recommended reading

Stolen TRICARE health records did not meet federal encryption standards

Computer tapes containing health care information on 4.9 million TRICARE beneficiaries stolen from the car of a Science Applications International Corp. employee in San Antonio, Texas, earlier this month were not encrypted in compliance with federal standards, SAIC said.

The Texas TRICARE data theft is the largest health data breach since February 2010, when the Health and Human Services Department began requiring health care organizations to post on a website breaches of health information affecting more than 500 people.

Vernon Guidry, an SAIC spokesman, said in a statement that "some personal information was encrypted prior to being backed up on the tapes." But, he added, "the operating system used by the government facility to perform the backup onto the tape was not capable of encrypting data in a manner that was compliant with the relevant federal standard."

That facility, which Guidry did not identify, "was seeking a compliant encryption solution that would work with the operating system when the backup tapes were taken."

The Health Information Technology for Economic and Clinical Health Act, part of the 2009 American Recovery and Reinvestment Act, requires health care organizations to ensure that patient information in health records is unusable, unreadable, or indecipherable to unauthorized individuals. In August 2009, HHS published an interim rule requiring either encryption or destruction to ensure the security of health records.

That rule cites guidelines developed by the National Institute of Standards and Technology that say federal agencies should encrypt data using the Advanced Encryption Standard, developed by NIST and adopted as a federal standard in 2002.

TRICARE did not respond to queries from Nextgov about the data theft. It is unclear what kind of encryption was used in San Antonio and why it did not adhere to federal standards.

HITECH also requires health care organizations to conduct risk assessments of the security of patient data, and Sean Glynn, marketing vice president for Credant Technologies, a data security firm in Addison, Texas, said such assessments should focus on physical as well as cybersecurity.

Referring to the San Antonio data theft, Glynn said he was surprised that a computer tape containing millions of health records was left in an SAIC employee's vehicle for an entire work day. Glynn said he would suggest using an armored car to transport such a large amount of sensitive data.

Credant provides technology to ensure that backups of health care information cannot be performed without automatic encryption, ensuring enforcement of encryption policies.

Roughly 60 percent of the data breaches posted on the HHS website since 2010 involve the theft or loss of laptops or magnetic media such as thumb drives. Glynn said this indicates that the security of health information is a human issue that requires training and strict enforcement of security policies.

Threatwatch Alert

Thousands of cyber attacks occur each day

See the latest threats


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Data-Centric Security vs. Database-Level Security

    Database-level encryption had its origins in the 1990s and early 2000s in response to very basic risks which largely revolved around the theft of servers, backup tapes and other physical-layer assets. As noted in Verizon’s 2014, Data Breach Investigations Report (DBIR)1, threats today are far more advanced and dangerous.

  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

  • PIV- I And Multifactor Authentication: The Best Defense for Federal Government Contractors

    This white paper explores NIST SP 800-171 and why compliance is critical to federal government contractors, especially those that work with the Department of Defense, as well as how leveraging PIV-I credentialing with multifactor authentication can be used as a defense against cyberattacks

  • Toward A More Innovative Government

    This research study aims to understand how state and local leaders regard their agency’s innovation efforts and what they are doing to overcome the challenges they face in successfully implementing these efforts.

  • From Volume to Value: UK’s NHS Digital Provides U.S. Healthcare Agencies A Roadmap For Value-Based Payment Models

    The U.S. healthcare industry is rapidly moving away from traditional fee-for-service models and towards value-based purchasing that reimburses physicians for quality of care in place of frequency of care.

  • GBC Flash Poll: Is Your Agency Safe?

    Federal leaders weigh in on the state of information security


When you download a report, your information may be shared with the underwriters of that document.