10-18-11 | Blog Post

Military Healthcare Contractor’s HIPAA Breach Followed by $4.9 Billion Lawsuit

If you’ve been following the TRICARE HIPAA breach of PHI reported at the end of September, you’ll know that 4.9 million people were affected by the loss of data backup tapes under the Defense Department’s military healthcare program. Now a $4.9 billion lawsuit seeking class action status for those affected individuals hangs over the offenders’ heads, seeking $1,000 for each affected individual.

The affected individuals who filed the lawsuit include a military spouse, her two children and an Air Force veteran. The suit specifically targets Secretary Leon Panetta for violating the Federal Administrative Procedures Act and the Federal Privacy Act of 1974. While the data breach is a clear HIPAA violation, the Privacy Act of 1974 sets out the code of fair information practices that governs the storage, use, maintenance and dissemination of information by federal agencies, meaning the Department of Defense is also held liable for more than just a HIPAA fine.

TRICARE HIPAA Breach & Lawsuit
At the time the incident was reported, details had not yet been released because an investigation was underway. Now the data breach appears to be attributable to physical theft: the backup tapes, holding PHI records dating from 1992 to 2011, were stolen from the back of a car belonging to an employee of SAIC (Science Applications International Corp.), TRICARE’s contractor and business associate, which provided offsite backup, storage and data security for the military insurance carrier and also reported the breach.

Physical theft has proved to be one of the most common causes of HIPAA breaches so far, according to HHS data on HIPAA violations and as discussed in an earlier blog post. Another factor that may have contributed is the type of backup the military contractor chose: tape backup. Considered a more traditional disaster recovery method, tape backup is highly error-prone and time-consuming and, as this case shows, exposed to physical theft and the HIPAA breaches that follow from it.

One alternative is cloud disaster recovery, which can improve accuracy and recovery time objectives (RTO), and which can be secured with encryption, logging, and vulnerability and penetration testing to ensure your data is safely backed up. Virtualization also eliminates the possibility of physical data theft of the kind exemplified by the SAIC loss of backup tapes, since there is no removable media to carry around.

Among the 11 orders in the lawsuit, three include concerns around data security practices, systems and procedures:

  • Prohibiting defendants from transporting any confidential records by non-secure means and unless the records are properly encrypted. – Transporting tape backup records in the trunk of a car may fall under ‘non-secure means.’
  • Requiring defendants to set up proper systems and procedures to maintain the privacy of protected information. – Refers to implementing HIPAA compliant policies and procedures.
  • Prohibiting defendants and SAIC from transferring any records until an independent expert panel finds that adequate information security has been established. – Similar to Online Tech’s recent HIPAA audit by an independent CHP (Certified HIPAA Professional) and CHSS (Certified HIPAA Security Specialist) to prove our fully HIPAA compliant hosting and HIPAA compliant data centers can provide proper data security for organizations that need to protect PHI.

Still concerned about HIPAA compliance and cloud security? Watch the webinar New Solutions for Security and Compliance in the Cloud to learn more. Or read our E-Tip, Benefits of Disaster Recovery in Cloud Computing and watch our webinar, HIPAA Compliance in the Cloud & in the Data Center to make an informed decision on your disaster recovery options.

USDOJ: OPCL: Privacy Act of 1974
TRICARE Hit with $4.9 Billion Suit Following Breach