A limited amount of TRICARE beneficiary data has been placed at risk through unauthorized access to claims information. Proactive measures are being taken to ensure that affected TRICARE beneficiaries are informed. Analysis thus far has not produced indications of the beneficiary data being misused.
Patient data was found to be accessible in a manner that did not meet stringent security specifications for the Department of Defense or TRICARE’s information technology services provider Electronic Data Systems (EDS). The data included personal information such as the full or partial Social Security number of the primary beneficiary, and for a dependent, name, birth date and limited health information. The data was held on a Web application server that allowed external entities an unauthorized level of access without going through the required authentication process if the Web address was known. That situation has since been remedied.
EDS has sent out approximately 4,700 notification letters informing affected beneficiaries of the risk. The envelopes contain a cover letter from Army Maj. Gen. Elder Granger, deputy director, TRICARE Management Activity. They also contain an informational letter about the incident from EDS, including identity protection information.
EDS has established a specific “help line” to handle questions and concerns. The beneficiary notification letters contain a toll-free number—(800) 556–3195—that can be used in the U.S. and from overseas. Those located outside the United States must dial the country’s AT&T USADirect access number first.
EDS is offering beneficiaries put at risk a free, one-year subscription to a credit monitoring and protection service. Through this service, beneficiaries will have access to specialists with a leading identity theft and mitigation firm. These specialists will be able to respond to concerns about any actual identity theft as well as provide more detailed information on credit, fraud and identity theft matters. Additionally, those affected will receive up to $20,000 identity theft protection coverage with no deductible as it relates to this matter.
Additional information about the incident can be found at the TRICARE Web site press room at www.tricare.mil. Information on steps TRICARE beneficiaries can take to protect themselves from identity theft is available at www.tricare.mil/tmaprivacy/itpr.cfm.