes, TRICARE has still not abandoned the physical transport of such data in favor of electronic transmission over a secure virtual private network."

In addition, the letter questions why TRICARE hired SAIC "for such sensitive work" given SAIC's "history of serious security failures."

The TRICARE spokesman would not comment on the letter, other than to say that the military health program was preparing a response.

In its earlier reply to Congress, however, TRICARE stated that SAIC "is one of a limited number of contractors with the requisite skills and knowledge base capable of performing the complex tasks" associated with maintaining TRICARE's various systems.

About the Author

Howard Anderson

Howard Anderson

News Editor, ISMG

Howard J. Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 34 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.

Around the Network