Hackers access personal information on TRICARE servers

Hackers gained access to the Pentagon's health insurance information systems, compromising the personal information of more than 14,000 people, the Defense Department announced Friday.

The intrusion of the TRICARE Management Activity public computer servers was discovered on April 5, but no information is available on when it occurred. A department official who requested anonymity said there was a delay of more than four weeks in releasing the information because of the time needed to determine the extent of the intrusion.

The hacked information included databases of names, Social Security numbers, the last four digits of credit card numbers, personal phone numbers, work and personal e-mail addresses and home addresses.

The Defense Criminal Investigative Service is participating in an investigation of the incident.

Assistant Defense Secretary for Health Affairs William Winkenwerder said the department responded swiftly to the intrusion, immediately implementing enhanced security controls throughout the network and installing additional monitoring tools to improve the security of data files and networks.

"Such incidents are reprehensible, and we deeply regret the inconvenience this may cause the people we serve," Winkenwerder said in a statement.

Information on the steps the department is taking to prevent another intrusion is confidential because releasing it would "alert the criminals on the countermeasures," the department official said.

The department sent affected people letters informing them that the compromise of their personal information could put them at risk for identity theft and recommending precautionary measures.

The information contained in the accessed files and databases varied, the department said, and investigators do not know the hacker's intent or if any of the information will be misused.

The official said some of the information accessed was provided by people attending conferences and was related to health conditions, such as the need for a wheelchair or a special diet. One of the conferences affected was a TRICARE-related event involving computer fraud.

Official medical record databases were not touched, the Defense official said.

While the Defense Department said "routine monitoring" detecting unusual activity led to the discovery, Alan Paller, research director of the nonprofit cybersecurity research group the SANS Institute, said that often means officials "accidentally stumbled over" the breach.

Paller said the department has yet to disclose enough information to determine the nature of the incident.

Bruce Brody, former Energy Department chief information security officer and now vice president for information security at the government market analysis firm INPUT, said he credits the department for detecting the intrusion, fixing it and then going public.

"Intrusions are probably going on all over the government and many of them are undetected, and therefore the vulnerabilities are not fixed," Brody said.

Lynn McNulty, (ISC)2 government affairs director and a member of the Information Security and Privacy Advisory Board established by the 2002 Federal Information Security Management Act, said it looks like the Defense Department handled the problem adequately, but it will be interesting to see further details.

"A security problem of this magnitude on this level underscores the need to address security as a fundamental issue on the development and implementation of any national electronic health care record initiative," McNulty said.