You can now read 10 articles in a month for free on BostonGlobe.com. Read as much as you want anywhere and anytime for just 99¢.

The Boston Globe

Nation

Suit hits Pentagon over huge 2011 data breach

Alleged lapses touch 4.7m tied to military

WASHINGTON - The bad news piled up quickly for Carol Keller late last year. She was informed in December that her personal and medical information had been stolen nearly four months earlier when a Pentagon contractor left 25 computer tapes in the back seat of a Honda Civic in Texas. That explained the fraudulent purchases from her debit account, the Revere woman contends.

Keller, who is married to a disabled Air Force veteran and relies on the Pentagon-run health insurance program called TRICARE, is among 70,000 military personnel, retirees, and their families across New England who are grappling with the potential fallout of one of the largest-ever breaches of medical data. Nationally, as many as 4.7 million people may be vulnerable.

Continue reading below

Keller insists the theft and unauthorized purchases are related and has joined nearly a dozen others in a class-action lawsuit seeking unspecified damages. Frustrated lawmakers and privacy specialists say the case spotlights what they contend is an ill-designed health system, in which the Pentagon relies on contractors and outdated computer storage technologies to house and transport personal information.

As a result of the outdated system, they say, those who risk their lives for the nation face undue risk of invasion of privacy and identity theft, and national security could be compromised.

“The bottom line is that people in charge of safeguarding our service members’ personal data need to transition from the 20th century to the era of iPads,’’ said Representative Edward J. Markey, who is demanding more answers from the Pentagon on its medical privacy policies. “TRICARE had given me no assurance that it is moving toward such a modern system.’’

Many of the questions concerning standards and technology center on the Pentagon’s use of contractor Science Applications International Corp. The contractor alerted Keller to the September breach weeks later - in a letter titled “urgent.’’

According to the lawsuit filed in federal court in Washington, one of three pending across the country, the breach was the latest involving the contractor, which receives about $20 billion a year in Pentagon contracts.

The contractor “has experienced no fewer than six security failures’’ since 2005 involving privacy data, the suit alleges, including a break-in at a company facility in California in 2005 in which the Social Security numbers and financial transactions of 45,000 top military and intelligence officials were stolen.

Two years later, the company announced that the health records of nearly 900,000 soldiers, their family members, and other government employees were compromised when they were transmitted online without encryption.

“We don’t know what specific instances that they are talking about, whether they are SAIC, whether they might be a vendor of some kind to us, and we don’t want to get into a dialogue about pending litigation,’’ said Vernon Guidry, a spokesman for Science Applications International Corp., also known by its acronym.

But he insisted that the company has no evidence that the information on the computer tapes stolen last year from a San Antonio parking garage was accessed by outsiders. Moreover, Guidry maintained it would be difficult to decipher the tapes.

“Reading the data on the tapes would require knowledge of and access to specific hardware and software, which is commercially available, but would also require knowledge of the system and data structure on the tapes,’’ Guidry said.

Some privacy specialists, however, said that would not be much of a barrier for those seeking a high payoff. In the rapidly advancing world of data protection, computer tapes are considered archaic.

“To read that, you need to get your hands on the proper equipment, but the value of the data itself makes it worth the effort for identity thieves,’’ said Lillie Coney, associate director of the Electronic Privacy Information Center, a public interest research group in Washington.

The contractor uses portable reel-to-reel tapes to store the data, relying on an operating system originally designed in 1977. Such technology is so outdated that there is no way to encrypt the data - standard procedure for storage systems today.

That detail infuriates Markey. “At minimum, TRICARE should require that its contractors, including SAIC, encrypt data before transporting it to a different location,’’ he said. “Yet even after experiencing multiple instances of physical data theft . . . TRICARE still does not mandate that its contractors handling sensitive information implement such a common sense risk mitigation practice.

“This is unacceptable,’’ Markey told TRICARE director Jonathan Woodson in a letter.

The backup tapes, which were being transferred by a Science Applications International employee, contained Social Security numbers, names, addresses, and phone numbers, as well as health data such as clinical notes, laboratory tests, and prescriptions for members of the military, veterans, and their families who received care from the military health system between 1992 and Sept. 7, 2011.

The lawsuit, which names Science Applications International Corp. and the Department of Defense as defendants, also contends that leaving the tapes unguarded in a vehicle, rather than transporting them in an armored car, violated industry practice in the data security field.

The Pentagon and the contractor have insisted that the data did not include credit card, banking, or other financial information. Yet identity theft specialists said that determined thieves could use the information on the tapes - such as Social Security numbers - to access bank accounts or credit card numbers.

“It could be used as breeding information,’’ Robert Siciliano, a consultant for software security giant McAfee, told the Globe. “You could use the data to make a phone call and pose as that person to fool someone to allow access to a bank account.’’

He cautioned, however, that there is no way to know at this point whether the fraudulent transactions asserted in the lawsuit were connected to the data theft. “Debit cards and credit cards are compromised all the time,’’ said Siciliano.

Cynthia Smith, a Pentagon spokeswoman, said military health officials would not comment on the claims of identity theft, citing the ongoing legal cases.

Keller’s fellow plaintiffs include the spouse of a decorated war veteran, the 5-year-old daughter of an Air Force officer, and a retired major. They contend that their credit cards were canceled without their knowledge for suspicious transactions; unauthorized withdrawals were made from their bank accounts; and telemarketers hound them.

“Mrs. Keller and her husband have spent many hours remedying these fraudulent charges and communicating with her debit cards’ banks,’’ according to the complaint. “Additionally, Mrs. Keller has a sensitive medical condition which had been disclosed as a result of the security breach, and the revelation of her condition has caused her and her spouse to suffer on inordinate amount of emotional distress.’’

Keller did not respond to requests for an interview and her lawyer, Jeremiah Frei-Pearson said he could not comment on the lawsuit.

Coney said concerns about the breach extend to issues of national security.

“This involves military personnel and their families,’’ Coney said. The data “reveals a lot of information that shouldn’t be in the hands of anyone.’’

Bryan Bender can be reached at bender@globe.com. Follow him on Twitter @GlobeBender

You have reached the limit of 10 free articles in a month

Stay informed with unlimited access to Boston’s trusted news source.

  • High-quality journalism from the region’s largest newsroom
  • Convenient access across all of your devices
  • Today’s Headlines daily newsletter
  • Subscriber-only access to exclusive offers, events, contests, eBooks, and more
  • Less than 25¢ a week