
Proving it's hard to prevent stupid: Military medical records stolen from car

The records of military service members were stolen through sheer carelessness. Read Bob Eisenhardt's sobering take on the data security lapses committed in this major breach.

Just recently I became aware of a security scandal of major proportions: a frightening breach of medical data that is well worth our collective thought, and our darkest fears.

Science Applications International Corporation, better known as SAIC (those wonderful folks who gave New York City the financial black hole known as CITYTIME), has a disaster on its hands. The medical records of our soldiers have been breached. Stolen, in point of fact. How? Some hacker sitting in a room in China breaching the firewalls? Some theft through a website attack? An HP OfficeJet printer hack?

Here is the insidious theft recipe. Take an open car door, add a few backup tapes on the seat, and park in a hot car for a few hours. Serves one.

First, the scope of the theft: 4.9 million records of military service members, covering the period from 1992 to September 14, 2011, taken in San Antonio, Texas. The cutoff date is absolutely precise. While credit card data was not accessed (so they say), other data such as Social Security numbers were stolen.

Astonishing fact: the data itself was unencrypted, because SAIC claims it does not have the capability to encrypt the data to government standards (in practice, FIPS 140-2 validated cryptography, the same standard every federal laptop disk-encryption product meets). SAIC does nothing but government work and holds major defense contracts with the Pentagon. To claim they lack the encryption standard is amazingly lame. But dear reader, worse is to follow.
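What "encrypt to government standards" amounts to in practice is no more exotic than AES-256 in an authenticated mode, with the key kept somewhere other than the tape. The following is an added example, not SAIC's code or anything from the incident report, showing the one step that would have made the stolen tapes worthless: seal each backup image with AES-256-GCM before it is written to removable media, bind the tape-set label as associated data, and keep the key in a key-management service. The key, the record contents and the tape-set ID "TS-0913" are all constructed for the example. It also illustrates the "employ encryption ... to STORAGE media" recommendation at the end of this piece.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewMediaKey returns a fresh 256-bit data-encryption key. In a real
// deployment the key is generated inside, and never leaves, a FIPS-validated
// HSM or key-management service; only a wrapped copy is ever stored, and
// never on the same media as the backup. Constructed for this example.
func NewMediaKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptForMedia seals one backup image with AES-256-GCM before it is
// written to tape or disk. label (for example the tape-set ID) is bound as
// associated data, so a ciphertext cannot be silently moved to a different
// set without the restore failing. Output layout: nonce || ciphertext || tag.
func EncryptForMedia(key, plaintext []byte, label string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	// A random 96-bit nonce is safe for the modest number of images a backup
	// job produces per key; rotate the key rather than reuse it at scale.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(label)), nil
}

// DecryptFromMedia reverses EncryptForMedia. The GCM tag means that bit-rot,
// heat damage or deliberate modification of the media is detected rather
// than silently restored as garbage.
func DecryptFromMedia(key, blob []byte, label string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("media image too short to be a sealed backup")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(label))
	if err != nil {
		return nil, fmt.Errorf("restore refused: %w", err)
	}
	return pt, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	key, _ := NewMediaKey()
	record := []byte("SSN=123-45-6789;patient=J. Doe;dx=...") // constructed sample record
	blob, _ := EncryptForMedia(key, record, "TS-0913")
	fmt.Printf("bytes on tape: %x...\n", blob[:16])

	thiefKey, _ := NewMediaKey() // the thief has the tape, not the key
	_, err := DecryptFromMedia(thiefKey, blob, "TS-0913")
	fmt.Println("thief without key:", err)

	pt, _ := DecryptFromMedia(key, blob, "TS-0913")
	fmt.Println("authorised restore:", string(pt))
}
```

The design point is that the media carries nothing but ciphertext and a random nonce; everything of value is the 32-byte key in the KMS. A stolen tape then becomes a lost-asset report rather than a 4.9-million-record breach notification, and a tape that baked in a car all day fails loudly at restore instead of feeding corrupted records back into production.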

This is a major scandal that has received almost zero media publicity. Somebody opened the car door and took the tapes, along with a stereo and a GPS device. It's that easy, folks. For all of our technical sophistication, our impregnable firewalls, our locking down of data through encryption, an open car door defeats it every time. For all of our supposed intelligence ... fools rule.

Here is the news link - read this and weep.

http://www.scmagazine.com.au/News/275269,five-million-unencrypted-us-soldier-records-stolen-from-car.aspx

Since starting this heart-wrenching report, I have uncovered more details, all totally depressing. Apparently an SAIC worker was carrying the tapes offsite, transporting them from one secure location to another. Point to point? I have a big problem right here: the tapes were left in the car, parked at 300 Convent Street in downtown San Antonio, ALL DAY, from morning to evening, when the theft occurred on September 13th, and it was not reported until September 14th. It does not take all day to deliver tapes.

Secondly, does anyone know there is a hot thing called a Sun above us, and that San Antonio is a hot location!! Tapes do not survive well in heat. Since backup tapes exist precisely for disaster recovery, even if they had not been stolen, a day baking in a parked car may well have left them unrestorable anyway. But it gets worse, as if that were possible.

One observer could only offer "simple carelessness" as an explanation. Oh, really?

The remediation advice is equally lame. Douglas Pollack, CEO of ID Experts, Inc., said that most data theft comes from "stupid stuff ... mundane human issues such as theft of a laptop or a thumb drive." As Leroy Jethro Gibbs of NCIS would observe, "Ya think?" ID Experts has recommended that "SAIC and TriCare perform periodic assessments to help identify the risks involved with transporting massive amounts of sensitive health care information in a non-secure manner." I don't think that a more bland assessment statement has ever been released, although the Soviet response to Chernobyl or the Kursk sinking may come a close second.

Stupid stuff is the line item we have THE MOST CONTROL OVER. In the world of tech security, I often believe that we are always 5 or 10 minutes BEHIND the bad guys: no matter how good our firewalls and websites, somebody out there is already finding a hole that none of us has yet considered. We can never attain 100% lockdown. But in this instance we have absolute control over the causes of the data theft.

I hesitate to even venture my response, but here goes. Employ encryption, at minimum on everything written to removable STORAGE media, with the key held somewhere other than the media itself. Given the failure rate of tape (my working figure is 47%), use hardware-encrypted hard drives for the copy that leaves the building; and if tape stays in the picture, note that LTO-4 and later drives encrypt in hardware, so the medium is no excuse. In transport, place the media in a locked, opaque case that cannot be seen from outside the vehicle. Point-to-point custody is MANDATORY: drive directly from location to location, with sign-out and sign-in authentication and time stamps at each end. Hand off to cleared personnel at the storage location, and store the case locked, in their view. The employee then returns immediately to work or other duties as assigned. The employee signs for the data and is personally accountable for it.
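The sign-out/sign-in, time-stamp and accountability steps above are what a chain-of-custody record enforces. As an added example (my own illustration, not anything SAIC or TRICARE operates), the following keeps an HMAC-chained custody log so that no entry can be quietly edited or dropped after the fact, and runs the check that should have fired here: media signed out of a site and not signed in at the other end within a transit limit. The tape-set IDs, courier names, sites, times and the signing key in SampleLog are all constructed; the times are illustrative and are not taken from the incident report.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"time"
)

// CustodyEvent is one sign-out or sign-in of a sealed media container. Its MAC
// covers the fields and the previous event's MAC, so records cannot be edited,
// reordered or dropped without breaking the chain.
type CustodyEvent struct {
	Seq                              int
	MediaID, Action, Custodian, Site string // Action is "sign-out" or "sign-in"
	At                               time.Time
	PrevMAC, MAC                     string
}

// CustodyLog is append-only and HMAC-chained. The key belongs to the security
// office, not the courier; the one used in SampleLog is a constructed constant.
type CustodyLog struct {
	key     []byte
	Entries []CustodyEvent
}

// macFor length-prefixes every field so distinct records never serialise alike.
func macFor(key []byte, e CustodyEvent) string {
	m := hmac.New(sha256.New, key)
	for _, f := range []string{fmt.Sprint(e.Seq), e.MediaID, e.Action,
		e.Custodian, e.Site, e.At.UTC().Format(time.RFC3339), e.PrevMAC} {
		fmt.Fprintf(m, "%d:%s;", len(f), f)
	}
	return hex.EncodeToString(m.Sum(nil))
}

// Record appends an event chained to the previous one.
func (l *CustodyLog) Record(mediaID, action, custodian, site string, at time.Time) {
	e := CustodyEvent{Seq: len(l.Entries), MediaID: mediaID, Action: action,
		Custodian: custodian, Site: site, At: at}
	if n := len(l.Entries); n > 0 {
		e.PrevMAC = l.Entries[n-1].MAC
	}
	e.MAC = macFor(l.key, e)
	l.Entries = append(l.Entries, e)
}

// Verify recomputes the whole chain and rejects any edited, reordered or
// missing event. hmac.Equal keeps the MAC comparison constant-time.
func (l *CustodyLog) Verify() error {
	prev := ""
	for i, e := range l.Entries {
		if e.Seq != i || e.PrevMAC != prev || !hmac.Equal([]byte(e.MAC), []byte(macFor(l.key, e))) {
			return fmt.Errorf("event %d: custody chain broken or record altered", i)
		}
		prev = e.MAC
	}
	return nil
}

// OverdueTransfers flags media still out after maxTransit and completed runs
// that exceeded it: the alarm that should have fired while the tapes sat in a
// parked car from morning until evening.
func OverdueTransfers(events []CustodyEvent, maxTransit time.Duration, now time.Time) []string {
	out := map[string]time.Time{}
	var flags []string
	for _, e := range events {
		if e.Action == "sign-out" {
			out[e.MediaID] = e.At
			continue
		}
		if start, ok := out[e.MediaID]; ok && e.Action == "sign-in" {
			if d := e.At.Sub(start); d > maxTransit {
				flags = append(flags, fmt.Sprintf("%s: transit took %s, limit %s", e.MediaID, d, maxTransit))
			}
			delete(out, e.MediaID)
		}
	}
	for id, start := range out {
		if now.Sub(start) > maxTransit {
			flags = append(flags, fmt.Sprintf("%s: signed out %s ago, never signed in", id, now.Sub(start)))
		}
	}
	sort.Strings(flags)
	return flags
}

// SampleNow and SampleLog form a constructed scenario (times illustrative, not
// from the incident report): one all-day transit, one normal run, and one set
// still unaccounted for at SampleNow.
var SampleNow = time.Date(2011, 9, 13, 18, 30, 0, 0, time.UTC)

func SampleLog() *CustodyLog {
	l := &CustodyLog{key: []byte("constructed-demo-key-not-for-production")}
	at := func(h, m int) time.Time { return time.Date(2011, 9, 13, h, m, 0, 0, time.UTC) }
	l.Record("TS-0913", "sign-out", "courier-1", "Site A", at(8, 0))
	l.Record("TS-0914", "sign-out", "courier-2", "Site A", at(9, 0))
	l.Record("TS-0914", "sign-in", "records-clerk", "Site B", at(9, 40))
	l.Record("TS-0915", "sign-out", "courier-3", "Site A", at(10, 0))
	l.Record("TS-0913", "sign-in", "records-clerk", "Site B", at(18, 10))
	return l
}
```

Running OverdueTransfers(SampleLog().Entries, time.Hour, SampleNow) produces two alerts, one for TS-0913 (a 10h10m transit against a one-hour limit) and one for TS-0915 (signed out and never signed in), while TS-0914's 40-minute run passes. The point of the HMAC chain is the second half of accountability: after a loss, nobody can retroactively add a sign-in or move a time stamp to make the record look clean, and Verify() says so immediately.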

I just don't know anymore; maybe I am too smart for government work after all. Maybe I will park my car in town with a few laptops visible and see how long they last. At least my survey results will be valid.

24 comments
SHOCK77777

First of all there is no excuse for this. This guy walked away from his car for 9 hours knowing there were sensitive medical records in his car. Number one, he should outright be fired. And the company should pay through the nose heavily to TriCare and the dependents this affected. However I object completely to anyone or any company transporting medical records. I believe that all individuals should be carrying their own records as they did years ago. When you arrive at a base, you turn in your medical records so the doctors will have access to them when you need care. When you leave that base to go to another or if you are retiring, then you pick up your records. There is no excuse for losing records. The patients have a right to hold onto their own records or determine who, or what is done with them. Enough of this hiring unfit companies to do jobs of importance for big bucks and then finding out they are incapable of providing the services they were hired for. Shame on Tricare, shame on SAIC. Let the soldiers and their families carry their own records. Then they will feel much safer that their medical records are well taken care of.

kansamuse

I just received an email that my personal records may be compromised and went online to make sure it is not another scam. It is a letter to sign up for free credit watch. This is the second time my medical records have been stolen. The first was a break-in. I have worked for contracts for over 11 years and I would like to know what the heck this person was doing having data on a seat in his car and stopping from point A to B, but then again I was thinking it may not be total negligence. The second point is that the government should allow the use of Government property and use procedures as stated above in other posts. Contractors do sign for keeping data secure. Most likely the person had to use their own vehicle without getting paid for mileage and I would not be surprised if the person was not getting paid for the driving time, expecting the individual to do it the next time they are scheduled to work. This may be the reason for the lack of media. I am unemployed but really trying to steer away from contract work; in this area the major employers are schools and the military.

Robiisan

Had better be in Mexico or other parts unknown by now. If not, I would suggest a lifetime in Leavenworth in a hole so deep they have to pipe daylight to him on alternate Wednesdays! His or her only company should be the rest of the SAIC chain of command above his Stucking Fupid a$$. You can't fix it, but maybe you can isolate it well enough, in some cases, to effectively limit its effect on society.

mwclarke1

Government only requires the public sector to adhere to all regulations and law; they themselves are exempt from their own rules.

jtollack

I was in the USAF for 20 years with a TS clearance the entire time, and we had serious policies and procedures for the handling of anything from sensitive all the way up to classified materials. As an active duty person, if I were to have made this same mistake, I would have been court martialed and either gone to jail or been kicked out and fined up to 100K (trust me, I signed enough documents that stated just that). The fact that "contractors" can sometimes have all the same access without all the same responsibilities and consequences really pisses me off, and their salaries are head and shoulders above their active duty counterparts!

SKDTech

It is bad enough that this happened in the first place, but there is no excuse for SAIC not getting an immediate black eye in the media for such a breach. Medical records contain far too much information and anyone handling them should be forced to use proper safeguards, and if they are incapable of protecting them as ordered then they should not be allowed to handle them. As a former servicemember my data could be on those tapes and that does not sit well with me at all.

HAL 9000

The Shit Always Floats to the Top and becomes the Bosses. Just another reason to have nothing at all to do with any form of Bureaucrats or people that they employ. ;) Another perfect example of being unable to rely on Common Sense ever, let alone Legislate for it. :D Col

isenberg

I can't believe (or maybe don't want to...) that this kind of information was being carried around on freakin' cassette tapes. Is that what our contractors are using? Why not put them on 8-track tapes with some rock and roll... How sad.

Tony Hopkinson

That my friends was the sound of about 10,000 lawyers having a simultaneous orgasm.

CharlieSpencer

If this is a routine procedure, why aren't the backups just run from the remote site in the first place? Then the transfer of media becomes unnecessary. I worked for SAIC for three years in the early '90s at a military hospital. I remember it as the time I learned I would never voluntarily work for a government contractor again.

Slayer_

The thief probably has no idea what he has. The lack of media attention is a good thing then, as the thief will probably dispose of the tapes when he realizes they don't work in a cassette player.

Neon Samurai

Well, if the military can't break a Truecrypt encrypted volume with a good password.. hm.. maybe SAIC needs to investigate this possible option? Freaking unbelievably incompetent of them on all accounts.

reisen55

As the author and a newcomer here, I was frankly amazed that SAIC, a major defense contractor, could even permit such a brain dead stupid act!! I can see some local firm sending out a kid to deliver tapes to a secure site by car, but this is a multi-million dollar government contract and SAIC routinely manages very high level stuff!!!! Army logistics, Navy, Marine ... you name it, they do it!! To even claim they cannot encrypt the data is madness. And zero media coverage as compared to CITYTIME which, by the way, was partly written by Technodyne in Wayne NJ and THEIR WEBSITE IS STILL UP!!! Check it out.

carlson1

You don't want public servants because they are lazy, incompetent and overpaid. The private sector is so much more efficient, effective and competitive; well except when they are not. And the contract says you can't really punish them.

jfrankl1

No media coverage; the contractor is probably tied to a Democratic member of the House or Senate.

JCitizen

Gubbamint work - can't do with it - can't do without it. :p

HAL 9000

Have you tried to buy Blank 8 Track Tapes recently? For that matter have you tried to buy recorded 8 Track Tapes that actually work in the last 10 or so years. :D Col

Slayer_

That's gonna take hours to clean up...

AnsuGisalas

that's the only good thing about the mess... Media attention would have ensured another good thing, namely that the suckers get a security overhaul... keep them in line for a few months.

Tony Hopkinson

Guys' probably sold the lot for a pipe of crack. Thousands of servicemen and women now need to hope his dealer is dumf**k too.

sonotsky

The objects in question are backup tapes. Starting with LTO-4, the LTO standard includes onboard encryption through AES256-GCM. You can control it with your backup software, if it's supported, or manually through the drive itself if you've bought even a basic setup (our Dell ML6000 came to $55k three years ago, for 4 LTO4 drives, 128 tape slots, and the library-managed encryption software license). For an agency that performs nothing but government work to not acquire something so readily available and affordable is negligence, pure and simple.

HAL 9000

I might say something sensible. :^0 Col

Tony Hopkinson

Arghh!! Mnnfff SunnnnAAA! Damn, my bad, sorry... That was in no way an indication of culpability, he hastens to edit.
