One of the Pentagon's largest contractors said it had discovered a data breach affecting as many as 4.9 million patients who have received care from military facilities in San Antonio since 1992.
Science Applications International Corp. said the breach involved backup computer tapes from an electronic health care record. Some of the information included Social Security numbers, addresses, phone numbers and private health information for patients in 10 states.
A statement posted on the Defense Department's Tricare health system website said no credit card or bank account information was on the backup tapes.
Tricare covers military retirees as well as active-duty troops and their dependents.
“The risk of harm to patients is judged to be low despite the data elements involved since retrieving the data on the tapes would require knowledge of and access to specific hardware and software and knowledge of the system and data structure,” the website statement said.
Vernon Guidry, a spokesman for SAIC, a McLean, Va.-based scientific, engineering and technology applications firm, could not say when the data from the backup tapes was compromised.
The statement on Tricare's website, however, said the tapes contained information on patients who visited San Antonio military hospitals and clinics or had tests analyzed here from 1992 through Sept. 7. The San Antonio Military Medical Center, formerly BAMC, was apparently unaware of the breach.
The tapes held data on people living throughout Tricare's southern region, which includes Alabama, Arkansas, Florida, Georgia, Louisiana, Mississippi, Oklahoma, South Carolina, Tennessee and Texas with the exception of El Paso.
The data “include, but are not limited to names, Social Security numbers, addresses, diagnoses, treatment information, provider names, provider locations and other patient” information, the two-page statement said. Clinical notes, lab tests and prescription information also may be on the tapes.
Guidry didn't say how the backup tapes were lost. He said the breach “consisted of the loss of storage media, not an electronic breach. There was a loss of magnetic storage media.”
SAIC did not issue a news release about the data breach on its website. One corner of the SAIC home page, though, said an “Incident Response Call Center” had been created for Tricare patients. The firm's brief statement did not use the word breach, instead describing it as a “reported loss of back-up computer tapes containing personally identifiable and protected health information” for Tricare patients.
Guidry said his company “was the custodian of the data when the breach occurred,” and that it was reported to the San Antonio Police Department when discovered Sept. 14.
He said “there was no indication whatsoever” that the data had been used for some illegal purpose and didn't think that was likely. The statement on Tricare's website said it and the company were working to identify beneficiaries whose information may have been involved in the breach.
The release advised the beneficiaries to monitor their credit and seek a free fraud alert for 90 days using a Federal Trade Commission website. Beneficiaries also can call the SAIC Incident Response Call Center from 8 a.m. to 5 p.m. at (855) 366-0140.
SAIC has had data breaches in the past, but Guidry said there was no evidence of similar problems occurring in other parts of his company.
He declined to explain why the breach wasn't revealed sooner, but the statement on Tricare's website said officials waited to make the incident public because “we did not want to raise undue alarm in our beneficiaries and so wanted to determine the degree of risk this data loss represented before making notifications.”