A group of people affected by the TRICARE data breach in September has filed a class-action lawsuit against the Department of Defense, alleging that the department and its health care organization didn’t properly safeguard personal information that was stored on backup tapes stolen last month.
The suit, filed on behalf of nearly five million military members and their families, is seeking $1,000 in damages for each of the affected individuals. The personal data stored on the tapes included names, Social Security numbers, addresses and some health-related information. No financial information was on the tapes, according to reports. The tapes were stolen from a car in Texas in September.
The suit alleges that TRICARE, the military’s health care system, didn’t encrypt the data on the tapes and didn’t take proper precautions in their handling. The data on the tapes reportedly includes information on patients who were seen at facilities in San Antonio between 1992 and September of this year. At the time of the breach notification, TRICARE and its contractor SAIC said that they did not think there was much risk of the data being used for fraud or identity theft.
“On September 14, 2011, Science Applications International Corporation (SAIC) reported a data breach involving personally identifiable and protected health information (PII/PHI) impacting an estimated 4.9 million military clinic and hospital patients. The information was contained on backup tapes from an electronic health care record used in the military health system (MHS) to capture patient data from 1992 through September 7, 2011, and may include Social Security numbers, addresses and phone numbers, and some personal health data such as clinical notes, laboratory tests and prescriptions,” the statement said.
“The risk of harm to patients is judged to be low despite the data elements involved since retrieving the data on the tapes would require knowledge of and access to specific hardware and software and knowledge of the system and data structure.”
The laswsuit against the Department of Defense is seeking total damages of $4.9 billion, based on the 4.9 million people potentially affected by the breach and the $1,000 in damages per person requested.
Lawsuits against companies that have suffered a data breach have been popping up more and more of late as consumers have grown weary of having their data exposed by private companies and government organizations.