recommended reading

Stolen TRICARE health records did not meet federal encryption standards

Computer tapes containing health care information on 4.9 million TRICARE beneficiaries stolen from the car of a Science Applications International Corp. employee in San Antonio, Texas, earlier this month were not encrypted in compliance with federal standards, SAIC said.

The Texas TRICARE data theft is the largest health data breach since February 2010, when the Health and Human Services Department began requiring health care organizations to post on a website breaches of health information affecting more than 500 people.

Vernon Guidry, an SAIC spokesman, said in a statement that "some personal information was encrypted prior to being backed up on the tapes." But, he added, "the operating system used by the government facility to perform the backup onto the tape was not capable of encrypting data in a manner that was compliant with the relevant federal standard."

That facility, which Guidry did not identify, "was seeking a compliant encryption solution that would work with the operating system when the backup tapes were taken."

The Health Information Technology for Economic and Clinical Health Act, part of the 2009 American Recovery and Reinvestment Act, requires health care organizations to ensure that patient information in health records is unusable, unreadable, or indecipherable to unauthorized individuals. In August 2009, HHS published an interim rule requiring either encryption or destruction to ensure the security of health records.

That rule cites guidelines developed by the National Institute of Standards and Technology that say federal agencies should encrypt data using the Advanced Encryption Standard, developed by NIST and adopted as a federal standard in 2002.

TRICARE did not respond to queries from Nextgov about the data theft. It is unclear what kind of encryption was used in San Antonio and why it did not adhere to federal standards.

HITECH also requires health care organizations to conduct risk assessments of the security of patient data, and Sean Glynn, marketing vice president for Credant Technologies, a data security firm in Addison, Texas, said such assessments should focus on physical as well as cybersecurity.

Referring to the San Antonio data theft, Glynn said he was surprised that a computer tape containing millions of health records was left in an SAIC employee's vehicle for an entire work day. Glynn said he would suggest using an armored car to transport such a large amount of sensitive data.

Credant provides technology to ensure that backups of health care information cannot be performed without automatic encryption, ensuring enforcement of encryption policies.

Roughly 60 percent of the data breaches posted on the HHS website since 2010 involve the theft or loss of laptops or magnetic media such as thumb drives. Glynn said this indicates that the security of health information is a human issue that requires training and strict enforcement of security policies.

Threatwatch Alert

Stolen laptop

Wireless Heart Monitor Maker to Pay $2.5M Settlement to HHS After Laptop Stolen

See threatwatch report


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Modernizing IT for Mission Success

    Surveying Federal and Defense Leaders on Priorities and Challenges at the Tactical Edge

  • Communicating Innovation in Federal Government

    Federal Government spending on ‘obsolete technology’ continues to increase. Supporting the twin pillars of improved digital service delivery for citizens on the one hand, and the increasingly optimized and flexible working practices for federal employees on the other, are neither easy nor inexpensive tasks. This whitepaper explores how federal agencies can leverage the value of existing agency technology assets while offering IT leaders the ability to implement the kind of employee productivity, citizen service improvements and security demanded by federal oversight.

  • Effective Ransomware Response

    This whitepaper provides an overview and understanding of ransomware and how to successfully combat it.

  • Forecasting Cloud's Future

    Conversations with Federal, State, and Local Technology Leaders on Cloud-Driven Digital Transformation

  • IT Transformation Trends: Flash Storage as a Strategic IT Asset

    MIT Technology Review: Flash Storage As a Strategic IT Asset For the first time in decades, IT leaders now consider all-flash storage as a strategic IT asset. IT has become a new operating model that enables self-service with high performance, density and resiliency. It also offers the self-service agility of the public cloud combined with the security, performance, and cost-effectiveness of a private cloud. Download this MIT Technology Review paper to learn more about how all-flash storage is transforming the data center.


When you download a report, your information may be shared with the underwriters of that document.