[HEALTH.MIL] More on SAIC Data Breach, Including Questions and Answers

  • From: HEALTH.MIL Mailing List
  • To: <HEALTH.MIL@xxxxxxxxxxxxx>, <TFL@xxxxxxxxxxxxx>
  • Date: Sat, 19 Nov 2011 10:11:38 -0600

NOTE:  You may view\post comments about this and other TRICARE news releases on
the TRICARE Facebook Wall at http://www.facebook.com/TRICARE?sk=wall


SAIC Data Breach
================
Letters are being mailed from Science Applications International Corporation
(SAIC) to affected military clinic and hospital patients regarding a data breach
involving personally identifiable and protected health information (PII/PHI). On
Sept. 14, 2011, SAIC reported the loss of backup tapes containing electronic
health care records used in the military health system (MHS) to capture patient
data from 1992 through Sept. 7, 2011 in San Antonio area military treatment
facilities (MTFs). The records cover care at those MTFs, including the filling
of pharmacy prescriptions, as well as other patients whose laboratory workups
were processed in these same MTFs, even if the patients were receiving treatment
elsewhere. The data may include Social Security
numbers, addresses and phone numbers, and some personal health data such as
clinical notes, laboratory tests and prescriptions. There is no financial data,
such as credit card or bank account information, on the backup tapes. 

The risk of harm to patients is judged to be low since retrieving the data on
the tapes would require knowledge of, and access to, specific hardware and
software and knowledge of the system and data structure. As a precaution, the
Assistant Secretary of Defense (Health Affairs) determined that SAIC should
notify potentially impacted persons or households of this incident by letter.
 
As directed by TRICARE Management Activity (TMA), SAIC will provide credit
monitoring and credit restoration services for one year for patients requesting
them. The credit restoration services being provided exceed current industry
standards for responding to a data breach.
 
SAIC's Incident Response Center is available to answer your questions, including
helping you with signing up for credit monitoring, Monday through Friday from
9 a.m. to 6 p.m. Eastern time. Concerned patients should call the response center to
ask questions and verify authenticity of the letter:
 
    United States, call toll free: (855) 366-0140 
    International, call collect at (952) 556-8312 

For more information: 

- View the TRICARE Management Activity News Release at
http://www.tricare.mil/mediacenter/news.aspx?fid=738

- View the Department of Defense News Release at
http://www.defense.gov/releases/release.aspx?releaseid=14905
 

Questions & Answers
===================
QUESTION:  I received a letter from SAIC. Is it a hoax? 
ANSWER:  No. The Assistant Secretary of Defense for Health Affairs directed SAIC
to notify potentially impacted persons by letter. The letter from SAIC informs
you of the incident and provides you with details about how to sign up for the
free credit monitoring and restoration services for one year. Please double
check the letter you received from SAIC to ensure contact information matches
the toll free phone numbers as these are the ONLY valid phone numbers to verify
authenticity and obtain assistance. Call the SAIC Incident Response Call Center
at: United States, call toll-free: 1-855-366-0140; International, call collect:
1-952-556-8312. 


QUESTION:  I received a different communication from SAIC. What should I do? 
ANSWER:  Please double check the letter you received from SAIC to ensure contact
information matches the below toll free phone numbers as these are the ONLY
valid phone numbers to verify authenticity and obtain assistance. Unless you
specifically left your contact information for a call back from SAIC, if you
receive phone calls or are contacted by other means, such as e-mail, you should
protect your personal information and verify authenticity by calling the SAIC
Incident Response Call Center at: United States, call toll-free: 1-855-366-0140;
International, call collect: 1-952-556-8312. Those are the only authorized phone
numbers for this incident. 


QUESTION:  Who is SAIC and why did they have my information? 
ANSWER:  SAIC is a government contractor supporting the Military Health System
(MHS). Under the contract, SAIC has the task of transporting backup tapes
between federal facilities. More information about SAIC is available on the
company's web site: www.saic.com. An announcement concerning the data breach is
on the SAIC front page. 


QUESTION:  Who is the person who signed the letter, Walter P. Havenstein? 
ANSWER:  Mr. Havenstein is the Chief Executive Officer of SAIC. SAIC is working
closely with the government to mitigate the inconvenience and potential harm the
possible compromise of personal information may cause patients. 


QUESTION:  How was it determined that SAIC should notify patients? 
ANSWER:  After careful deliberation, TMA determined that SAIC must take steps to
notify all affected individuals. A standard methodology was used to determine
the level of risk associated with the loss of these tapes. Reading the tapes
takes special machinery and it takes a highly skilled individual to interpret
the data on the tapes. Nevertheless, given the circumstances, TMA determined
that individual notification was required in accordance with DoD guidance. 


QUESTION:  What is credit monitoring and credit restoration?
ANSWER:  Credit monitoring is a service that directly protects your personal
information along with your credit-related assets by warning you of any
suspicious actions indicating any kind of unauthorized activity commonly
associated with identity theft and fraud. In the event that an individual
becomes a victim of identity theft or has credit issues, credit restoration allows
for actions to be taken to restore an individual's credit. Actions that may be
taken during credit restoration include working with financial institutions,
creditors or collection agencies on behalf of an individual and disputing
incorrect or fraudulent information while working with law enforcement
personnel. 


QUESTION:  Why are credit monitoring and credit restoration being offered?
ANSWER:  While the risk of harm may be low, the Assistant Secretary of Defense
(Health Affairs) proactively directed SAIC to provide credit monitoring and
credit restoration services for one year for any affected individual requesting
the services. 


QUESTION:  What are the methods for activating credit monitoring?
ANSWER:  There are two ways to sign up for credit monitoring with the credit
reporting agency:

- To receive online credit monitoring through e-mail, please visit
www.idintegrity.com to complete your credit authorization; OR

- To receive your credit monitoring through the U.S. Postal Service mail, please
fill out and return the Consumer Credit Report and Credit Monitoring
Authorization Form attached to your SAIC letter. 

 
QUESTION:  Why do I have to provide my Social Security number (SSN) for credit
monitoring activation?
ANSWER:  While you may be reluctant to use your SSN, it is the only way to
affirmatively identify you and monitor your credit. Without the SSN, there is a
chance that your name cannot be authenticated and you will not receive the
services. 

 
QUESTION:  Why doesn't the government just sign me up?
ANSWER:  Neither TMA nor SAIC can sign up for credit monitoring on your behalf.
The credit reporting agency needs your personal information, such as your name,
address and Social Security number, to distinguish you from others with the same
name.

- If you are choosing to sign up for credit monitoring using the online service,
you can bypass the field that asks for your SSN. However, if the credit
reporting agency cannot immediately match your name and address to a credit
file, and you receive a message indicating an authentication error, you will
have to submit your data again or call the number displayed to speak with a
credit specialist.

- If you are filling out the form to order your credit monitoring through the
mail, you are required to add your SSN to the form as there is no safe method
for the credit reporting agency to request it if they can't match your credit
file using your name and address. If you are not comfortable with sending your
information through the mail, you can consider using the online credit service
at www.idintegrity.com.


QUESTION:  Why did more than two weeks pass before the initial notification was
posted? 
ANSWER:  The exact circumstance surrounding this data loss remains the subject
of an ongoing investigation. Further, the degree of risk this data loss
represents had to be determined before starting the notification process.


QUESTION:  Why did it take so long for letters to go out?
ANSWER:  As details surrounding the incident became available, TRICARE
Management Activity took a proactive and responsible course of action based on
many factors including the sensitivity of the information involved, the specific
cause of the breach, and the likelihood that the information is
accessible/usable or could lead to harm for those involved. A thorough analysis
determined the steps being taken to ensure that affected individuals are made
aware of the incident; to make recommendations for necessary precautions; to set
up credit monitoring and restoration services; and to complete all the tasks
needed to conduct a mailing of this magnitude. 


QUESTION:  What will happen to SAIC as a result of this incident?
ANSWER:  This matter remains a high priority for DoD leadership and the
Department does not take the incident lightly. SAIC was directed to 1) notify
all affected patients and 2) provide credit monitoring and credit restoration
services for one year to affected patients requesting those services. The credit
restoration services being provided exceed current industry standards for
responding to a data breach. The incident is still under investigation and TMA
is also actively examining data protection security policies and procedures to
prevent similar breaches in the future. TRICARE Management Activity cannot
comment on any other actions related to the circumstances of this incident. 


QUESTION:  What else should affected patients do to protect themselves? 
ANSWER:  Patients can monitor their credit and place a free fraud alert on their
credit for a period of 90 days using the Federal Trade Commission (FTC) web
site. The FTC site also provides other valuable information regarding actions
that can be taken now or in the future, should any problems develop. This
information is available at:
http://www.ftc.gov/bcp/edu/pubs/consumer/idtheft/idt04.shtm


------
SOURCE:  TRICARE Web Site at http://www.tricare.mil/breach/





