More than 562,000 TriCare beneficiaries across a 16-state area received a worrisome letter from their support contractor in late December 2002. All of their personal information kept by TriWest Healthcare Alliance Corporation, the managed care contractor for TriCare's central region, had been stolen.
On 14 December, a thief or thieves removed every computer hard drive on which TriWest kept enrollment and claims information. Taken were names, addresses, phone numbers, Social Security numbers, claims data, and other information on every TriCare beneficiary using TriWest in the region. The region includes Arizona, Colorado, Idaho, Iowa, Kansas, Minnesota, Missouri, Montana, Nebraska, Nevada, New Mexico, North Dakota, South Dakota, Utah, Wyoming and western Texas, including El Paso.
"This is theft of information, pure and simple," said David J. McIntyre Jr., president of TriWest, in a phone interview.
Potential victims of one of the largest identity theft cases in recent memory include tens of thousands of active-duty service members who were listed as sponsors to enrolled family members or who had used civilian doctors themselves. The potential for financial mischief through bogus credit card applications, access to e-mail, and false identifications was clear. But the stolen data also might create risks to national security and to personal safety in light of the war on terror.
After the theft, in a move akin to closing the barn door after prized horses are gone, TriCare officials established a health information security task force to assess how TriWest and other support contractors maintain beneficiary information and files.
For the past year, TriWest had housed its main computers in an industrial park office in northwest Phoenix. Company executives said it appeared the thieves gained access to the property manager's office, stole a master electronic key, and entered TriWest spaces with relative ease. The offices were not protected by surveillance cameras or night watchmen. Electronic door records showed the thief was confident enough about not getting caught to make two trips in and out of the secured area.
The stolen files involved any beneficiary of TriWest back to 1 October 1999. They covered several categories of beneficiaries in the central region who had contact with TriWest: current and former TriCare Prime enrollees; active-duty members who had used TriCare Prime Remote or a civilian provider since October 1999; TriCare Senior Prime beneficiaries in a Colorado Springs demonstration; and TriCare Prime enrollees who reached age 65 and were disenrolled. No files on TriCare Standard users were stolen.
In the letter to all beneficiaries, TriWest provided advice on actions to take to protect against identity theft or misuse of personal data.
"These efforts to quickly identify and inform beneficiaries should help deter or prevent identity theft crimes," said Dr. William Winkenwerder Jr., Assistant Secretary of Defense for Health Affairs, in a written statement.
"Trust remains the bedrock of a successful doctor-patient relationship," he said, "and the expectations that our service members, retirees and families rightly have. Electronic sharing of health care information provides great advances in patient safety.... But, there are risks in electronic communications that must be identified and measures implemented to prevent or manage those risks."
No misuse of stolen information had been reported by early January.
"We and the Department of Defense obviously are concerned for individuals whose personal records were stolen," said McIntyre. "We hope that the intent was not to steal the identities of individuals.... But we are operating on the assumption we need to take every measure to assist beneficiaries [with the] steps they can take to protect their information."
Defense officials assembled a health information security task force in early January, composed of medical leaders and information system experts. They were to recommend steps to improve security of beneficiary files, after consulting with TriCare contractors.
TriWest is one of only four contractors with deals to provide care to service members, retirees, and family members through civilian provider networks. These four and, presumably, other managed care contractors were to deliver bids in January for the next generation of TriCare support contracts, which could be worth billions of dollars. Defense officials pushed back the deadline for bids by several weeks following the theft.
Medical services were not interrupted. TriWest used back-up tapes to restore the stolen files within three hours of the theft's discovery, McIntyre said. Irked defense officials, however, said they got word of the theft six days after it occurred.
Beneficiaries in the region are urged to call a toll-free number if they suspect their identity or personal data has been misused. The number is (888) 339-9378. Also, with an e-mail to [email protected], beneficiaries can receive the latest information on the theft and advice on protecting themselves against identity theft.
TriWest, meanwhile, announced a $100,000 reward for information leading to the capture and prosecution of those responsible and recovery of the stolen property. The Defense Criminal Investigative Service was leading the investigation, assisted by the FBI and other law enforcement agencies.