Harris & Ruble Files Class-Action Lawsuit Vs. SAIC

Harris & Ruble, a class-action law firm based in Los Angeles, announced their filing of a class-action lawsuit against Science Applications International Corporation, Inc. (SAIC), a TRICARE Management Authority contractor, alleging the company did not properly safeguard medical information for an estimated 4.9 million military clinic and hospital patients affected by the mid-September 2011 theft of computer backup tapes from the unattended personal vehicle of an SAIC employee.

Filed in the United States District Court for the Northern District of California, the class-action lawsuit alleges that SAIC was negligent in protecting patient information stored on backup tapes and that SAIC failed to properly notify patients within the time frame required by law.

In September 2011, backup tapes with unencrypted patient data were stolen when left in an SAIC employee’s personal vehicle parked in an unattended public garage. SAIC has already had six prior security breaches concerning sensitive private information-one being a similar security breach in which computer backup tapes were stolen. Patients only learned of the security breach two months after the release of information, when notices were belatedly sent by SAIC in November 2011.

The backup tapes contained electronic healthcare records used in the military health system to capture patient data from 1992 through September 7, 2011. The stolen data includes personal health information consisting of patient information for filling pharmacy prescriptions, laboratory workups, Social Security numbers, addresses, telephone numbers, and some personal health data, such as clinical notes, laboratory tests, prescriptions, and other health information.

SAIC "utterly failed to protect private medical information for the millions of patients who entrusted it with their healthcare and private information," said Attorney Alan Harris. "Securing encrypting technology was not a priority for SAIC and now patients will have to worry about what medical or other private information is out there for others to view. SAIC’s statement that it withheld information about the breach from patients so as not to raise undue alarm among its beneficiaries is simply inexcusable. That SAIC is now, after the fact, reviewing its data-protection security policies to prevent similar breaches in the future does not excuse the failure to safeguard the confidential information that has already been disclosed."