SAIC acknowledges risk to military records
- By David Hubler
- Jul 20, 2007
The personal information of more than a half million uniformed service members and their families "was placed at risk for potential compromise" when military health care data was being processed by Science Applications International Corp., the company said today.
SAIC did not indicate when the incident took place, but said it fixed the security lapses as soon as it learned of them and began working with customers to mitigate any negative effects.
SAIC said the Army, Navy, Air Force and Homeland Security Department contracts were in connection with Tricare, the online health benefits program for the uniformed services, retirees and their families.
The company said forensic analysis so far has not uncovered any compromise of the personal information ? which could include combinations of names, addresses, Social Security numbers, birth dates, and limited health information in the form of codes.
"However, the possibility cannot be ruled out. SAIC is notifying about 580,000 households, some with more than one affected person," the company said.
The data was stored on a single, SAIC-owned, non-secure server at a small undisclosed company location, and in some cases was transmitted over the Internet in an unencrypted form.
SAIC announced a series of steps it has taken to prevent a recurrence of the data compromise. The company has:
- Conducted a detailed forensic analysis of the server and data, which included assistance from some of the company's and the government's top experts in computer security;
- Launched an internal investigation using outside counsel to determine exactly how this security failure occurred and placed a number of employees on administrative leave pending the outcome of the investigation;
- Established a company-wide task force to ensure that the company responsibly addresses any adverse impact on the company's customers and any affected individuals; and
- Initiated a systematic, companywide assessment to assure that such lapses do not exist elsewhere in the company and determine whether any changes in policy, methods, tools and monitoring are needed to make sure that such a lapse does not recur.
SAIC also has hired Kroll Inc. to provide services to affected individuals, including an Incident Response Center with extended hours, information resources, and credit and identity restoration services for any victims of related identity theft. These services will be provided at no cost to the government or the affected persons, the company said.
SAIC Chairman and Chief Executive Officer Ken Dahlberg apologized to those affected by the security failure and said, "The security failure is completely unacceptable and occurred as a result of clear violations of SAIC's strong internal [information technology] security policies."
The Veterans Affairs Department in May 2006 was the victim of the largest personal data breach in history when a laptop computer containing the medical records of some 26.5 million veterans and their families was stolen from the home of a VA employee. It was later recovered by the FBI, which said testing indicated that the records had not been compromised. Several top VA officials resigned or were fired as a result.
SAIC of San Diego ranks No. 5
on Washington Technology's 2007 Top 100 list
of the largest federal government prime contractors.
David Hubler is the former print managing editor for GCN and senior editor for Washington Technology. He is freelance writer living in Annandale, Va.