By Michael Kline and Elizabeth Litten
[Capitalized terms not otherwise defined in this Part 3 shall have the meanings assigned to them in Parts 1 and 2.]
The Public Statement reports that SAIC and Tricare are cooperating in the notification process but that no credit monitoring or restoration services will be provided in light of the “low risk of harm.” This was in contrast to the decision of Nemours in the Nemours Report to provide such services.
Since the release by SAIC of the Public Statement, Law 360 has reported that
(i) According to Tricare, SAIC was “on the hook for the cost of notifying nearly 5 million program beneficiaries that computer tapes containing their personal data had been stolen”;
(ii) A putative class action lawsuit was filed against Tricare and DoD (but not SAIC) respecting the 2011 Breach; and
(iii) Another putative class action lawsuit was filed against SAIC (but not Tricare and DoD) respecting the 2011 Breach.
Further review of SAIC and its incidents regarding PHI reveals that the 2011 Breach was not the first such event for SAIC. However, it appears to be the first such breach since the adoption of the Breach Notification Rule in August of 2009.
On July 21, 2007, The Washington Post reported that SAIC had acknowledged the previous day that “some of its employees sent unencrypted data — such as medical appointments, treatments and diagnoses — across the Internet” that related to 867,000 U.S. service members and their families. The Post article continues:
So far, there is no evidence that personal data have been compromised, but ‘the possibility cannot be ruled out,’ SAIC said in a press release. The firm has fixed the security breach, the release said.
Embedded later in the Post article is the following:
The [2007] disclosure comes less than two years after a break-in at SAIC’s headquarters that put Social Security numbers and other personal information about tens of thousands of employees at risk. Among those affected were former SAIC executive David A. Kay, who was the chief U.N. weapons inspector in Iraq, and a former director who was a top CIA official.
It is not clear whether the earlier 2005 breach reported in the Post involved PHI or other personal information.
On January 20, 2009, SPAMfighter reported that SAIC had informed the Attorney General of New Hampshire of a data breach that had occurred involving malware. The SPAMfighter report continues that SAIC wrote a letter to many affected users to inform them about the potential compromise of personal information. (A portion of such personal information would have been deemed PHI had it been part of health-related material.)
The SPAMfighter report also discloses the following:
Furthermore, the current [2009] breach at SAIC is not the only one. There was one other last year (2008), when keylogging software managed to bypass SAIC’s malware detection system. That breach had exposed mainly business account information.
As of the date of this blog post, the “News Releases” section on the SAIC Web site has no reference to the 2011 Breach. Nor does the “SEC Filings” section under “Investor Relations” on the SAIC Web site indicate any recent SEC filing that discloses the 2011 Breach.
Coincidentally, the SEC issued a release on October 13, 2011 containing guidelines for public companies regarding disclosure obligations relating to cybersecurity risks and cyber incidents. In the context of SAIC, an $11 billion company, while the actual costs of notification and remediation of the 2011 Breach may run into millions of dollars, the 2011 Breach may not be deemed by its management a “material” reportable event for SEC purposes.
It is likely that much more will be heard in the future about the mammoth 2011 Breach and its aftermath, which may give covered entities and their business associates valuable information and guidance to consider in identifying and confronting a future large PHI security breach. The 2011 Breach has not yet even appeared on the HHS List. The regulatory barriers preventing private actions under HIPAA/HITECH may be tested by the putative class action lawsuits. It will also be interesting to see whether the cooperation of SAIC with Tricare and DoD may wither in the face of the pressures of the lawsuits and potential controversy regarding the decision of SAIC not to provide credit monitoring and identity theft protection to affected individuals.