Sensitive data including Social Security Numbers, names, addresses, phone numbers and personal health data belonging to about 4.9 million active and retired U.S. military personnel may have been compromised after backup tapes containing the data went missing recently.
The information on the tapes was from an electronic healthcare application used to capture patient data. It does not include bank, credit card or other financial data, according to a statement released by TRICARE, a healthcare system for active and retired military personnel and their families.
The breach affects all those who received care at the military's San Antonio area military treatment facilities between 1992 and Sept. 7 of this year. Those affected include individuals who had filled pharmacy prescriptions or had laboratory tests done at any of the facilities, TRICARE said.
As is often typical with such incidents, the information on the backup tapes does not appear to have been encrypted. But in its statement, TRICARE maintained that the risk of the data being misused was low "since retrieving the data on the tapes would require knowledge of and access to specific hardware and software and knowledge of the system and data structure."
It is not immediately clear how or when Science Applications International Corporation (SAIC), a contractor for the military, discovered the breach. SAIC reported the breach to TRICARE on Sept.14. In an online FAQ, TRICARE said it waited two weeks to go public about the breach so it could first determine the degree of risk to those affected.
"We did not want to raise undue alarm in our beneficiaries" by notifying them about the data loss without first learning more about it, TRICARE said.
Vernon Guidry, vice president for media relations at SAIC, said the removable backup tapes were among items reported stolen from an employee's car. In an emailed statement, Guidry said the SAIC employee was transferring the tapes between federal facilities in San Antonio when they were stolen.
"SAIC is working with the local police department, the Defense Criminal Investigative Services and a private investigator to attempt to recover the backup tapes," Guidry said.
Guidry added that some personal information had been encrypted before being backed up. "However, the operating system used by the government facility ... to perform the backup onto the tape was not capable of encrypting data in a manner that was compliant with a particular federal standard," he said, apparently referring to the Federal Information Security Management Act (FISMA). "The government facility was seeking a compliant encryption solution that would work with the operating system when the backup tapes were taken."
Compromises stemming from the loss of storage media and mobile devices containing unencrypted data are common.
This year alone there have been at least 77 incidents in which laptops, backup tapes, disks and other storage media containing unencrypted data were reported lost or stolen, according to statistics maintained by Privacy Rights Clearinghouse (PRC).
Prior to the SAIC breach, a total of just over 3.2 million records containing personal data had been compromised in such incidents this year, according to the PRC.
Though security analysts have long maintained that data encryption offers a relatively simple and inexpensive way to protect data on such devices, a large number of companies still haven't done so.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is firstname.lastname@example.org.