The lawsuit, filed on Tuesday in U.S. District Court in Washington, D.C. by four individuals whose information was compromised, seeks $1,000 in damages for all 4.9 million individuals affected by the incident.
The suit charges that defendants Tricare, a health insurance provider for military personnel and their families, as well as the Defense Department and Leon Panetta, the agency's secretary, violated individuals' privacy rights by failing to protect the stolen information from unauthorized disclosure.
The suit contends that the defendants failed to properly encrypt the data, then “intentionally, willfully and recklessly” allowed an untrained individual to access the information. Making matters worse, the defendants then authorized this worker to take the data off government premises.
Specifically, according to the suit, the defendants violated the Privacy Act of 1974, which governs the collection, maintenance, use and dissemination of personally identifiable information maintained by federal agencies, as well as other privacy laws.
The breach, first disclosed in late September, affected those who, from 1992 to Sept. 7 of this year, sought care at military treatment facilities in the San Antonio, Texas area. The stolen data belonged to Tricare, but had been entrusted to Science Applications International Corp. (SAIC), a high-tech defense contractor. The tapes were stolen from a SAIC employee's car. SAIC was not named as a defendant in the lawsuit.
The stolen data included Social Security numbers, addresses and phone numbers, in addition to health assets, such as clinical notes, lab test reports and prescription information.
The plaintiffs of the suit are Adrienne Taylor, of Glendale, Ariz., an Air Force veteran who served in Operation Desert Storm; Virginia Gaffney of Hampton, Va., a military spouse; and Gaffney's two children, all of whom received insurance through Tricare. Because of the breach, the defendants suffered emotionally and lost money as a result of having to purchase credit monitoring solutions.
Tricare downplayed the impact of the breach in September, noting that the risk of harm to affected individuals was “low” since retrieving data off the tapes would necessitate “knowledge of and access to specific hardware and software, and knowledge of the system and data structure.”
A Defense Department spokesman did not respond to a request for comment made by SCMagazineUS.com on Monday.