Another military data breach we never heard about? (updated)

By dissent, January 19, 2008 12:44 pm

Back in July 2007, we learned that Science Applications International Corp. (SAIC) had been transmitting unencrypted data on 600,000 military personnel and their dependents. At the time, we were told that although it was a “possibility,” there was no evidence that anyone had hacked in or accessed the data.

Why, then, did an analyst for the Department of Homeland Security recently tell a workshop at the National Institute of Standards and Technology that foreign computer hackers — primarily from Russia and China — are attempting to steal U.S. health care records and mention, in that context, a military health system containing Tricare records being hacked in April 2007?

Was there an April 2007 hack involving Tricare that was never disclosed to the public? Or is this the same SAIC incident where we were told that there was no evidence of any access?

What’s going on here?

And of course, why would foreign hackers want to steal U.S. health care records? That’s certainly cause for concern, if it is true.

Update of Jan. 29th:

As a follow-up to the questions raised above, I contacted the Dept. of Homeland Security to request clarification. A DHS spokesman informed me that:

1. For any particular hack, it’s often impossible to know exactly the location of the hacker, so the headline in the Government Health IT story should have read “Hackers” and not “Foreign hackers;”

2. The statement that hackers had been focused on the [Dept. of Defense] and were now branching out to the healthcare private sector was inaccurate as the DHS does not have enough information to make this assessment;

3. If hackers were to try to access healthcare records, it could be for any one of a number of reasons: for purposes of blackmail, for fraud, for espionage, for revenge, or to gain a strategic advantage;

4. At this time, the DHS has no knowledge of any attempts to hack networks for the express purpose of obtaining health records;

5. The DHS does not have, and is not interested in developing, a database of health information system intrusions, as reported in the original news story; and

6. The TRICARE incident referred to in the original story was, indeed, the SAIC incident reported in July 2007, and as had been reported on PogoWasRight.org and in a subsequent American Forces Press Service release, there was exposure due to lack of a firewall but no evidence of a hack. Referring to the incident as a hack was an error.

Thanks to the DHS for clarifying this.

2 Responses to “Another military data breach we never heard about? (updated)”

  1. Peter says:

    We posted about this last week – http://securitymusings.com/article/234/foreign-hackers-and-your-health-care-data – and glad to see these clarifications and corrections. I’ve added a comment to our story to link back here. Thanks for the digging with DHS to clarify.

  2. dissent says:

    You’re welcome. What I thought odd was that when Bruce posted the story, I commented on it on his blog and linked to the clarification, but despite that, people continued to discuss the original story as if it hadn’t been corrected. I guess it’s more fun to speculate, at times. :)