TRICARE data theft was targeted?

When sensitive data of nearly 5 million TRICARE patients was compromised last September due to the theft of backup tapes from an employee’s car, the company quickly jumped to reassure its customers that “the risk of harm to patients is judged to be low despite the data elements involved since retrieving the data on the tapes would require knowledge of and access to specific hardware and software and knowledge of the system and data structure.”

But low risk isn’t no risk, and as it turns out, the theft was very likely planned by someone who knew how the information contained in those unencrypted tapes can be successfully extracted.

The records included names, addresses, phone and Social Security numbers, and specific health data of current and former military personnel and their families, but were said not to contain any financial data.

Nevertheless, a number of patients have come forward and have filed a $4.9 billion class action lawsuit against the Department of Defense and TRICARE contractor Science Applications International Corporation, saying that their credit cards have been misused and their bank accounts raided by unknown individuals due to the data breach.

Their claim seems to have merit, as the tapes containing the data were stolen from the employee’s 2003 Honda Civic which was parked in a garage and surrounded by many luxury cars – none of which were broken into.

“The thief or thieves stealthily broke into the employee’s Honda Civic and took the unencrypted backup tapes and records, thereby gaining information worth billions of dollars. The nature of this theft supports the logical inference that the thief or thieves were specifically targeting the confidential information contained on the backup tapes and records,” it is stated in the complaint.

According to Nextgov, a number of other lawsuits have been filed against TRICARE and the government in the meantime, and they will likely be consolidated.