TriWest Health Care Alliance Corp.
The Department of Defense recently announced the theft of a computer from the TriWest Health Care Alliance Corp. in Phoenix, Arizona (TRICARE is the administrator for most veterans' and active duty military medical benefits). The thieves stole the computer on 14 December 2002, and the theft was not discovered until several days later. On 23 December, the DoD requested military service organizations to notify their members of the incident. Most of the members did not receive notification by mail until mid-January 2003.
The computer contained the confidential and personal files of 500,000 members and dependents: 500,000 sets of medical records, social security numbers, names, addresses, spouses, relatives and dependents in 16 western states. The CEO of TriWest Healthcare Alliance, Mr. Dave McIntyre, held a press conference on 31 December 2002 to announce the theft, make some statements about working with law enforcement, and offer a $100,000.00 reward for information leading to the arrest and successful prosecution of those responsible. The street rate for personal information sufficient to make IDs and assume someone's identity is $100.00, so TRICARE is offering a hundred thousand dollar (two-tenths of one percent) reward for a fifty million dollar asset. While this is undoubtedly more than was spent protecting this private information, somehow it doesn't seem quite right.
It would have been right to have those computers in a secure room shielded from view, not a ground floor room with a window. It would have been right to secure the computers to the floor or wall in a locking case. It would have been right to encrypt the information on the hard drives, readable only from the native computer on which the hard drive was resident. It would have been right to instruct the hard drive to erase itself when not in its native computer. It would have been right to configure the hard drive to ping a server if on a computer that had Internet access. It would have been right to offer a real reward for leads, and a larger reward for conviction. It would have been right to have an alarm that was monitored.
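The third of those controls, data that is readable only from the native computer, is the one that would have made the stolen machine worthless to the thieves. The following Go program is an added illustration of that idea; it is not code from TriWest or from the original article. It seals a constructed record set with AES-256-GCM under a key derived from the machine's identity plus a secret assumed to live outside the drive (a TPM, smart card or key server), so the same drive in another computer cannot reproduce the key. The machine identifiers, the secret and the beneficiary record are all made up for the example, and the SHA-256 key derivation stands in for a proper KDF.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// Record is one beneficiary entry of the kind the stolen machine held.
// All values used below are constructed for this example, not real data.
type Record struct {
	Name string `json:"name"`
	SSN  string `json:"ssn"`
}

// DeriveDriveKey simulates binding the disk key to the native computer:
// a secret held outside the drive (TPM, smart card or key server) is mixed
// with the machine's identity, so a drive moved into another machine cannot
// reproduce the key. Plain SHA-256 is used for brevity; a production system
// would use a proper KDF and a hardware-held secret.
func DeriveDriveKey(machineID string, secret []byte) []byte {
	h := sha256.New()
	h.Write([]byte("drive-key-example:" + machineID))
	h.Write(secret)
	return h.Sum(nil) // 32 bytes, suitable for AES-256
}

// SealRecords encrypts a record set with AES-256-GCM. The random nonce is
// prepended to the ciphertext; GCM's authentication tag also detects tampering.
func SealRecords(key []byte, records []Record) ([]byte, error) {
	plaintext, err := json.Marshal(records)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// OpenRecords reverses SealRecords. With the wrong key (drive in a different
// computer) or a modified blob, GCM authentication fails and nothing is returned.
func OpenRecords(key []byte, sealed []byte) ([]Record, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	plaintext, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return nil, err // authentication failure: wrong key or tampered data
	}
	var records []Record
	if err := json.Unmarshal(plaintext, &records); err != nil {
		return nil, err
	}
	return records, nil
}

func main() {
	secret := []byte("constructed-hardware-held-secret") // stands in for a TPM-held value
	records := []Record{{Name: "Example Beneficiary", SSN: "000-00-0000"}}

	homeKey := DeriveDriveKey("workstation-A", secret)
	sealed, err := SealRecords(homeKey, records)
	if err != nil {
		panic(err)
	}
	if got, err := OpenRecords(homeKey, sealed); err == nil {
		fmt.Println("native computer reads:", got[0].Name)
	}
	// The same drive contents in another machine derive a different key.
	thiefKey := DeriveDriveKey("other-laptop", secret)
	if _, err := OpenRecords(thiefKey, sealed); err != nil {
		fmt.Println("other computer gets:", err)
	}
}
```

The point of the foreign-machine branch is that decryption does not merely produce garbage; GCM refuses outright, so an operator can log and alert on the failure. In a real deployment the secret would never be a string constant but a value released by the platform only on the original hardware, which is what makes the drive useless once it leaves the building.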
500,000 people have had stolen all the information necessary for someone to assume their identities. To add insult to injury, their facilities did not conform to any level of Privacy Act protections, and as a health care provider they certainly do not comply with the privacy provisions of HIPAA; yet due to the Privacy Act provisions, TRICARE cannot provide the names and SSNs of those beneficiaries whose information has been compromised.
It is a safe guess that a class-action lawsuit will be filed on this one, and the damages will be more than $100.00 per person.
If you have sensitive information, secure that information so it cannot be used if a computer is stolen or hacked. Keep in mind that it takes a relatively small investment in access control, physical security, monitoring, data monitoring and response, and planning to protect your company from theft, fire, flood, natural disaster, terrorism, workplace violence, and the host of other corporate ills. If you don’t have the people in-house to help you figure out what needs to be done, we can help you audit your facility and practices.