SAIC and Its Military Millions March: Flooding the Parade with Possible PHI Breaches

Fourth Quarter 2011Articles Staying Well Within the Law

The largest single protected health information (PHI) breach reported to date – involving almost 5,000,000 military clinic and hospital patients – highlights the complexities in the decision-making process that covered entities and business associates should employ with respect to notifying the Department of Health and Human Services (HHS), other regulators and potentially affected individuals of a PHI breach. It may also ultimately provide covered entities and their business associates with valuable information and guidance when confronting a large PHI breach as well as test the regulatory boundaries preventing private actions under HIPAA/HITECH.

The 2011 breach, publicly disclosed in a statement on September 29, 2011 (the Public Statement), involved Science Applications International Corporation (SAI-NYSE) (SAIC) and occurred in the context of the company’s role as a business associate and/or subcontractor for TRICARE Management Activity, a component of TRICARE, the military health plan (TRICARE), for active duty service members of the U.S. Department of Defense (DoD). According to a recent filing by SAIC posted on the SEC web site, SAIC describes itself as “a FORTUNE 500® scientific, engineering and technology applications company that uses its deep domain knowledge to solve problems of vital importance to the nation and the world, in national security, energy and the environment, critical infrastructure and health.” SAIC has an estimated 41,000 employees who serve customers in the DoD, the intelligence community, the U.S. Department of Homeland Security, other U.S. government civil agencies and selected commercial markets.

The PHI that was compromised was reported as having been contained on backup tapes used by the military health system. SAIC noted in its Public Statement that the PHI “may include Social Security numbers, addresses and phone numbers, and some personal health data such as clinical notes, laboratory tests and prescriptions” but no financial data, such as credit card or bank account information, was contained on the tapes. SAIC reported the breach despite the fact that the PHI was contained on backup tapes and, as explained in the Public Statement, in SAIC’s view, “The risk of harm to patients is judged to be low despite the data elements involved since retrieving the data on the tapes would require knowledge of and access to specific hardware and software and knowledge of the system and data structure…”

To Report or Not To Report?

SAIC apparently debated over whether to notify the nearly 5,000,000 affected individuals about the breach. It is important to note that the HITECH Breach Notification Interim Final Rule defines a “breach” as “the acquisition, access, use or disclosure of … PHI in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information.” It further explains that “compromises the security or privacy of the protected health information” means “poses a significant risk of financial, reputational or other harm to the individual.” Additionally, it defines the term “access” for purposes of the interim final rule as “the ability or the means necessary to read, write, modify or communicate data/information or otherwise use any system resource.”

These definitions raise an important issue: At what point does “access” matter? When is the mere “ability” to read PHI, without evidence the PHI was actually read or was likely to have been read, enough to trigger the notice requirement under the Breach Notification Rule? Will covered entities provide notice out of an abundance of caution to report every unlocked or unencrypted data file, possibly flooding the HHS web site that lists large PHI breaches with potential breaches that have minimal or no likelihood of access and unduly alarming notified individuals? Could such reporting have the unintended effect of diluting the impact of reports involving actual theft and snooping?

In this regard, an event reported on the Nemours Web site on October 7, 2011 (the Nemours Report), about a PHI security breach involving approximately 1.9 million individuals at a Nemours health care facility in Wilmington, DE, is relevant. The Nemours Report stated that three unencrypted computer backup tapes containing patient billing and employee payroll were missing. The tapes reportedly were stored in a locked cabinet following a computer systems conversion completed in 2004. The tapes and locked cabinet were reported missing on September 8, 2011, and were believed to have been removed on or about August 10, 2011, during a facility remodeling project. The Nemours Report stated, “There is no indication that the tapes were stolen or that any of the information on them has been accessed or misused. Independent security experts retained by Nemours determined that highly specialized equipment and specific technical knowledge would be necessary to access the information stored on these backup tapes. There are no medical records on the tapes.”

The Nemours Report reveals that, in spite of the low likelihood of access, it not only disclosed the breach but was offering free credit monitoring, identity theft protection and call center support to affected individuals.

If the analysis as to whether access “poses a significant risk of … harm” takes into account the likelihood that PHI was actually accessed, rather than simply whether a theoretical “ability or means” to read, write, modify or communicate PHI existed at some point in time, perhaps the “possible breach” floodgates will not burst open unnecessarily.

SAIC ultimately decided to notify all potentially affected individuals of the breach. The Public Statement noted, “After careful deliberation, we have decided that we will notify all affected beneficiaries. We did not come to this decision lightly. We used a standard matrix to determine the level of risk that is associated with the loss of these tapes. Reading the tapes takes special machinery. Moreover, it takes a highly skilled individual to interpret the data on the tapes. Since we do not believe the tapes were taken with malicious intent, we believe the risk to beneficiaries is low. Nevertheless, the tapes are missing and given the totality of the circumstances, we determined that individual notification was required in accordance with DoD guidance. . . ” [Emphasis added.]

The linchpin of SAIC’s final decision to notify appeared to be the DoD guidance. In SAIC’s position as an $11 billion contractor heavily dependent on DoD and other U.S. government agencies, the company may not have had many practical alternatives but to notify beneficiaries. SAIC’s “careful deliberation” resulted in the conclusion that the risk of breach was “low.” Had the DoD guidance not been a factor and had SAIC concluded the case was one where an unlocked file or unencrypted data was discovered to exist — but it appeared that no one had opened such file or viewed such data — would SAIC’s conclusion have been the same and would it, like Nemours, have decided to report it?

Rapid About-Face on Credit Monitoring

SAIC and TRICARE, according to the Public Statement, are cooperating in the notification process but initially told all potentially affected individuals that no credit monitoring or restoration services would be provided in light of the “low risk of harm.” This was in contrast to the decision of Nemours in the Nemours Report to provide such services. The Public Statement noted that, “To date, we have no conclusive evidence that indicates beneficiaries are at risk of identity theft, but all are encouraged to monitor their credit and place a free fraud alert of their credit for a period of 90 days using the Federal Trade Commission (FTC) web site.”

However, less than six weeks later,TRICARE directed SAIC to provide one year of credit monitoring and restoration services to patients “who express concern about their credit” as a result of the PHI breach. A press release issued by the DoD on November 4, 2011, noted, “These additional proactive security measures exceed the industry standard to protect against the risk of identity theft. We take very seriously our responsibility to offer patients peace of mind that their credit and quality of life will be unaffected by this breach.”

It is unclear whether the new security measure actually exceeds the “industry standard,” as, in numerous reported PHI breaches, including Nemours, up to two years of credit monitoring was offered to affected individuals. However, given the original assurances in the Public Statement that the risk of harm was low and there was no conclusive evidence that patients were at risk of identity theft, one can speculate as to whether TRICARE’s abrupt about-face relates to new evidence, a revised judgment as to the risk of harm to affected patients and/or simply an abundance of caution as to its own exposure to risk.

Then again, TRICARE’s new position could have less to do with new concerns related to patient identity theft risk and more to do with a “proactive response” or even a preemptive strike by TRICARE and the DoD to combat some of the allegations in the putative class action lawsuit filed against them in the U.S. District Court for the District of Columbia on October 11, 2011 (Gaffney v. TRICARE Management Activity, et. al., Case No. 1:2011cv01800), where plaintiffs allege they have “incurred an economic loss as a result of having to purchase a credit monitoring service to alert [them] to potential misappropriation of their identity.”

By offering the credit monitoring services to all of the 4.9 million affected individuals, TRICARE and the DoD may be endeavoring to render moot or at least mitigate the risk from those allegations in the class action complaint, which seeks judgment against TRICARE and the DoD for damages in an amount of $1,000 for each affected individual. Some quick math indicates that the cost of credit monitoring and restoration for a subset (those “expressing concern”) of the roughly 4.9 million affected patients would be far less than the almost $5 billion aggregate damages award sought in the putative class action complaint. TRICARE may have reversed its stance as a result of this “risk of harm” analysis and not because of new information or a revised evaluation related to a heightened risk of harm to affected individuals.

There is also another putative class action that has been filed separately against SAIC (but not TRICARE and the DoD) in respect to the breach.

History of Breaches?

A closer review of SAIC and its incidents involving PHI reveals that the 2011 breach was not the first for the company. It does, however, appear to be the first since the adoption of the HITECH Breach Notification Interim Final Rule in August 2009.

On July 21, 2007, The Washington Post reported that SAIC had acknowledged the previous day that “some of its employees sent unencrypted data — such as medical appointments, treatments and diagnoses — across the Internet” that related to 867,000 U.S. service members and their families. The Post article stated that, “So far, there is no evidence that personal data has been compromised, but ‘the possibility cannot be ruled out,’ SAIC said in a press release. The firm has fixed the security breach, the release said.” Embedded later in the Post article is this: “The [2007] disclosure comes less than two years after a break-in at SAIC’s headquarters that put Social Security numbers and other personal information about tens of thousands of employees at risk. Among those affected were former SAIC executive David A. Kay, who was the chief U.N. weapons inspector in Iraq, and a former director who was a top CIA official.” It is unclear whether the earlier 2005 breach reported in the Post involved PHI or other personal information.

On January 20, 2009, SPAMfighter reported SAIC had informed the Attorney General of New Hampshire of a data breach that had occurred involving malware. The SPAMfighter report notes SAIC wrote a letter to many affected users to inform them about the potential compromise of personal information. (A portion of such personal information would have been deemed PHI had it been part of health-related material.) The SPAMfighter report also discloses that, “The current [2009] breach at SAIC is not the only one. There was one other last year (2008), when keylogging software managed to bypass SAIC’s malware detection system. That breach had exposed mainly business account information.”

Final Thoughts

The SEC issued a release on October 13, 2011, containing guidelines for public companies regarding disclosure obligations relating to cybersecurity risks and cyber incidents. In the context of SAIC, an $11 billion company, while the actual costs of notification and remediation of the 2011 Breach may run into millions of dollars, the 2011 Breach may not be deemed a “material” reportable event for SEC purposes by its management.

It is likely that much more will be heard in the future about the mammoth 2011 SAIC breach and its aftermath that may give covered entities and their business associates valuable information and guidance to consider in identifying and confronting a future large PHI security breach. The regulatory barriers preventing private actions under HIPAA/HITECH may be tested by the putative class action lawsuits. It will also be interesting to see whether the cooperation of SAIC with TRICARE and the DoD may wither in the face of the pressures of the lawsuits.
For more information about this topic, please contact Elizabeth G. Litten at 609.895.3320 or [email protected] Michael J. Kline at 609.895.6635 or [email protected].

This article previously appeared as a series of postings on the firm’s HIPAA, HITECH and Health Information Technology blog ( ).

Download entire newsletter (pdf)