Friday, July 20, 2007

More Military Medical Records Exposed

Not just military, but dependents too. I hope none of you all are caught up in this.

Data security lapse affects almost 900,000
By William H. McMichael - Staff writer
Posted: Friday Jul 20, 2007 15:38:36 EDT

The coded personal health care records of nearly 900,000 troops, family members and other government employees stored on a private defense contractor’s nonsecure computer server were exposed to compromise, the company announced Friday.

SAIC said the information, maintained under several health care contracts with the government, included combinations of names, addresses, Social Security numbers, birth dates and/or “limited health information in the form of codes.” It was stored on a single, SAIC-owned, nonsecure server in Shalimar, Fla., and was in some cases transmitted over the Internet in an unencrypted form. The information was exposed while being processed, the company said.

SAIC said a forensic analysis by top computer security experts “has not yielded any information that any personal information was actually compromised,” but added that “the possibility cannot be ruled out.”

Although SAIC announced the data breach Friday, the company acknowledged it has known about the problem since May 29, when U.S. Air Forces Europe notified SAIC that it had “detected an unsecure transmission of this personal information,” said SAIC spokeswoman Connie Custer.

However, SAIC had concerns about a potential problem even earlier. Two weeks before USAFE contacted the contractor, SAIC shut down the server “based on general concerns regarding the security of transmissions,” SAIC spokeswoman Melissa Koskovich said. SAIC confirmed that personal information had in fact been transmitted in an unsecure manner and stored on an unsecured computer.

Koskovich said the server has been shut down ever since. Neither she nor Custer knew the length of time over which the security lapse occurred, or when the company first began storing data at the site. “We’re working that now,” Custer said.

Storage of the data on an unsecure server is a violation of both SAIC and Defense Department policy, Custer said. Asked why an unsecure server was used to store the data, she said, “We’re trying to find that out. We’re doing an investigation.”

The Pentagon immediately expressed concern.
“We take this very seriously, and we’re taking all the steps necessary to make sure this doesn’t happen again,” said Defense Department spokeswoman Cynthia Smith, who also confirmed the department’s requirement for secure storage of the data.

But Smith downplayed this particular instance, saying “the risk for compromise is low” and that “there’s been no evidence of compromise.”

SAIC Executive Vice President Arnold Punaro said the nearly two-month delay in announcing the problem was unavoidable.
“We regret that it took a little bit longer than we would have liked,” he said, but added the time was needed to make an “accurate assessment” of the extent of the problem.
“Our task force has been working literally around the clock,” he said. “It was a massive amount of data.”

Experts initially had to accurately assess exactly what data was on the server. Some, Punaro said, was no more than a piece of an individual’s record, such as an isolated medical appointment file. As such, all records had to be matched against government Defense Enrollment Eligibility Reporting System, or DEERS, records, to determine how, with government permission, to contact individuals, he said.

FBI, Secret Service and other top computer experts were brought in to help analyze the problem, Punaro said.

SAIC said it is notifying those affected; about 867,000 individual records were involved. That includes 173,939 soldiers; 151,315 airmen; 96,925 sailors; 26,171 Marines; 10,415 Coast Guardsmen; 2,164 members of the U.S. Public Health Service; and 104 members of the National Oceanic and Atmospheric Administration. The remaining 406,000 are family members of those personnel.

The company has taken full responsibility for the lapse.
“We deeply regret this security failure, and I want to extend our apologies to those affected by it,” said chairman and chief executive officer Ken Dahlberg. “We are concerned about the inconvenience and risk of potential compromise of personal information this may cause. The security failure is completely unacceptable and occurred as a result of clear violations of SAIC’s strong internal IT security policies. We let down our customers and the service members whom we support. For this, we are very sorry.”

SAIC said the company is working with the affected agencies to “mitigate any potential inconvenience or harm” the security lapse may have caused. It has retained Kroll Inc. to help those whose records were exposed. Kroll will operate an Incident Response Center with extended hours, information resources and credit and identity restoration services for any victims of related identity theft.

Those potentially affected will be provided the contact information by mail, Punaro said. All assistance will be provided at no cost to the government or affected persons.
The company’s internal investigation is being conducted using outside counsel to determine how the security lapse occurred. It also has placed “a number” of employees on administrative leave pending the investigation’s outcome, it said.

For more information, go to http://www.saic.com/response.
