Military Medical Breach Revealed

By Ellen Nakashima and Renae Merle
Washington Post Staff Writers
Saturday, July 21, 2007

A government contractor handling sensitive health information for 867,000 U.S. service members and their families acknowledged yesterday that some of its employees sent unencrypted data -- such as medical appointments, treatments and diagnoses -- across the Internet.

Air Force investigators are probing the security breach at Science Applications International Corp. (SAIC) of San Diego, an $8 billion defense contractor that holds sensitive government contracts, including for information security.

The breach was discovered in May and involved data being processed by SAIC under nine health-care data contracts for the military. It was detected during routine scanning for questionable network traffic by a special military task force that directs the operation of the military's computer network, said an Air Force spokeswoman, Jean Schaefer. The task force determined that medical data were being sent through a server that was not secure against hacker attacks, she said. It is illegal to transmit unencrypted health information over the Internet.

So far, there is no evidence that personal data have been compromised, but "the possibility cannot be ruled out," SAIC said in a press release. The firm has fixed the security breach, the release said.

The disclosure comes less than two years after a break-in at SAIC's headquarters that put Social Security numbers and other personal information about tens of thousands of employees at risk. Among those affected were former SAIC executive David A. Kay, who was the chief U.N. weapons inspector in Iraq, and a former director who was a top CIA official.

The security breach underscores the systemic problems in corporate and government security systems and the vulnerability of military and contractor systems to attack. In recent months, e-mail systems at military colleges have been attacked and briefly shut down. Last fall, hackers operating through Chinese Internet servers shut down a Commerce Department bureau computer system for more than a month. And a year ago, hackers stole sensitive information from State Department unclassified computers.

In an April report, the Government Accountability Office reported that 21 of 24 federal agencies say they have "significant weaknesses in information security controls" and that a Department of Homeland Security unit reported a record level of information-security incidents throughout the federal government last year.

The incident reported yesterday by SAIC "is the most significant security-breach investigation in recent months," said Christine Millette, a spokeswoman for the Air Force Office of Special Investigations.

"It's definitely a black eye for a defense contractor that does a lot of classified work," said John Pescatore, an Internet security expert at Gartner Inc., a Stamford, Conn., consulting firm. "It definitely will impact them in going after future contracts."

About one-third of SAIC's 44,000 employees work in the Washington area.

The files that were transmitted related to military members, Coast Guard employees and retirees using military hospitals and health clinics in Europe and the United States. The data included names, addresses, Social Security numbers, birth dates and health information, some of which was coded, said Robert McCord, general manager of SAIC's health solutions business unit.

The task force that discovered the lapse, the Joint Task Force Global Network Operations Center, alerted the Air Force surgeon general's office, which contacted SAIC, Schaefer said.

"We deeply regret this security failure, and I want to extend our apologies to those affected by it," SAIC chief executive Ken C. Dahlberg said in the press release. "The security failure is completely unacceptable."

SAIC has offered credit and identity restoration services to any victims of related identity theft.

"A number of employees" have been placed on administrative leave while the firm conducts its own investigation. Some of the employees worked in the SAIC office in Shalimar, Fla., from which data were being sent to Europe, McCord said.

The data were stored on a single, SAIC-owned, non-secure server in Shalimar, officials said. The contracts were with the Army, Navy, Air Force and Department of Homeland Security, which administers the Coast Guard. The work was being done in connection with Tricare, the health-care system for more than 9 million active-duty soldiers, retirees and their families.

In a statement, the Pentagon's Tricare office said the risk to those affected was "very low, but the Department of Defense takes these events very seriously."

© 2007 The Washington Post Company