Military Medical Breach Revealed - Unencrypted Data Sent Via Internet

Washington Post ^ | July 21, 2007 | Ellen Nakashima and Renae Merle

[neverdem]

A government contractor handling sensitive health information for 867,000 U.S. service members and their families acknowledged yesterday that some of its employees sent unencrypted data -- such as medical appointments, treatments and diagnoses -- across the Internet.

Air Force investigators are probing the security breach at Science Applications International Corp. (SAIC) of San Diego, an $8 billion defense contractor that holds sensitive government contracts, including for information security.

The breach was discovered in May and involved data being processed by SAIC under nine health-care data contracts for the military. It was detected during routine scanning for questionable network traffic by a special military task force that directs the operation of the military's computer network, said an Air Force spokeswoman, Jean Schaefer. The task force determined that medical data were being sent through a server that was not secure against hacker attacks, she said. It is illegal to transmit unencrypted health information over the Internet.

So far, there is no evidence that personal data have been compromised, but "the possibility cannot be ruled out," SAIC said in a press release. The firm has fixed the security breach, the release said.

The disclosure comes less than two years after a break-in at SAIC's headquarters that put Social Security numbers and other personal information about tens of thousands of employees at risk. Among those affected were former SAIC executive David A. Kay, who was the chief U.N. weapons inspector in Iraq, and a former director who was a top CIA official.

The security breach underscores the systemic problems in corporate and government security systems and the vulnerability of military and contractor systems to attack. In recent months, e-mail systems at military colleges have been attacked and briefly shut down. Last fall, hackers operating through Chinese Internet servers shut down a Commerce Department bureau...

[LibFreeOrDie]

former SAIC executive David A. Kay, who was the chief U.N. weapons inspector in Iraq

Interesting...

[SoldierMedic]

The data were stored on a single, SAIC-owned, non-secure server in Shalimar, officials said. The contracts were with the Army, Navy, Air Force and Department of Homeland Security, which administers the Coast Guard. The work was being done in connection with Tricare, the health-care system for more than 9 million active-duty soldiers, retirees and their families.

[neverdem]

Check out Friends in High Places.

There's nothing new under the sun. It seems we have little reason to trust the gov't or the private sector. Granted this is from PBS, but there's no reason to be throwing softballs to the left over the plate.

[xenophiles]

It is illegal to transmit unencrypted health information over the Internet.

And yet nobody will go to jail and the company will not pay a significant fine. And once this blows over -- and it will -- they will get more contracts (just look at Diebold). So how can any executive justify spending money on security?

[neverdem]

Drug Safety Critic Hurls His Darts From the Inside

Doctor’s Work in Ultrasound Images Aids Drug Industry

FReepmail me if you want on or off my health and science ping list.

[neverdem]

So how can any executive justify spending money on security?

Start prosecuting their @sses. Stop awarding contracts to them.

[Squantos]

SAIC Professionalism........