Tricare Breach Shows Health Care Groups Still Not Encrypting Patient Data

Despite various federal mandates requiring organizations to encrypt their data, the breach of 4.9 million patient records at a military health care provider shows few are doing so.

Last week's data breach of patient health records at a military health care provider is a sign that major organizations are still not properly encrypting their data, despite compliance regulations.

Tricare, a provider of health care services to active and retired military personnel, disclosed Sept. 29 that a third-party technology contractor had misplaced backup tapes containing sensitive patient health information while transferring them between Federal facilities in San Antonio, Texas. The data breach could potentially affect 4.9 million patients, Tricare said.

While some of the data may have been encrypted, it is not yet known exactly what information was protected. Tricare said in a statement that the risk to affected patients was "low," since retrieving the data stored on the tapes would "require knowledge of and access to specific hardware and software, [and] knowledge of the system and data structure."

While there are situations in which the urgency to encrypt data would seem quite low, once the tapes are taken outside the data center and transported out in the "exposed world," risk goes up exponentially, Lark Allen, executive vice president of business development, wrote on the Wave Systems blog.

Under the Health Insurance Portability and Accountability Act's breach-notification rule, data breaches involving data that was fully encrypted to meet a federal standard do not have to be reported. The fact that Tricare did disclose the incident was an indication the data was not fully protected.

It appeared that Tricare did not have a policy in place mandating that backup tapes be encrypted. SAIC, the contractor, and Tricare were in the midst of deploying a system that would encrypt all data to comply with federal mandates, such as the Federal Information Security Management Act, and had made a "good faith" effort to protect some of the data, according to Allen.

Data-protection laws are "crystal clear" about how data must be stored, Allen said. Data must be encrypted, and it must follow defined processes, according to Allen.

While employees need to be trained to understand the importance of keeping data private, organizations have to assume that information could potentially be exposed, Geoff Webb, senior product manager at Credant Technologies, told eWEEK. Organizations need a combination of tools to protect their environment and data, including data-centric security measures such as encryption, according to Webb.

The lost backup tapes contained health care information from 1992 to Sept. 7, 2011, for patients who visited a military treatment facility in the San Antonio, Texas, area, or who filled a pharmacy prescription or had laboratory tests done at one of those facilities.