In the weeks following last year's TRICARE health information breach, some of the 4.9 million beneficiaries affected became victims of financial fraud tied to their credit cards or banking accounts. That new detail is included in an amended complaint tied to the original class action lawsuit filed in the case, which claims the financial fraud is related to the breach incident.
Eight class action lawsuits have now been filed in the wake of the case. The breach involved the theft of unencrypted computer tapes containing personal information, including Social Security numbers, but not financial data, about TRICARE beneficiaries, officials with the military health program said last year. The tapes were stolen from the parked car of an employee of TRICARE contractor Science Applications International Corp. The employee was responsible for transporting tapes between federal facilities in San Antonio, an SAIC spokesman said last year (see: TRICARE Breach Notification in Works).
On March 8, SAIC filed a request to have all eight lawsuits consolidated into one. Attorneys involved in five cases filed in Washington, D.C., also are seeking to consolidate those cases. The website NextGov.com was the first to post the latest filings in the case.
The amended complaint in the original case, Virginia E. Gaffney, et al. v. TRICARE Management Activity et al., provides details on five individuals affected by the TRICARE breach who reported they were victims of financial fraud. For example, one victim reported her credit card was cancelled due to suspicious activity shortly after the breach. Four others reported fraudulent charges on their credit or debit cards in the weeks after the breach. And two of those also reported unauthorized charges on their bank accounts.
The complaint also includes new allegations about the nature of the breach, contending the thieves were "specifically targeting the confidential information contained on the backup tapes ..."
The backup tapes were left in an SAIC employee's 2003 Honda Civic, which was parked for most of the day Sept. 12, 2011, "in a parking garage of an upscale office building with 24-hour security in downtown San Antonio," the complaint states. "The parking garage where the security breach took place contained many cars that were far more valuable than the 2003 Honda Civic. Yet the thief or thieves, who went to great effort to avoid security, did not break into any of the luxury cars in the garage, targeting instead the relatively inexpensive car containing the confidential data."
A police report about the incident said the car was broken into by breaking a vent window. Also taken in the break-in, according to the report, were a radio/CD player and a GPS unit.
Based on the total number of individuals affected, the TRICARE breach is the largest so far on the federal tally of major breaches reported since the HIPAA breach notification rule took effect in September 2009.