Another 4,900,000 privacy breach statistics

A backup tape containing medical records and other personal information on nearly 5 million US military personnel in the TRICARE scheme has been stolen from an SAIC employee's car. 

TRICARE is a US "health care program serving Uniformed Service members, retirees and their families worldwide".

SAIC (Science Applications International Corporation) is a "scientific, engineering, and technology applications company that uses its deep domain knowledge to solve problems of vital importance to the nation and the world, in national security, energy and the environment, critical infrastructure, and health. We do this with the constant and deliberate commitment to ethical performance and integrity that has marked SAIC since its founding".  It is best known as an IT oursourcer/service provider.

TRICARE's statement "retrieving the data on the tapes would require knowledge of and access to specific hardware and software and knowledge of the system and data structure" does not stand up well to scrutiny.  If the data had been strongly encrypted - which is generally accepted as good practice for such confidential information, or "reasonable controls" - then knowledge of hardware, software and data structures wouldn't have been a factor.  Without encryption, yes it might require a professional tape drive to get at the data, and then some time (perhaps months) analyzing the data to establish the data structure.  But if the prize is worth the investment, someone may feel lucky.  Given that the people whose personal information has been stolen include serving US military personnel, the stakes are high.

Did they really have to wait two weeks after discovery before disclosing this 'to avoid raising undue alarm'?  It sounds like their incident management, HIPAA compliance, and relationship management processes could do with a squirt of WD-40. 

TRICARE says "both SAIC and TRICARE Management Activity (TMA) are reviewing current data protection security policies and procedures to prevent similar breaches in the future".  Shame it took an incident of this magnitude to spur them into action.  If I was one of the 4.9 million, or a US taxpayer, I would be calling TRICARE and SAIC management to account for their handling of governance, compliance, policy, privacy and information security.