New Offer for TRICARE Breach VictimsSAIC to Supply Free Credit Monitoring
Earlier, TRICARE had announced that it would not offer credit monitoring services, citing the minimal risk involved in the breach, which involved backup tapes stolen from an SAIC employee's car (see: TRICARE Breach Notification in Works).
"SAIC will also conduct an analysis of all available data to help TRICARE determine if identity theft occurs due to the data breach," says Austin Camacho, chief of public affairs for TRICARE Management Activity.
Letters notifying victims about the breach and offering free credit monitoring are being mailed this month, Camacho says. SAIC confirmed earlier that it is picking up the notification costs.
A TRICARE statement on the organization's website, updated the afternoon of Nov. 4, confirms the offer of free credit monitoring through SAIC. The letter does not make it clear why TRICARE changed its position on offering credit monitoring. But in a news release, Brigadier General W. Bryan Gamble, TRICARE Management Activity deputy director, says, "We take very seriously our responsibility to offer patients peace of mind that their credit and quality of life will be unaffected by this breach."
A class action lawsuit has been filed against the Department of Defense and TRICARE, alleging "intentional, willful and reckless violations of the privacy rights" of the beneficiaries as a result of the breach. It seeks $1,000 in damages for each person affected, or a potential total of $4.9 billion. The lawsuit also sought to force TRICARE and DoD to offer free credit monitoring.
TRICARE Incident Details
The TRICARE breach is the largest reported since the HIPAA breach notification rule went into effect in September 2009. The Defense Department's TRICARE healthcare program, which serves active-duty troops and their dependents, as well as military retirees, said SAIC reported backup tapes were stolen from the car of an SAIC employee that was parked outside an SAIC facility in San Antonio.
Information on the breached tapes about patients treated in San Antonio-area military facilities may have included Social Security numbers, names, addresses, phone numbers and some personal health data, such as clinical notes, lab tests and prescriptions, TRICARE reported. The tapes did not contain any financial data.
In the wake of the TRICARE incident, the DoD and two other government agencies issued a proposed rule designed to help ensure that government contractors provide adequate privacy training to their staff members (see: Training Proposed After TRICARE breach ).
Breach Tally Grows
With the addition of the recent TRICARE and Nemours breaches to the federal tally, the government now estimates that more than 18 million individuals have been affected by health information breaches since September 2009.
On Nov. 4, the Department of Health and Human Services' Office for Civil Rights updated its "wall of shame" tally of major health information breaches to include these two incidents.
The Sept. 13 TRICARE breach affected almost 5.2 million individuals, according to the updated federal tally. But Comacho says that figure is inaccurate. TRICARE initially informed OCR that 5.2 million were affected, but lowered its estimate to 4.9 million once it removed duplicates, he stresses.
The Aug. 10 breach at Nemours, a children's health system, affected slightly more than 1 million, according to the federal tally. But Nemours spokesman John Grabusky says the incident actually affected 1.6 million, as it originally announced. That figure includes about 1 million patients, plus guarantors, vendors and employees. So it appears that OCR only included the patients in its tally.
The OCR tally now lists 364 breach incidents affecting a total of about 18.2 million individuals. The list accounts for incidents affecting 500 or more individuals that have occurred since the HIPAA breach notification rule took effect.
Officials at OCR said Nov. 4 that they could not comment on the details of the tally for the TRICARE and Nemours incidents until consulting with investigators.
In the Nemours incident, a locked cabinet containing three unencrypted back tapes was reported missing. The cabinet is believed to have been removed during a facility remodeling project, Nemours said in a statement.
Patient billing and employee payroll information on the tapes, missing from a Wilmington, Del., facility, includes names, addresses, dates of birth, Social Security numbers, insurance information, medical treatment information and direct deposit bank account information, Nemours reported. The organization is offering those affected one year's worth of free credit monitoring and identity theft protection.
Notification is expected to be completed the week of Nov. 7, Grabusky says. The cabinet and tapes have not yet been recovered, and it has no evidence the tapes have been accessed, he adds.
Nemours is taking steps to improve security, including encrypting backup tapes, storing nonessential backup tapes at a secure offsite facility, increasing physical security for tapes stored onsite, and "enhancing backup tape destruction protocols," Grabusky says. The organization has hired an independent consultant "to do a best practice audit for backup tapes," he adds. That could lead to further changes in data storage policies.