Security

Military Healthcare Data Stolen 302

An anonymous reader writes "TriWest, a federal contractor providing healthcare to the military, had computer hardware stolen from one of their offices. Social security numbers, credit card numbers, and healthcare information about 500,000 US military personnel and their families are contained on the stolen hardware. The AP picked up the story. The theft is also being covered by the Salt Lake Tribune and the Arizona Republic. This opens the door to speculation about who would be interested in the data held by a military contractor and what they will do with the information."
  • by YahoKa ( 577942 ) on Friday December 27, 2002 @11:52PM (#4970634)
    To steal from somewhere the military has a huge interest. They'll probably spend the cashola on the investigation, and when they are caught someone is going to get it REALLY hard right up the ...
  • Yeeeeaaaaahhhhh.... (Score:2, Informative)

    by AirmanTux ( 636967 ) on Saturday December 28, 2002 @12:20AM (#4970733)
    I happen to be in the military, though just an Airman First Class, and due to the nature of my assignment I have to deal with contractors pretty often. Because of how the system works it seems like most of the time the military is getting hired by the contractors. More often than not we have to meet their standards and I have yet to see an off base contractor that would meet DoD 'standards' for security. Furthermore, since all of our individual records are tracked by our social security numbers we don't really have much in the way of private information (there's "Privacy Act of 1974" stickers everywhere but that's pretty much a joke to begin with). I'm not sure why there'd be credit card information there and I've never heard of TriWest (Tricare is our health provider, typo maybe?) and judging on past experience I'd be surprised if the affected military are notified. Heck, I'd be surprised if they know which individuals it was. As for whether it was the hardware or software the thieves were after, all I'm going to say is a lot happens right here in the Midwest that the general public is never aware of. There are active terrorist cells on US soil but for one reason or another there's not a lot we can do about them.
  • Re:Security (Score:2, Informative)

    by Oob the Rhox ( 636966 ) on Saturday December 28, 2002 @12:27AM (#4970750)
    Because this is health care information, HIPAA [hhs.gov], the health information portability and accountability act applies. Unfortunately, encryption is not required: under technical controls, they state: The following implementation feature must be implemented: Procedure for emergency access. In addition, at least one of the following three implementation features must be implemented: Context-based access, Role-based access, User-based access. The use of Encryption is optional. However, there are also physical access controls required, and clearly those failed.

    The real guts of the story might be that this will be a poster child for what can go wrong with centralized health care databases. In the long run, this might be a good thing to have happened.

  • by The Tyro ( 247333 ) on Saturday December 28, 2002 @12:54AM (#4970815)
    Tricare is administered by regions. When you enroll in tricare, you are assigned to a region.

    Northeast, Mid-atlantic, Gulfsouth, etc.

    There is no TRICARE West region... but judging by the number of states mentioned in the article, I'd guess this contractor was dealing with the Central region (15 states), with the possible addition of California (1 state, obviously), or the Northwest region (2 states)

    Just FYI.
  • Re:How? (Score:2, Informative)

    by JourneymanMereel ( 191114 ) on Saturday December 28, 2002 @01:26AM (#4970897)
    Why does a contractor even need SSN's, etc?

    In the military everything is tied to your social security number. It's on all my paperwork from the enlistment contract to the piece of paper where I agreed not to have sex w/my recruiter. They put it on the ID cards. I had to use it whenever I went to sick call. It's spray painted on the outside of my duffle bag. It's even on a chain that I'm wearing around my neck right now (aka, my dog tags).

    But even out in normal civilian life, the social security number is extremely overused. I tried to test drive a car once and the dealer wouldn't let me because I wouldn't give them my SSN.

  • by Anonymous Coward on Saturday December 28, 2002 @02:03AM (#4971000)
    That investigation is actually still ongoing, as you would know if you tried to research a little. As they usually do, the mainstream media sources quit reporting on it when people started to lose interest. No news does not mean no investigation.
  • Re:RTFA (Score:5, Informative)

    by FTL ( 112112 ) on Saturday December 28, 2002 @02:06AM (#4971008)
    > Only the harddrives were taken from the machines

    Keep in mind that when geeks like us talk about 'harddrives', that's not the same thing as what the general population refers to as 'harddrives'. Nearly every non-geek I've met thinks that the case is the hard drive.

    These thieves may have stolen the computers (leaving the bulky monitors), and the non-geek reporter wrote that they only took the harddrives.

  • Re:RTFA (Score:3, Informative)

    by danamania ( 540950 ) on Saturday December 28, 2002 @03:41AM (#4971259)
    This is exactly what happened recently when a computer theft racket was exposed where young kids were sent to steal machines from schools here.

    Whoever reported it wrote that kids were paid up to $AUS500 for each "hard drive" stolen from schools - the reality is kids were allegedly paid this much for stealing brand new fileservers and laptops.

    a grrl & her server [danamania.com]
  • by Anonymous Coward on Saturday December 28, 2002 @11:12AM (#4972054)
    I am going to be an AC here, as MY and my family's info could be among that stolen. Many years ago, a military member and his family could get med care on a military installation, only having to use civilian doctors for extreme or special cases.

    Fast forward to TRI-CARE (or Try-to-get-Care)...a system created to "save" Uncle Sam money. We contracted out the health care of families. In many cases, our families are FORCED to go to a civilian health provider (not always a bad thing..but when forced, you have no choice, even if there are no doctors locally accepting new patients!). Yet, we now find that the contractor has POOR physical security, yet I am supposed to trust that their computer security is better!!!

  • Provide Some Context (Score:1, Informative)

    by Anonymous Coward on Saturday December 28, 2002 @12:22PM (#4972245)
    {Posting in AC because I am not sure if I should be sharing the information below.}

    Here are some things that might help reduce the FUD level in some of these comments.

    - I do not work there.
    - This information came from someone that works within the same system, but not the same contractor.

    - Security in the building was likely to be that of a standard call center;
    -- swipe cards to get in the building
    -- receptionist at the desk watching those enter/leaving, maybe even a rent-a-cop there
    -- swipe cards to get on the floors (if any)
    -- swipe cards to get to the server room (where the theft probably occurred)
    -- cleaning staff in at night, but probably not in the server room.
    -- cameras in high-traffic areas
    -- off-hours alarms, but shifts on saturdays and early evenings (when fewer people might be around)

    - Windows Boxes (NT or 2000) for the call center staff
    - Unix based database (using a dos-type shell to access), or possibly a windows front end for users.
    - The usual under-educated, second income/ low income people working there. (Standard call center people, but those capable of learning the complex rules and procedures for medical insurance.) Not many of them would know what to do with a spare hard drive.
    - Degrees among the staff members will be rare, even in management.

    - The data involved contains at the very least; SSN, name, rank, address, medical history (sometimes 50 years of it), beneficiaries, local doctors, details of procedures, families names and addresses, copies of letters to and from the insurance companies, copies of letters to and from the insured or their families, call logs, internal process actions.

    Obviously, it would be pretty easy to walk in behind someone to get to the building, but getting into the server room might be more of a challenge as there are fewer people with access to it. (IT staff only)

    Also note, the company Triwest is up for contract renewal very soon. A theft of this type may tank their bid totally, so it is possible that the theft was designed to make them lose the contract for benefit of the other competing companies or by someone that has a gripe against the company.

    In my opinion, how dangerous this is depends on if "hard drive" means the whole computer case, or if it means "SCSI 60 meg"; and if they were in a server at the time or not. Loose drives can get swiped for lots of reasons, though probably not related to the data on them. Whole server cases could get swiped for the hardware alone, where the thief does not know how to get the data or care about what it is.

    Though, if someone went to 4 servers out of 16, or took drives from operating servers (wouldn't they notice right away if someone did that?) it is likely that the data itself was the target and one would expect all sorts of damaging stuff to happen by the release of this data.

    Of course, now that there is publicity, the drives might get destroyed if the person just wanted the drives, or if they are a true criminal (not just an amateur) they'll know the drives contain this data and the risk of it getting used goes up.
  • by Anonymous Coward on Saturday December 28, 2002 @04:54PM (#4973114)
    My wife and I are IT security consultants in the DC area, and we are both jobless and struggling. We continually see agencies like Tricare who can't or won't or don't hire people like us. Why? Because they have to hire minority quota-companies like the SBA 8(a) scam operations. The IT security of most Federal agencies is so bad it's scary. And they won't change.
