NOTE: You may view\post comments about this and other TRICARE news releases on the TRICARE Facebook Wall at http://www.facebook.com/TRICARE?sk=wall SAIC Data Breach ================ Letters are being mailed from Science Applications International Corporation (SAIC) to affected military clinic and hospital patients regarding a data breach involving personally identifiable and protected health information (PII/PHI). On Sept. 14, 2011, SAIC reported the loss of backup tapes containing electronic health care records used in the military health system (MHS) to capture patient data from 1992 through Sept. 7, 2011 in San Antonio area military treatment facilities (MTFs), including filling pharmacy prescriptions and other patients whose laboratory workups were processed in these same MTFs, even if the patients were receiving treatment elsewhere. The data may include Social Security numbers, addresses and phone numbers, and some personal health data such as clinical notes, laboratory tests and prescriptions. There is no financial data, such as credit card or bank account information, on the backup tapes. The risk of harm to patients is judged to be low since retrieving the data on the tapes would require knowledge of, and access to, specific hardware and software and knowledge of the system and data structure. As a precaution, the Assistant Secretary of Defense (Health Affairs) determined that SAIC should notify potentially impacted persons or households of this incident by letter. As directed by TRICARE Management Activity (TMA), SAIC will provide credit monitoring and credit restoration services for one year for patients requesting them. The credit restoration services being provided exceeds current industry standards for responding to a data breach. SAIC's Incident Response Center is available to answer your questions, including helping you with signing up for credit monitoring, Monday through Friday from 9am to 6pm eastern time. Concerned patients should call the response center to ask questions and verify authenticity of the letter: United States, call toll free: (855) 366-0140 International, call collect at (952) 556-8312 For more information: - View the TRICARE Management Activity News Release at http://www.tricare.mil/mediacenter/news.aspx?fid=738 - View the Department of Defense News Release at http://www.defense.gov/releases/release.aspx?releaseid=14905 Questions & Answers =================== QUESTION: I received a letter from SAIC. Is it a hoax? ANSWER: No. The Assistant Secretary of Defense for Health Affairs directed SAIC to notify potentially impacted persons by letter. The letter from SAIC informs you of the incident and provides you with details about how to sign up for the free credit monitoring and restoration services for one year. Please double check the letter you received from SAIC to ensure contact information matches the toll free phone numbers as these are the ONLY valid phone numbers to verify authenticity and obtain assistance. Call the SAIC Incident Response Call Center at: United States, call toll-free: 1-855-366-0140; International, call collect: 1-952-556-8312. QUESTION: I received a different communication from SAIC, what should I do? ANSWER: Please double check the letter you received from SAIC to ensure contact information matches the below toll free phone numbers as these are the ONLY valid phone numbers to verify authenticity and obtain assistance. Unless you specifically left your contact information for a call back from SAIC, if you receive phone calls or are contacted by other means, such as e-mail, you should protect your personal information and verify authenticity by calling the SAIC Incident Response Call Center at: United States, call toll-free: 1-855-366-0140; International, call collect: 1-952-556-8312. Those are the only authorized phone numbers for this incident. QUESTION: Who is SAIC and why did they have my information? ANSWER: SAIC is a government contractor supporting the Military Health System (MHS). Under the contract, SAIC has the task of transporting backup tapes between federal facilities. More information about SAIC is available on the company's web site: www.saic.com. An announcement concerning the data breach is on the SAIC front page. QUESTION: Who is the person who signed the letter, Walter P. Havenstein? ANSWER: Mr. Havenstein is the Chief Executive Officer of SAIC. SAIC is working closely with the government to mitigate the inconvenience and potential harm the possible compromise of personal information may cause patients. QUESTION: How was it determined that SAIC should notify patients? ANSWER: After careful deliberation, TMA determined that SAIC must take steps to notify all affected individuals. A standard methodology was used to determine the level of risk associated with the loss of these tapes. Reading the tapes takes special machinery and it takes a highly skilled individual to interpret the data on the tapes. Nevertheless, given the circumstances, TMA determined that individual notification was required in accordance with DoD guidance. QUESTION: What is credit monitoring and credit restoration? ANSWER: Credit monitoring is a service that directly protects your personal information along with your credit-related assets by warning you of any suspicious actions indicating any kind of unauthorized activity commonly associated with identity theft and fraud. In the event that an individual becomes victim of identity theft or has credit issues, credit restoration allows for actions to be taken to restore an individual's credit. Actions that may be taken during credit restoration include working with financial institutions, creditors or collection agencies on behalf of an individual and disputing incorrect or fraudulent information while working with law enforcement personnel. QUESTION: Why is credit monitoring and credit restoration being offered? ANSWER: While the risk of harm may be low, the Assistant Secretary of Defense (Health Affairs) proactively directed SAIC to provide credit monitoring and credit restoration services for one year for any affected individual requesting the services. QUESTION: What are the methods for activating credit monitoring? ANSWER: There are two ways to sign up for credit monitoring with the credit reporting agency: - To receive online credit monitoring through e-mail, please visit www.idintegrity.com to complete your credit authorization; OR - To receive your credit monitoring through the U.S. Postal Service mail, please fill out and return the Consumer Credit Report and Credit Monitoring Authorization Form attached to your SAIC letter. QUESTION: Why do I have to provide my Social Security number (SSN) for credit monitoring activation? ANSWER: While you may be reluctant to use your SSN, it is the only way to affirmatively identify you and monitor your credit. Without the SSN, there is a chance that your name cannot be authenticated and you will not receive the services. QUESTION: Why doesn't the government just sign me up? ANSWER: Neither TMA nor SAIC can sign up for credit monitoring on your behalf. The credit reporting agency needs your personal information, such as your name, address and Social Security number, to distinguish you from others with the same name. - If you are choosing to sign up for credit monitoring using the online service, you can bypass the field that asks for your SSN. However, if the credit reporting agency cannot immediately match your name and address to a credit file, and you receive a message indicating an authentication error, you will have to submit your data again or call the number displayed to speak with a credit specialist. - If you are filling out the form to order your credit monitoring through the mail, you are required to add your SSN to the form as there is no safe method for the credit reporting agency to request it if they can't match your credit file using your name and address. If you are not comfortable with sending your information through the mail, you can consider using the online credit service at www.idintegrity.com. QUESTION: Why did more than two weeks pass before the initial notification was posted? ANSWER: The exact circumstance surrounding this data loss remains the subject of an ongoing investigation. Further, the degree of risk this data loss represents had to be determined before starting the notification process QUESTION: Why did it take so long for letters to go out? ANSWER: As details surrounding the incident became available, TRICARE Management Activity took a proactive and responsible course of action based on many factors including the sensitivity of the information involved, the specific cause of the breach, and the likelihood that the information is accessible/useable or could lead to harm for those involved. A thorough analysis determined the steps being taken to ensure that affected individuals are made aware of the incident; to make recommendations for necessary precautions; set up credit monitoring and restoration services and to complete all the tasks needed to conduct a mailing of this magnitude. QUESTION: What will happen to SAIC as a result of this incident? ANSWER: This matter remains a high priority for DoD leadership and the Department does not take the incident lightly. SAIC was directed to 1) notify all affected patients and 2) provide credit monitoring and credit restoration services for one year to affected patients requesting those services. The credit restoration services being provided exceeds current industry standards for responding to a data breach. The incident is still under investigation and TMA is also actively examining data protection security policies and procedures to prevent similar breaches in the future. TRICARE Management Activity cannot comment on any other actions related to the circumstances of this incident. QUESTION: What else should affected patients do to protect themselves? ANSWER: Patients can monitor their credit and place a free fraud alert on their credit for a period of 90 days using the Federal Trade Commission (FTC) web site. The FTC site also provides other valuable information regarding actions that can be taken now or in the future, should any problems develop. This information is available at: http://www.ftc.gov/bcp/edu/pubs/consumer/idtheft/idt04.shtm ------ SOURCE: TRICARE Web Site at http://www.tricare.mil/breach/ == HEALTH.MIL Mailing List == 1. The following options may be used to join\leave this mailing list: a. ONLINE OPTION: Online subscription\unsubscription options are available at: http://www.hostmtb.org http://www.hostmtb.org/hmil.html //www.freelists.org/list/health.mil b. E-MAIL OPTION: Subscription\unsubscription may be performed by sending an E-Mail message to the following address: (1) To subscribe to this mailing list, send an E-Mail message to HEALTH.MIL-request@xxxxxxxxxxxxx with 'subscribe' as the subject. (2) To unsubscribe, send an E-Mail message to HEALTH.MIL-request@xxxxxxxxxxxxx with 'unsubscribe' as the subject. 2. If the above subscribe or unsubscribe procedures don't work or if you have questions, comments, etc., about this mailing list, please contact Milton.Bell126@xxxxxxxxx