Suit Hits Pentagon Over Huge 2011 Data Breach
The bad news piled up quickly for Carol Keller late last year. She was informed in December that her personal and medical information had been stolen nearly four months earlier when a Pentagon contractor left 25 computer tapes in the back seat of a Honda Civic in Texas. That explained the fraudulent purchases from her debit account, the Revere woman contends.
Keller, who is married to a disabled Air Force veteran and relies on the Pentagon-run health insurance program called TRICARE, is among 70,000 military personnel, retirees, and their families across New England who are grappling with the potential fallout of one of the largest-ever breaches of medical data. Nationally, as many as 4.7 million people may be vulnerable.
Keller insists the theft and unauthorized purchases are related and has joined nearly a dozen others in a class-action lawsuit seeking unspecified damages. Frustrated lawmakers and privacy specialists say the case spotlights what they contend is an ill-designed health system, in which the Pentagon relies on contractors and outdated computer storage technologies to house and transport personal information.
As a result of the outdated system, they say, those who risk their lives for the nation face undue risk of invasion of privacy and identity theft, and national security could be compromised.
“The bottom line is that people in charge of safeguarding our service members’ personal data need to transition from the 20th century to the era of iPads,” said Representative Edward J. Markey, who is demanding more answers from the Pentagon on its medical privacy policies. “TRICARE had given me no assurance that it is moving toward such a modern system.”
Many of the questions concerning standards and technology center on the Pentagon’s use of contractor Science Applications International Corp. The contractor alerted Keller to the September breach weeks later, in a letter titled “urgent.”
According to the lawsuit filed in federal court in Washington, one of three pending across the country, the breach was the latest involving the contractor, which receives about $20 billion a year in Pentagon contracts.
The contractor “has experienced no fewer than six security failures” since 2005 involving privacy data, the suit alleges, including a break-in at a company facility in California in 2005 in which the Social Security numbers and financial transactions of 45,000 top military and intelligence officials were stolen.
Two years later, the company announced that the health records of nearly 900,000 soldiers, their family members, and other government employees were compromised when they were transmitted online without encryption.
“We don’t know what specific instances that they are talking about, whether they are SAIC, whether they might be a vendor of some kind to us, and we don’t want to get into a dialogue about pending litigation,” said Vernon Guidry, a spokesman for Science Applications International Corp., also known by its acronym.
But he insisted that the company has no evidence that the information on the computer tapes stolen last year from a San Antonio parking garage was accessed by outsiders. Moreover, Guidry maintained it would be difficult to decipher the tapes.
“Reading the data on the tapes would require knowledge of and access to specific hardware and software, which is commercially available, but would also require knowledge of the system and data structure on the tapes,” Guidry said.
Some privacy specialists, however, said that would not be much of a barrier for those seeking a high payoff. In the rapidly advancing world of data protection, computer tapes are considered archaic.
“To read that, you need to get your hands on the proper equipment, but the value of the data itself makes it worth the effort for identity thieves,” said Lillie Coney, associate director of the Electronic Privacy Information Center, a public interest research group in Washington.
The contractor uses portable reel-to-reel tapes to store the data, relying on an operating system originally designed in 1977. Such technology is so outdated that there is no way to encrypt the data, even though encryption is standard procedure for storage systems today.
That detail infuriates Markey. “At minimum, TRICARE should require that its contractors, including SAIC, encrypt data before transporting it to a different location,” he said. “Yet even after experiencing multiple instances of physical data theft … TRICARE still does not mandate that its contractors handling sensitive information implement such a common sense risk mitigation practice.
“This is unacceptable,” Markey told TRICARE director Jonathan Woodson in a letter.
The backup tapes, which were being transferred by a Science Applications International employee, contained Social Security numbers, names, addresses, and phone numbers, as well as health data such as clinical notes, laboratory tests, and prescriptions for members of the military, veterans, and their families who received care from the military health system between 1992 and Sept. 7, 2011.