SAIC is on the financial hook for theft of 4.9 million health records

Science Applications International Corp. will have to pay for costs associated with notifying 4.9 million beneficiaries whose personal information was recorded on backup computer tapes stolen in September, the military's health-care program TRICARE confirmed Tuesday.

The tapes contained health information and other data that could be used in identity theft and fraud, including Social Security numbers, addresses and phone numbers. The tapes were stolen from the car of an SAIC employee in San Antonio last month.

Austin Camacho, a TRICARE Management Activity spokesman, said in a statement emailed to Nextgov that SAIC is "contractually bound to mitigate the harmful effects of such disclosure. SAIC has already started these mitigation efforts, including individual notification of those impacted."

Camacho added that SAIC's mitigation operation relieves TRICARE of the cost of handling the notifications.

SAIC spokesman Vernon Guidry had said on Monday the company would operate call centers and mail out theft notifications at no cost to the government.

Larry Ponemon, chairman of Ponemon Institute, a research organization that specializes in privacy and data protection, estimated mail notification could run as high $7 per person, which means SAIC could face a bill of $34.7 million to notify all 4.9 million TRICARE beneficiaries.

The 2009 Health Information Technology for Economic and Clinical Health Act, enacted as part of the 2009 American Recovery and Reinvestment Act, specifies fines as high as $1.5 million for what it calls a breach of health care data.

Camacho said, "The Department of Health and Human Services has the discretion to investigate the conduct of both the TRICARE Management Activity and SAIC and assuming it does so will ultimately make the determination as to whether and against whom it seeks to levy any penalties."