From: NextGov

By Bob Brewin 

An Air Force veteran of the first Iraq war and a military spouse and her two children have hit the Defense Department with a class action lawsuit seeking $4.9 billion in damages from the theft of a computer tape containing personal and sensitive health information from the car of an employee of Science Applications International Corp., a contractor with the TRICARE Health Management Activity. The company was not named as a defendant in the action.

The suit, filed Monday by the law firm Shulman, Rogers, Gandal, Pordy & Ecker of Potomac, Md., seeks $1,000 in damages for all 4.9 million TRICARE beneficiaries whose records were on the computer tape stolen Sept. 13 from the SAIC employee’s car in San Antonio. TRICARE and Defense Secretary Leon Panetta are named as defendants.

Plaintiffs in the case are Virginia Gaffney of Hampton, Va., a TRICARE beneficiary described as the spouse of a decorated war veteran, along with her two dependent children, and Adrienne Taylor of Glendale, Ariz., an Air Force Operation Desert Storm veteran who also is a military spouse and TRICARE beneficiary.

The suit, filed in the U.S. District Court for the District of Columbia, charges that TRICARE “flagrantly disregarded” the privacy rights of TRICARE beneficiaries by failing to take the necessary precautions to protect their identity. The complaint said data on the stolen computer tape was “unprotected, easily copied . . . [and TRICARE] inexplicably failed to encrypt the information.”

TRICARE “compounded its dereliction of duty by authorizing an untrained or improperly trained individual to take the highly confidential information off of government premises and to leave unencrypted information in an unguarded car in a public location, from which it was stolen by an unknown party or parties,” the suit alleged.

The “intentional, willful and reckless disregard of plaintiffs’ privacy rights caused one of the largest unauthorized disclosures of Social Security numbers, medical records and other private information in recent history,” the complaint charged.

TRICARE has acknowledged that the stolen computer tape contained a wealth of patient information including clinical notes, laboratory tests, prescriptions, diagnoses, treatment information, and provider names and locations.

But, when it announced the theft — which it called a “data breach” — on Sept. 30, TRICARE downplayed the ability of anyone to access the information on the tape. “The risk of harm to patients is judged to be low despite the data elements involved since retrieving the data on the tapes would require knowledge of and access to specific hardware and software and knowledge of the system and data structure,” the military health program said.

The class action lawsuit disputed this assertion, alleging that “personal information on the computer tape could be retrieved by the name of an individual or by an identifying number, symbol or other identifying data assigned to an individual.”

The theft of the computer tape, the complaint charged, has exposed the medical and personal information of all four plaintiffs to the possibility of identity fraud and resulted in “emotional upset” due to the invasion of privacy.

TRICARE declined to provide credit monitoring services in the wake of the tape theft, and, as a result, the complaint said, both Gaffney and Taylor purchased such services on their own to protect against identity theft, incurring an ongoing economic cost.

The lawsuit asked the court to direct TRICARE to provide free credit monitoring services to all 4.9 million beneficiaries whose personal information was on the stolen tape and to reimburse those who had already purchased such services on their own.

This could slam TRICARE with another hefty bill. When the Veterans Affairs Department discovers a loss, theft or exposure of this kind it routinely offers credit monitoring services and up to $1 million annually in identity theft protection at a cost per veteran of $29.95 a year. At that rate, it would cost TRICARE $146.8 million to provide credit monitoring services to 4.9 million people.

Shulman, Rogers also wants to use the lawsuit to reform what it considers poor practices by Defense and TRICARE to maintain the privacy of personal information. Defense and TRICARE, the suit said, “have repeatedly demonstrated an inability or unwillingness to implement or [have a] callous disregard for fundamental procedures to provide minimally acceptable safeguards to prevent against the disclosure of personal and private information in their possession.”

The suit asks the court to bar TRICARE and Defense from transferring a record or system of records covered by the Privacy Act “until an independent panel of experts finds that adequate information security has been established.”

The court also should prohibit Defense and TRICARE from transporting any records off government property unless they are fully encrypted, and SAIC should not be allowed to transport any records until an independent expert panel determines the company has established adequate information procedures, the lawsuit said.

TRICARE and SAIC declined to comment on the lawsuit.