The exposed information includes names, Social Security numbers, addresses, phone numbers, diagnoses, treatment information, provider names, provider locations and other health data such as clinical notes, laboratory tests and prescriptions. The tapes did not contain financial data, credit card or banking information. The data on the tapes came from an electronic health care application used to capture patient data.
The tapes were stolen from the car of an employee at Science Applications International Corporation (SAIC), a contractor for Tricare that handles data storage. According to a police report filed Sept. 14 in San Antonio, the burglary occurred during the day on Sept. 13 in the parking lot of a local SAIC facility when someone broke into a car through a vent window. SAIC reported the breach to Tricare Sept. 14, but the health care company waited two weeks to determine the risk to patients.
"Tricare and SAIC are working together to identify as quickly as possible all beneficiaries whose information may have been involved in the breach and notify as appropriate," Tricare said in a statement. SAIC posted a note on its main Website that it had established an incident response call center for people looking for more information about the incident. Tricare will not provide credit card monitoring to affected victims.
The incident underscores the challenges facing organizations with sensitive information, Webb said. The idea of protected information staying inside a network perimeter is "effectively dead," as organizations need to share data with partners, customers and contractors, according to Webb.
According to HealthcareInfoSecurity.com, the five biggest health information breaches since September 2009 all involved misplaced drives and laptops. In each of the incidents, data was not properly encrypted.
With 4.9 million potential victims, Tricare would be the largest health information breach reported since September 2009, HealthCareInfoSecurity.com found. Prior to Tricare, the largest breach involved 1.9 million individuals covered by health insurer Health Net after IBM misplaced server drives in January.
Backup tapes containing health records for 1.7 million patients belonging to the New York City Health and Hospitals Corporation were stolen from an armored truck in December 2010. More than 1.2 million AvMed Health Plans members had their data compromised in December 2009. Finally, 57 unencrypted hard drives with data on about 1 million patients were stolen from a BlueCross BlueShield of Tennessee facility in October 2009.
The largest health care data breach was in 2006, when a Department of Veterans Affairs laptop containing information on 26.5 million veterans was stolen. After the incident, the VA mandated that all laptops must be encrypted.