Inside TDV - The Data Vault Blog
Car Break-in Results in Data Breach
As various news outlets have reported since the discovery of the September 13 data breach, an employee of government contractor Science Applications International Corporation (SAIC) parked a 2003 Honda Civic in downtown San Antonio, TX, where the car was burglarized. Losses include a car stereo system, a GPS device, and backup tapes containing electronic medical records for an estimated 4.9 million beneficiaries of the military TRICARE system.
The backup tapes were being transferred between government facilities by the employee, who was placed on administrative leave following the breach. Protected health information (PHI) stored on the backup tapes includes Social Security numbers, addresses, phone numbers, clinical notes, laboratory tests, prescriptions, and other medical information stored in the health system from 1992 to September 7, 2011. Among the affected patients of military hospitals and clinics are uniformed Service members, retirees, and their families.
TRICARE reported the breach on September 14 and made a general statement to the public, allowing 4-6 weeks for individual notifications. While TRICARE is directing affected members to place a free fraud alert on their credit for a period of 90 days, it is not offering credit monitoring and restoration services to protect affected individuals against possible identity theft.
According to TRICARE, there is no conclusive evidence that indicates beneficiaries are at risk of identity theft. Likewise, a SAIC spokesperson said that there is no indication of unauthorized data access. Data protection security policies and procedures are under review at both SAIC and TRICARE.
From a records management perspective, this EHR breach highlights the need for an unbroken chain of custody to maintain records integrity. According to reports, the backup tapes remained in an employee’s personal vehicle for more than 8 hours. Even if the data breach had been avoided, the authenticity of data transferred between facilities (or even between storage locations or systems within a single facility) may be called into question if there is not a well-documented and enforced chain of custody.
Although records management measures could have helped prevent the EHR breach, the technological barriers to accessing the EHRs are the remaining defense against further damage. Data encryption and specific hardware and system requirements limit the potential for meaningful data retrieval from the tapes. According to TRICARE’s public statement, the risk of harm to patients is judged to be low despite the data elements involved.
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights is responsible for enforcing HIPAA Privacy and Security Rules. In separate HHS activity, SAIC was awarded a $15 million contract for support services to the HHS Health Resources and Services Administration (HRSA) Data Warehouse (HDW). The contract was awarded after the EHR data breach.
Read the full story on the SAIC Data Breach as reported for the San Antonio Express-News.
Written by: AGriffin