Sensitive data including Social Security Numbers, names, addresses, phone numbers and personal health data belonging to about 4.9 million active and retired U.S. military personnel may have been compromised after backup tapes containing the data went missing recently.
The information on the tapes was from an electronic healthcare application used to capture patient data. It does not include bank, credit card or other financial data, according to a statement released by TRICARE, a healthcare system for active and retired military personnel and their families.
The breach affects all those who received care at the military’s San Antonio area military treatment facilities between 1992 and Sept. 7 of this year. Those affected include individuals who had filled pharmacy prescriptions or had laboratory tests done at any of the facilities, TRICARE said.
As is often typical with such incidents, the information on the backup tapes does not appear to have been encrypted. But in its statement, TRICARE maintained that the risk of the data being misused was low “since retrieving the data on the tapes would require knowledge of and access to specific hardware and software and knowledge of the system and data structure.”
It is not immediately clear how or when Science Applications International Corporation (SAIC), a contractor for the military, discovered the breach. SAIC reported the breach to TRICARE on Sept.14. In an online FAQ, TRICARE said it waited two weeks to go public about the breach so it could first determine the degree of risk to those affected.
“We did not want to raise undue alarm in our beneficiaries” by notifying them about the data loss without first learning more about it, TRICARE said.
SAIC did not immediately respond to a request for comment.
Compromises stemming from the loss of storage media and mobile devices containing unencrypted data are common.
This year alone there have been at least 77 incidents in which laptops, backup tapes, disks and other storage media containing unencrypted data were reported lost or stolen, according to statistics maintained by Privacy Rights Clearinghouse (PRC).
Prior to the SAIC breach, a total of just over 3.2 million records containing personal data had been compromised in such incidents this year, according to the PRC.
Though security analysts have long maintained that data encryption offers a relatively simple and inexpensive way to protect data on such devices, a large number of companies still haven’t done so.