thedrifter
07-20-07, 10:50 AM
900,000 health records possibly compromised
By William H. McMichael - Staff writer
Posted : Friday Jul 20, 2007 11:32:42 EDT

The personal health care records of close to 900,000 troops, family members and other government employees stored on a private defense contractor’s nonsecure computer server were exposed to compromise, the company announced Friday.

SAIC said the information, maintained under several Tricare health care contracts with the Defense Department, included combinations of names, addresses, Social Security numbers, birth dates and/or “limited health information in the form of codes.” It was stored on a single, SAIC-owned, nonsecure server “at a small SAIC location” and was in some cases transmitted over the Internet in an unencrypted form. The information was exposed while being processed, the company said.

Although SAIC announced the data breach Friday, the company acknowledged it has known about the problems since May 29, when U.S. Air Forces Europe notified SAIC that it had detected “an unsecure transmission of personal information concerning uniformed service members and other individuals,” according to a SAIC press release.

However, SAIC had concerns about a potential problem even earlier. Two weeks before USAFE contacted the contractor, SAIC shut down the server “based on general concerns regarding the security of transmissions,” the press release said. SAIC confirmed that personal information had, in fact, been transmitted in a nonsecure manner and stored on an unsecured computer.

SAIC officials said the security lapses were “remedied” once they were discovered, and added that forensic analysis has shown no indications that any of the lost personal data was actually compromised. However, “the possibility cannot be ruled out,” the press release said.

SAIC is notifying about 580,000 households, “some with more than one affected person,” according to the release.

Affected are service members and family members of the Army, Navy, Air Force, Marine Corps and the Department of Homeland Security. The breakdown includes 173,939 Army; 151,315 Air Force; 96,925 Navy; 26,171 Marine and 10,415 Coast Guard. All told, SAIC officials said, the breach involves data on 867,000 individuals.

The company has taken full responsibility for the lapse.

“We deeply regret this security failure and I want to extend our apologies to those affected by it,” said chairman and chief executive officer Ken Dahlberg. “The security failure is completely unacceptable and occurred as a result of clear violations of SAIC’s strong internal IT security policies.

“In this instance, we did not live up to the high level of performance that our customers have learned to expect and demand from us,” Dahlberg said. “We let down our customers and the service members whom we support. For this, we are very sorry.”

SAIC said the company is working with the affected agencies to “mitigate any potential inconvenience or harm” the security lapse may have caused. It has retained Kroll Inc. to help out those affected, opening an Incident Response Center with extended hours, information resources and credit and identity restoration services for any victims of related identity theft. All will be provided at no cost to the government or affected persons, SAIC said.

The company has also launched an internal investigation to determine how the security lapse occurred and has placed “a number” of employees on administrative leave pending the investigation’s outcome, according to the press release.

Read the SAIC response

www.saic.com/response/

Ellie