US Defense faces $4.9b lawsuit for unencrypted data breach

The US Department of Defense is facing a $4.9 billion class-action lawsuit stemming from the breach of computer backup tapes containing the personal information of nearly five million current and former US soldiers.

The data was stolen from unencrypted backup tapes stored inside a car.

The lawsuit was filed last week in US District Court in Washington by four individuals whose information was compromised.

It seeks $1000 in damages for all 4.9 million individuals affected by the incident.

The suit charges that defendants Tricare, a health insurance provider for military personnel and their families, as well as the Defense Department and Leon Panetta, the agency's secretary, violated individuals' privacy rights by failing to protect the stolen information from unauthorised disclosure.

The suit contends that the defendants failed to properly encrypt the data, then “intentionally, willfully and recklessly” allowed an untrained individual to access the information.

Making matters worse, the defendants then authorised this worker to take the data off government premises.

According to the suit, the defendants violated the US Privacy Act that governs the collection, maintenance, use and dissemination of personally identifiable information maintained by federal agencies, as well as other privacy laws.

The breach, first disclosed in late September, affected those who, from 1992 to 7 September this year, sought care at military treatment facilities in the San Antonio, Texas area.

The stolen data belonged to Tricare, but had been entrusted to Science Applications International Corp. (SAIC), a high-tech defense contractor.

The tapes were stolen from a SAIC employee's car. SAIC was not named as a defendant in the lawsuit.

The stolen data included Social Security numbers, addresses and phone numbers, in addition to health assets, such as clinical notes, lab test reports and prescription information.

The plaintiffs of the suit are an Air Force veteran, a military spouse and her two children, all of whom received insurance through Tricare.

Because of the breach, the defendants suffered emotionally and lost money as a result of having to purchase credit monitoring solutions.

Tricare downplayed the impact of the breach in September, noting that the risk of harm to affected individuals was “low” since retrieving data off the tapes would necessitate “knowledge of and access to specific hardware and software, and knowledge of the system and data structure.”

A Defense Department spokesman did not respond to a request for comment on Monday.

This article originally appeared at scmagasineus.com