TRICARE Management Activity (formerly Civilian Health and Medical Program of the Uniformed Services, CHAMPUS), Science Applications International Corporation (SAIC)

The car theft of backup tapes resulted in the exposure of protected health information from patients of military hospitals and clinics.  Uniformed Service members, retirees and their families were affected.  Patient data from the military health system that dates from 1992 to September 7, 2011 could have been exposed.  The personally identifiable and protected health information of those who received care in the San Antonio area military treatment facilities and others whose laboratory workups were processed in these facilities was exposed.  It includes Social Security numbers, addresses, phone numbers, clinical notes, laboratory tests, prescriptions, and other medical information.  The information was stolen from the car of an SAIC employee, along with a stereo system and a GPS device on September 13.UPDATE (10/16/2011): Four people have filed a $4.9 billion lawsuit over the improper disclosure of active and retired military personnel and family data.  The lawsuit would give $1000 to each of the 4.9 million affected individuals.UPDATE (11/4/2011): SAIC reported that 5,117,799 people were affected by the breach.UPDATE (01/06/2012): A second class action lawsuit filed in the Superior Court of California in San Diego seeks unspecified monetary damages related to the theft of the computer tapes targets SAIC.  The suit was filed in December and seeks certification as a class action for all TRICARE beneficiaries in California whose personal identity and health care information were compromised by the September 2011 theft of the tapes.UPDATE (03/14/2012): Some of the people affected by the breach have become victims of identity theft.  The class action lawsuit against the Department of Defense and SAIC was amended to reflect the new information about fraudulent charges appearing on credit cards.UPDATE (04/08/2012): SAIC's insurance will most likely be enough to cover any judgments or settlements that result from the data breach.  SAIC also revealed that the Office for Civil Rights in the Health and Human Services Department opened an investigation into the tape theft on November 17, 2011.UPDATE (07/10/2012): Eight class action lawsuits have been consolidated into one case alleging that personal information was mishandled.  The case will be handled by the U.S. District Court in Washington, D.C.UPDATE (5.13.2014): On Friday, "a federal district judge dismissed the majority of a consolidated class-action lawsuit filed against the Department of Defense, its TRICARE health insurance program and a contractor following a 2011 data breach that affected over 4.7 million individuals.In his ruling, U.S. District Judge James Boasberg wrote that the case raises "thorny standing issues regarding ... when is a consumer actually harmed by a data breach -- the moment data [are] lost or stolen or only after the data [have] been accessed or used by a third party?He noted that most courts "have agreed that the mere loss of data -- without evidence that [the information] has been either viewed or misused -- does not constitute an injury sufficient to confer standing," adding, "This court agrees" (Kolbasuk McGee, GovInfoSecurity, 5/13)".