TRICARE Hit with $4.9 Billion Suit Following Breach

Following a huge breach of protected health information from TRICARE, the insurer for the military health system, a $4.9 billion lawsuit seeking class action status for 4.9 million affected individuals has been filed.

The suit, seeking $1,000 for each affected individual, accuses TRICARE, the Department of Defense, and Defense Secretary Leon Panetta of violating the federal Administrative Procedures Act and the federal Privacy Act of 1974.

The suit follows TRICARE's Sept. 29 announcement that contractor Science Applications International Corp. reported the stealing from a car of back-up tapes containing protected information on patients treated in San Antonio military facilities between 1992 and Sept. 7, 2011. Information on the tapes included names, addresses, phone numbers, clinical notes, laboratory tests, prescriptions and Social Security numbers.

SAIC reported loss of the tapes to TRICARE on Sept. 14 and patient notifications started on or around Sept. 29. The lawsuit contends that TRICARE's operations manual requires notification not later than 10 days after discovery. The suit also alleges that Defense has been "repeatedly informed of recurring, systemic, and fundamental deficiencies in its information security, but has failed to effectively respond."

Four individuals--a military spouse and her two children in Virginia, and an Air Force veteran in Arizona--filed the suit. The law firm representing the plaintiffs is Shulman, Rogers, Gandal, Pordy & Ecker in Potomac, Md.

TRICARE is presently not offering free credit and fraud protection services, but recently said further investigation will determine whether safeguards are necessary. If credit and fraud protection services are offered, SAIC will pay the costs.

The lawsuit asserts the two adult plaintiffs initiating legal action have incurred economic loss by purchasing credit monitoring services on their own, and they and the children have "suffered emotional upset" because of the invasion of privacy. ComputerWorld magazine recently noted that several courts have ruled that consumers cannot claim damages in a breach case unless they can demonstrate actual financial loss.

The TRICARE lawsuit asks for 11 orders from the court, including:

* Ruling that defendants TRICARE and Defense violated and continue to violate patient rights under federal laws,

* Awarding damages of $1,000 for each adversely affected individual,

* Providing affected individuals with free credit monitoring services and reimbursement to those who have purchased such services, as well as assistance with any credit-related or emotional harm,

* Prohibiting defendants from transporting any confidential records by non-secure means and unless the records are properly encrypted,

* Requiring defendants to set up proper systems and procedures to maintain the privacy of protected information, and

* Prohibiting defendants and SAIC from transferring any records until an independent expert panel finds that adequate information security has been established.

The class action suit against TRICARE and Defense is the second recent legal class action case filed against a covered entity following a breach. Stanford Hospital and Clinics says it will fight a $20 million lawsuit filed after protected health information for approximately 20,000 patients was found on a public Web site. That suit also seeks $1,000 for each affected individual.

TRICARE does not comment on potential or actual litigation, according to a spokesperson. For a copy of the lawsuit filed against TRICARE and Defense, send an e-mail to


For reprint and licensing requests for this article, click here.