SAIC Explains Insurance for Breach
Says Lawsuit Settlement Costs Would be Covered
Science Applications International Corp. claims it has enough insurance to cover the costs of potential judgments or settlements stemming from seven class action lawsuits related to a September 2011 breach incident affecting 4.9 million TRICARE beneficiaries. TRICARE is the military health insurance program.
In its annual 10-K report filing with the Securities and Exchange Commission, however, SAIC notes the insurance policy has a $10 million deductible. The company states it has already recorded a loss equal to that amount, "representing the low end of the company's estimated loss." The statement adds: "The company believes that, if any loss is experienced by the company in excess of its estimate, such a loss would not exceed the company's insurance coverage."
SAIC is seeking to have seven pending class action lawsuits related to the breach consolidated, and it has filed motions to dismiss in five of the seven cases, it notes in the 10-K report. An eighth class action suit has already been dismissed. The statement, filed March 27, notes the lawsuits seek statutory damages of $1,000 for each individual affected (or $4.9 billion), plus other damages and costs.
The 10-K report acknowledges that the Department of Health and Human Services' Office for Civil Rights is investigating the breach, which stemmed from backup tapes stolen from the parked car of an SAIC employee who was to transport them between federal facilities on behalf of TRICARE. Such investigations, which can take as long as two years, can result in financial penalties and corrective action plans affecting both the covered entity (in this case TRICARE) and a business associate (SAIC).
Based on the total number of individuals affected, the TRICARE breach is the largest so far on the federal tally of major breaches reported since the HIPAA breach notification rule took effect in September 2009.
"There is no evidence that any of the data on the backup tapes has actually been accessed or viewed by an unauthorized person," according to the statement. "In order for an unauthorized person to access or view the data on the backup tapes, it would require knowledge of and access to specific hardware and software and knowledge of the system and the data structure."
SAIC acknowledged earlier, however, that the tapes were not fully encrypted (see: TRICARE Breach Notification in Works). "Some personal information was encrypted prior to being backed up on the tapes," an SAIC spokesman said last year. "However, the operating system used by the government facility to perform the backup onto the tape was not capable of encrypting data in a manner that was compliant with a particular federal standard. The government facility was seeking a compliant encryption solution that would work with the operating system when the backup tapes were taken."
A recent amended complaint tied to one of the pending lawsuits contends that a handful of those affected were victims of financial fraud as a result of the breach (see: TRICARE Breach Victims Report Fraud).
The company is offering those affected by the breach a year's worth of free credit monitoring services and, in certain circumstances, a year of identity restoration services, according to the statement.