The tapes were taken on Sept. 14 when they were among items stolen from an employee's car in San Antonio, SAIC spokesman Vernon Guidry told Reuters. The patients and families whose medical data was stolen used the US military's TRICARE health provider, and SAIC has a contract to manage TRICARE's data.
According to a TRICARE statement, the data included social security numbers, names, addresses, phone numbers, diagnoses, treatment information, provider names, provider locations and other patient data on 4.9 million active and retired military patients and families who received treatment at military hospitals and military treatment facilities in San Antonio from 1992 up until Sept. 7, 2011.
“The risk of harm to patients is judged to be low despite the data elements involved since retrieving the data on the tapes would require knowledge of and access to specific hardware and software and knowledge of the system and data structure”, the statement said.
TRICARE explained that it took two weeks to notify patients because it was investigating the circumstances surrounding the data loss and wanted to determine the degree of risk the data breach represented before posting the notification.
TRICARE said that both it and SAIC are reviewing their data protection security policies and procedures to prevent future data breaches.