A data breach at a military health care provider may have exposed the personally identifiable and confidential information of 4.9 million patients.
The breach affected Science Applications International Corporation (SAIC), a McLean, Va.-based medical research company, and affected patients who received care from 1992 through Sept. 7, 2011, in military treatment facilities (including clinics and hospitals ) in the San Antonio, Texas area through TRICARE, a health care service that pays for medical treatment in civilian facilities for military personnel and their dependents. Patients whose laboratory work was processed in area facilities are also affected.
In a notification, SAIC explained that the information was stored on backup tapes from an electronic health care record, and may include patients' Social Security Numbers, addresses and phone numbers as well as medical data such as clinical notes, laboratory tests, diagnoses, prescriptions and provider names and locations. No financial data such as credit cards or bank account details were stored on the breached tapes.
SAIC spokesperson Vernon Guidry told SecurityNewsDaily that the tapes were "among items reported stolen from the automobile of an SAIC employee" in San Antonio in September. Only some of the stolen records were encrypted in compliance with federal guidelines, Guidry said.
Despite the volume of data stolen, SAIC judges the risk to affected patients to be low, "since retrieving the data on the tapes would require knowledge of and access to specific hardware and software and knowledge of the system and data structure," the statement reads.
SAIC wrote that there is "no conclusive evidence that indicated beneficiaries are at risk of identity theft," but anyone who suspects they may be affected by the breach are encouraged to monitor their credit.