
Personally Identifiable and Protected Health Information Data Breach


On February 8, 2012, TRICARE Management Activity (TMA) learned of a potential compromise involving personally identifiable and protected health information (PII/PHI) impacting 1,175 Military Health System beneficiaries. The data includes patient names, Social Security Numbers, dates of birth, enrollment status, and medical specialty referral information. No financial information, such as credit card or bank account information, and no personal contact information, such as home addresses and phone numbers, was involved.

TMA was notified by the Defense Information Systems Agency's Global NetOps Support Center that a file containing the above-mentioned information was accessed on February 4, 2012, by an unknown IP address overseas. The file consisted of a presentation that was briefed at a 2003 TRICARE Conference, and contained a hidden, embedded spreadsheet of referral patient record fields that included the personal information. Upon notification, we determined that links to this file had previously been removed from the public web site, but the file remained on the TMA server. Therefore, we immediately removed the file from the server and have confirmed that it is no longer accessible. As of today, we have been unable to determine if, indeed, anyone's information was wrongfully compromised; however, considering the totality of the circumstances, we determined that potentially impacted persons or households would be notified of this incident via letter.

As soon as we learned of the incident, we took steps to identify and locate all of the information embedded within the file, to determine who should receive notification of the incident. While the mailing of notification letters is set to take place this week, we have been unable to ascertain current addresses for an estimated 75 individuals and, therefore, TMA is posting this substitute web announcement in an effort to reach those individuals for whom an address was unavailable. Other steps taken to prevent similar occurrences in the future include TMA review and enhancement of its security policies, implementation of technical solutions to protect against data exposure, and strengthening of network operation security business processes. TMA continuously reviews its security posture, seeking to implement solutions to further enhance our protection of beneficiary information.

Anyone who suspects that they were impacted by this incident is urged to take steps to protect their personal information and should be guided by the tips available on the Federal Trade Commission (FTC) Web site. The FTC Web site provides information on protecting your identity against fraud and instructions on placing a free fraud alert on your credit for a period of 90 days at: http://www.ftc.gov/bcp/edu/pubs/consumer/idtheft/idt04.shtm.

Concerned patients can contact Ms. Linda S. Thomas, Director, TMA Privacy and Civil Liberties Office, at (703) 681-7500 between 8 a.m. and 5 p.m. Eastern Time or via email, at PrivacyMail@tma.osd.mil.

Questions & Answers

Whose personal information is at risk of compromise?

Specialty care referral data in charts for approximately 1,175 patients was used in worksheets to derive de-identified PowerPoint charts for an educational conference presentation made in 2003. The underlying individual data is not visible in the PowerPoint unless someone takes steps to look for it, knowing it is there.

When did this data breach occur?

The report from the Defense Information Systems Agency's Global NetOps Support Center stated the access took place on February 4, 2012. TRICARE Management Activity learned of this data breach on February 8, 2012.

What type of information was lost?

The PII/PHI data elements involved include: names, sponsor's Social Security Numbers if you are not the sponsor, dates of birth, patient name, referral information, and enrollment status. It did not include any financial data, such as credit card or bank account information or any personal contact information, such as phone numbers and home addresses.

Can just anyone access this data?

No. The risk of harm is judged to be moderate since we have no evidence indicating that your information was wrongfully compromised. Also, retrieving the information requires knowledge of its existence and also the skills to recover it. We want you to know that we immediately removed the file from the server and have confirmed that it is no longer accessible to the public.

Why has there been a delay in notifications?

The notifications actually took place within 10 workdays of the time we could locate addresses for the affected individuals, and thus were quite timely. When we were first notified of the incident, we were not sure of the full scope until we worked closely with our Network Operations Division to retrieve and review the files in question. Our comprehensive analysis began with the review of raw data, and we didn't know that you were affected by this incident until we completed our analysis and received your name and current address from the Defense Enrollment Eligibility Reporting System on March 6, 2012. As noted, in accordance with DoD regulatory requirements, notification was made within the DoD Regulations' time frame.

What should affected beneficiaries do to protect themselves?

Beneficiaries can monitor their credit and place a free fraud alert on their credit for a period of 90 days using the Federal Trade Commission (FTC) web site. The FTC site also provides other valuable information regarding actions that can be taken now or in the future, should any problems develop. This information is available at: http://www.ftc.gov/bcp/edu/microsites/idtheft/consumers/defend.html.

Will credit monitoring and restoration services be provided to protect affected individuals against possible identity theft? If no, why not?

No. To date, we have no conclusive evidence that indicates beneficiaries are at risk of identity theft, and in addition the information is not visible without taking particular steps and knowing already that it is there to be found. However, TMA will continue to monitor this situation and proceed accordingly.

How can affected beneficiaries get more information?

Beneficiaries can call Ms. Linda Thomas, Director, TRICARE Management Activity Privacy and Civil Liberties Office, Monday through Friday from 8 a.m. to 5 p.m. Eastern Standard Time at (703) 681-7500 or via email at PrivacyMail@tma.osd.mil.