News Feature | May 16, 2014

Judge Tosses Most Claims In DoD, TRICARE Data Breach Case


By Christine Kern, contributing writer


Most Claims in TRICARE Consolidated Class Action Lawsuit Dismissed

Health Data Management reports that most of the claims in a class action lawsuit filed against the Department of Defense, its TRICARE health insurance program and vendor Science Applications International Corp. have been dismissed by a federal district judge. The suit followed a massive data breach in 2011 that affected some 4.7 million individuals, including military members and their families.

The breach occurred when a thief broke into an SAIC employee’s car in September 2011, taking a GPS system, stereo, and several data backup tapes. The tapes contained protected health information including names, addresses, phone numbers, medical information such as clinical notes and lab tests, and Social Security numbers, but no credit/debit or bank account data. The tapes concerned patients treated in San Antonio, TX facilities between 1992 and Sept. 7, 2011. In initial notifications of the breach, TRICARE did not offer protection services, but after further investigation, SAIC offered affected individuals one year of paid credit monitoring and identity theft protection services.

In his May 9 ruling, U.S. District Judge James Boasberg of the District of Columbia acknowledges that a handful of the 33 plaintiffs selected to participate in the suit on behalf of the entire class claim to have suffered actual identity theft and have clearly suffered an injury.

Of the 33 plaintiffs in the eight class action suits that were consolidated, only two “do plausibly assert that their data was accessed or abused, and those victims may move forward with their claims,” he wrote in his May 9 ruling from the U.S. District Court in D.C. However, at least 24 other plaintiffs cannot demonstrate harm, alleging only a risk of identity theft. He noted, “At this point, the likelihood that any individual Plaintiff will suffer harm remains entirely speculative.”

In the ruling, Boasberg outlines the multiple steps a criminal would have to take: understand the value of the tapes, find and attach a tape reader to a computer, acquire software to upload data from the tapes to a computer, decrypt a portion of the data that was encrypted, understand TRICARE’s database format, which may require special software, and then “either misuse a particular Plaintiff’s name and Social Security number (out of 4.7 million TRICARE customers) or sell that Plaintiff’s data to a willing buyer who would then abuse it. The vast majority of Plaintiffs has not alleged that any of those things happened – because they cannot. Those events are entirely dependent on the actions of an unknown third party – namely, the thief.”

Although Boasberg acknowledged the anxiety of those affected by the breach as they watch for unauthorized activity on their credit reports, he stated, “The Supreme Court, however, has held that an ‘objectively reasonable likelihood’ of harm is not enough to create standing, even if it is enough to engender some anxiety. Plaintiffs thus do not have standing based on risk alone, even if their fears are rational.

“Nor is the cost involved in preventing future harm enough to confer standing, even when such efforts are sensible. There is, after all, nothing unreasonable about monitoring your credit after a data breach. In fact, that is exactly what TRICARE and SAIC advised Plaintiffs to do – and what SAIC, in part, offered to pay for.”

The full 28-page ruling is available HERE.