[ISN] Military Medical Breach Revealed

From: InfoSec News (alerts@private)
Date: Mon Jul 23 2007 - 22:06:31 PDT


By Ellen Nakashima and Renae Merle
Washington Post Staff Writers
July 21, 2007

A government contractor handling sensitive health information for 
867,000 U.S. service members and their families acknowledged yesterday 
that some of its employees sent unencrypted data -- such as medical 
appointments, treatments and diagnoses -- across the Internet.

Air Force investigators are probing the security breach at Science 
Applications International Corp. (SAIC) of San Diego, an $8 billion 
defense contractor that holds sensitive government contracts, including 
for information security.

The breach was discovered in May and involved data being processed by 
SAIC under nine health-care data contracts for the military. It was 
detected during routine scanning for questionable network traffic by a 
special military task force that directs the operation of the military's 
computer network, said an Air Force spokeswoman, Jean Schaefer. The task 
force determined that medical data were being sent through a server that 
was not secure against hacker attacks, she said. It is illegal to 
transmit unencrypted health information over the Internet.

So far, there is no evidence that personal data have been compromised, 
but "the possibility cannot be ruled out," SAIC said in a press release. 
The firm has fixed the security breach, the release said.

The disclosure comes less than two years after a break-in at SAIC's 
headquarters that put Social Security numbers and other personal 
information about tens of thousands of employees at risk. Among those 
affected were former SAIC executive David A. Kay, who was the chief U.N. 
weapons inspector in Iraq, and a former director who was a top CIA 

The security breach underscores the systemic problems in corporate and 
government security systems and the vulnerability of military and 
contractor systems to attack. In recent months, e-mail systems at 
military colleges have been attacked and briefly shut down. Last fall, 
hackers operating through Chinese Internet servers shut down a Commerce 
Department bureau computer system for more than a month. And a year ago, 
hackers stole sensitive information from State Department unclassified 

In an April report, the Government Accountability Office reported that 
21 of 24 federal agencies say they have "significant weaknesses in 
information security controls" and that a Department of Homeland 
Security unit reported a record level of information-security incidents 
throughout the federal government last year.

The incident reported yesterday by SAIC "is the most significant 
security-breach investigation in recent months," said Christine 
Millette, a spokeswoman for the Air Force Office of Special 

"It's definitely a black eye for a defense contractor that does a lot of 
classified work," said John Pescatore, an Internet security expert at 
Gartner Inc., a Stamford, Conn., consulting firm. "It definitely will 
impact them in going after future contracts."

About one-third of SAIC's 44,000 employees work in the Washington area.

The files that were transmitted related to military members, Coast Guard 
employees and retirees using military hospitals and health clinics in 
Europe and the United States. The data included names, addresses, Social 
Security numbers, birth dates and health information, some of which was 
coded, said Robert McCord, general manager of SAIC's health solutions 
business unit.

The task force that discovered the lapse, the Joint Task Force Global 
Network Operations Center, alerted the Air Force surgeon general's 
office, which contacted SAIC, Schaefer said.

"We deeply regret this security failure, and I want to extend our 
apologies to those affected by it," SAIC chief executive Ken C. Dahlberg 
said in the press release. "The security failure is completely 

SAIC has offered credit and identity restoration services to any victims 
of related identity theft.

"A number of employees" have been placed on administrative leave while 
the firm conducts its own investigation. Some of the employees worked in 
the SAIC office in Shalimar, Fla., from which data was being sent to 
Europe, McCord said.

The data were stored on a single, SAIC-owned, non-secure server in 
Shalimar, officials said. The contracts were with the Army, Navy, Air 
Force and Department of Homeland Security, which administers the Coast 
Guard. The work was being done in connection with Tricare, the 
health-care system for more than 9 million active-duty soldiers, 
retirees and their families.

In a statement, the Pentagon's Tricare office said the risk to those 
affected was "very low, but the Department of Defense takes these events 
very seriously."

(c) 2007 The Washington Post Company
