Tricare Breach Shows Health Care Groups Still Not Encrypting Patient Data

By Fahmida Y. Rashid  |  Posted 2011-10-03

Tricare Breach Shows Health Care Groups Still Not Encrypting Patient Data

Last week's data breach of patient health records at a military health care provider is a sign that major organizations are still not properly encrypting their data, despite compliance regulations.

Tricare, a provider of health care services to active and retired military personnel, disclosed Sept. 29 that a third-party technology contractor had misplaced backup tapes containing sensitive patient health information while transferring them between Federal facilities in San Antonio, Texas. The data breach could potentially affect 4.9 million patients, Tricare said.

While some of the data may have been encrypted, it's not yet known exactly what information was protected. Tricare said the risk to affected patients was "low" since retrieving the data stored on the tapes would "require knowledge of and access to specific hardware and software, [and] knowledge of the system and data structure," the company said in a statement.

While there are situations in which the urgency to encrypt data would seem quite low, once the tapes are taken outside the data center and transported out in the "exposed world," risk goes up exponentially, Lark Allen, executive vice president of business development, wrote on the Wave Systems blog.

Under the Health Insurance Portability and Accountability Act's breach-notification rule, data breaches involving data that was fully encrypted to meet a federal standard do not have to be reported. The fact that Tricare did disclose the incident was an indication the data was not fully protected.

It appeared that Tricare does not have a policy in place mandating that backup tapes be encrypted. SAIC and Tricare were in the midst of deploying a system that would encrypt all data to comply with federal mandates, such as the Federal Information Security Management Act, and had made a "good faith" effort to protect some of the data, according to Allen.

Data-protection laws are "crystal clear" about how data must be stored, Allen said. Data must be encrypted, and it must follow defined processes, according to Allen.

While employees need to be trained to understand the importance of keeping data private, organizations have to assume that information could potentially be exposed, Geoff Webb, senior product manager at Credant Technologies, told eWEEK. Organizations need a combination of tools to protect their environment and data, including data-centric security measures such as encryption, according to Webb.

The lost backup tapes contained health care information from 1992 to Sept. 7, 2011, for patients who visited a military treatment facility in the San Antonio, Texas-area or either filled a pharmacy prescription or had laboratory tests done at one of the facilities.

Backup Tapes Stolen in Car Break-In

The exposed information includes names, Social Security numbers, addresses, phone numbers, diagnoses, treatment information, provider names, provider locations and other health data such as clinical notes, laboratory tests and prescriptions. The tapes did not contain financial data, credit card or banking information. The data on the tapes came from an electronic health care application used to capture patient data.

The tapes were stolen from the car of an employee at Science Applications International Corporation (SAIC), a contractor for Tricare that handles data storage. According to a police report filed Sept. 14 in San Antonio, the burglary occurred during the day on Sept. 13 in the parking lot of a local SAIC facility when someone broke into a car through a vent window. SAIC reported the breach to Tricare Sept. 14, but the health care company waited two weeks to determine the risk to patients.

"Tricare and SAIC are working together to identify as quickly as possible all beneficiaries whose information may have been involved in the breach and notify as appropriate," Tricare said in a statement. SAIC posted a note on its main Website that it had established an incident response call center for people looking for more information about the incident. Tricare will not provide credit card monitoring to affected victims.

The incident underscores the challenges facing organizations with sensitive information, Webb said. The idea of protected information staying inside a network perimeter is "effectively dead," as organizations need to share data with partners, customers and contractors, according to Webb.

According to, the five biggest health information breaches since September 2009 all involved misplaced drives and laptops. In each of the incidents, data was not properly encrypted.

With 4.9 million potential victims, Tricare would be the largest health information breach reported since September 2009, found. Prior to Tricare, the largest breach involved 1.9 million individuals covered by health insurer Health Net after IBM misplaced server drives in January.

Backup tapes containing health records for 1.7 million patients belonging to the New York City Health and Hospitals Corporation were stolen from an armored truck in December 2010. More than 1.2 million AvMed Health Plans members had their data compromised in December 2009. Finally, 57 unencrypted hard drives with data on about 1 million patients were stolen from a BlueCross BlueShield of Tennessee facility in October 2009.

The largest health care data breach was in 2006, when a Department of Veterans Affairs laptop containing information on 26.5 million veterans was stolen. After the incident, the VA mandated that all laptops must be encrypted.


Rocket Fuel