TRICARE directs SAIC to offer credit monitoring for data theft patients

The TRICARE Management Activity on Friday directed Science Applications International Corp. to provide credit monitoring services for up to 4.9 million beneficiaries whose health information was stored on backup computer tapes stolen from an SAIC employee's car in San Antonio.

The move reversed a stance TRICARE has maintained for more than six weeks. In its original announcement of the mid-September theft, TRICARE downplayed the potential vulnerability resulting from what it called a data breach. "The risk of harm to patients is judged to be low despite the data elements involved since retrieving the data on the tapes would require knowledge of and access to specific hardware and software and knowledge of the system and data structure."

In September, TRICARE did not offer credit monitoring, instead urging beneficiaries "to take steps to protect their personal information" on their own. On Oct. 10, the Defense Department was hit with a class action lawsuit seeking $4.9 billion in damages and free credit monitoring services. That was followed by a suit against SAIC, filed on Oct. 26, that also seeks $4.9 billion in damages and free credit monitoring services.

TRICARE in a statement last Friday maintained its position that the risk to any individual's personal data is minimal. "There is no evidence that any of the data has actually been accessed by a third party, and analysis shows the chance any data was actually compromised is low," the military health care program said.

Army Brig. Gen. W. Bryan Gamble, deputy director of the TRICARE Management Activity said, "We take this incident very seriously," and as a result directed SAIC provide one year of credit monitoring to patients who want it. SAIC will also analyze all available data to help TMA determine if identity theft occurs due to the data breach, Gamble said.

This could hit SAIC with a hefty bill if all 4.9 million beneficiaries whose data was on the stolen tapes ask for credit monitoring. When the Veterans Affairs Department experiences a loss, theft or exposure of this kind, it routinely offers credit monitoring services and up to $1 million annually in identity theft protection at a cost per veteran of $29.95 a year. If SAIC provided such monitoring and protection at the same rate, it would cost $146.8 million to cover 4.9 million people.

Filings in the class action lawsuit against Defense over the TRICARE data theft show that the Justice Department initially has tapped a high-profile attorney, Paul Freeborne, who handled the government's losing defense in a lawsuit against the military's "don't ask,. don't tell" policy brought by the Log Cabin Republicans, a gay Republican group.

Richard Coffman, the Beaumont, Texas, lawyer who filed the class action suit against SAIC, said he does not expect a reply from the company until the end of November.