U.S.

Massive Military Medical Info Theft

By Lloyd Vries

December 31, 2002 / 8:39 AM EST / CBS

A reward is being offered in the theft of personal information from more than 500,000 Pentagon medical files.

A Pentagon health care contractor -- TriWest Healthcare Alliance -- is offering $100,000 for information leading to the arrest and conviction of those who stole the information.

The Federal Trade Commission said computer hard drives containing the information were taken earlier this month -- and contain Social Security numbers, medical claims histories and other private data on members of the military and their families.

A Tri-West company spokesman stressed that the stolen information was not patient medical records, but other types of personal information.

Authorities say it could become one of the largest identity thefts on record if the information is misused. So far, the company says there's no indication that any client's information has been misused.

U.S. Attorney Paul Charlton says investigators are looking at all motives and possibilities, but he says there's nothing to indicate the crime was tied to terrorism.

The Defense Department is computerizing the medical records of all military personnel and their families, but just as the project gets past the experimental phase officials are grappling with the theft of thousands of records from a Pentagon health care contractor.

"I am not aware of a larger case, but at this point we don't know if any people have experienced identity theft," said Betsy Broader, assistant director of the FTC's division of planning and information.

Authorities said thieves took computer equipment and files with the sensitive information during a break-in Dec. 14 at TriWest, a defense contractor that provides managed health care for military personnel in 16 states. It serves about 1.1 million active-duty personnel, their dependents and retirees.

With a person's name, birth date and Social Security number, someone could easily open credit accounts and create fake documents like drivers licenses, Broader said, but officials say they do not yet know the motives or skill level of the thieves.

Last month, three men were charged with allegedly running a high-tech scheme to steal credit information from thousands of victims, a crime authorities said represented "every American's worst financial nightmare multiplied tens of thousands of times."

Losses from that scam were put at $2.7 million and could grow as more victims are identified. U.S. Attorney James B. Comey said credit information for some 30,000 people was stolen.

David McIntyre, TriWest president and chief executive, said health care service would not be disrupted as a result of the theft from his company.

The breach comes as the Pentagon is building a network to computerize the entire military health care system, including the patient records of 8.7 million service members, retirees and their families who receive medical care under Pentagon programs.

The Pentagon is planning to roll out the project at up to seven military hospitals across the nation after successfully testing the concept at four locations. The system eventually will be expanded worldwide.

The Defense Department hailed the Composite Health Care System II, or CHCS II, as a potential "data gold mine" for military physicians and other health care professionals that will provide quick and easy access to military patient records worldwide.

Though the TriWest computers have no connection to the larger project, they did include information gathered for military health care, including names, addresses, medical claim histories and a small number of credit card numbers.

Pentagon officials nonetheless are taking the breech "very seriously" and are "going to learn from this issue and do what's necessary" to better guard such information in the future, spokesman Jim Turner said.

When the large computerization of military health records is completed, the bigger threat won't be a physical removal of computer hard drives but rather the potential theft of records from hackers who try to break into military computer networks, officials said.

Privacy experts are on the lookout for potential security lapses or unnecessary intrusions into people's personal information as the Pentagon puts more personal information into digital form.

"This makes it easier to find the information but also makes it easier for criminals" to access it, Ari Schwartz, associate director at the Center for Democracy and Technology, said of CHCS.

The Pentagon recently received an "F" grade for its computer security from the House Government Reform subcommittee on government efficiency, financial management and intergovernmental relations.

Bonnie Heald, the subcommittee's staff director, referred to the Pentagon's score of 38 out of 100 as "an abysmal failure."

The report did not take into account CHCS, which was too new to be included.

According to the Justice Department, there are 500,000 to 700,000 cases of identity theft in the United States each year, and 42 percent of the complaints to the Federal Trade Commission concern identity theft.