Data breach exposed 900,000 soldier, government employee health records

In yet another case of seriously flawed security precautions, the personal health care records of nearly 900,000 troops, family members and other government employees, stored on a nonsecure computer server belonging to private defense contractor SAIC, Inc., were exposed to compromise. SAIC said the information included combinations of names, addresses, Social Security numbers, birth dates and/or “limited health information in the form of codes.” It was stored on a single, SAIC-owned, nonsecure server in Shalimar, Fla., and was in some cases transmitted over the Internet in unencrypted form. The information was exposed while being processed, the company said.

According to an Army Times report, SAIC said a forensic analysis by top computer security experts “has not yielded any information that any personal information was actually compromised,” but added that “the possibility cannot be ruled out.” Although SAIC announced the data breach Friday, the company acknowledged it has known about the problem since May 29, when U.S. Air Forces Europe notified SAIC that it had “detected an unsecured transmission of this personal information,” said SAIC spokeswoman Connie Custer, the Times said. The FBI and Secret Service are also looking into the breach.
In an unusual act, at least as compared to many of these breaches in the past, SAIC reacted swiftly, posting its response on its Web site:

The company has responded to this situation in a comprehensive way by taking the following actions:

· conducted a detailed forensic analysis of the server and data, which included assistance from some of the company's and the government's top experts in computer security;
· launched an internal investigation using outside counsel to determine exactly how this security failure occurred and placed a number of employees on administrative leave pending the outcome of the investigation;
· established a company-wide task force to ensure that the company responsibly addresses any adverse impact on the company's customers and any affected individuals;
· initiated a systematic, company-wide assessment to assure that such lapses do not exist elsewhere in the company and determine whether any changes in policy, methods, tools and monitoring are needed to make sure that such a lapse does not recur.

SAIC’s CEO Ken Dahlberg issued a statement that sounded an awful lot like other data breach apology letters: “A security failure by an SAIC organization in the handling of customer data placed the personal information of certain uniformed service members, family members and others at risk of potential compromise. SAIC remedied the security lapse upon learning of it and began working with the customers to mitigate the impact of any possible compromise of the data. Forensic analysis has not yielded any evidence that any personal information was actually compromised; however, the possibility cannot be ruled out. SAIC is notifying approximately 580,000 households, some with more than one affected person. We deeply regret this lapse. I offer my personal apology to those service members and their families who may be affected by this, and to the customers who did not receive from SAIC the high level of performance they have learned to expect and deserve. Our focus now is on providing support to those persons who may be affected by this, and to vigorous internal efforts to make sure that such a lapse does not recur.”

While the reaction was swift, it doesn’t diminish the fact that, yet again, private personal information was compromised by a supposedly trustworthy company.

For many companies, the question is not whether they will experience a data breach, but when and how often, according to survey results released this month. Some 85% of 700 C-level executives, managers and IT security officers revealed they had experienced a data breach event, and about half of those admitted they had no incident response plan in place. Among the most common causes of the breach incidents were lost or stolen equipment such as laptops, PDAs and memory sticks. The second largest contributing factor involved negligent employees, temporary employees or contractors. The survey, titled "The Business Impact of Data Breach," revealed the "pervasive problem" plaguing IT security officers in midsize to large U.S. businesses in all industries, researchers say. Scott & Scott, a law and technology services firm, commissioned the survey, which was conducted by independent research firm Ponemon Institute.

The U.S. Government Accountability Office (GAO) also recently issued a report on the May 2006 data breach at the Department of Veterans Affairs. Veterans were denied the opportunity to take prompt steps to protect themselves against identity theft last year because internal delays kept key VA officials, including the agency’s secretary, in the dark for up to two weeks, the report states. One lesson learned after the breach is that federal agencies must have rapid internal notification of key officials, the GAO said.
“Because of these delays, the department’s decision about how to respond was also delayed,” the GAO said in its report. “Prompt internal notification would help ensure that future data breaches are addressed promptly, maximizing the opportunity for affected individuals to effectively take precautions.” The delays also slowed decisions about whether to offer credit monitoring and other services that may reduce the risk of identity theft. A VA laptop and computer storage device containing the names, Social Security numbers and dates of birth of all veterans discharged since 1975 were stolen from a VA employee’s home last year, exposing data on 26.5 million veterans and 2.1 million active and reserve service members. (See the apology VA mailed to veterans.)


Copyright © 2007 IDG Communications, Inc.
