Five members of the House of Representatives have sent a letter to TRICARE Management Authority concerning the recent SAIC breach that affected over 4.9 million members of the military and their dependents.
In a series of questions, the legislators ask for details as to TRICARE’s policies and, in particular, any policies or contracts it had for SAIC. Noting that SAIC had experienced at least six prior breaches, they also ask what steps TMA took since these breaches and what steps it will take to prevent future incidents.
Actually, this is a killer letter that I encourage you to read in its entirety. Kudos to Reps. Markey, Barton, DeGette, Stearns, and Andrews for asking the right questions – including why TMA continued and continues to deal with SAIC in light of its track record.
I can’t wait to see the answers, which they’ve requested be provided by February 22.
In a press release today, Deborah Peel, M.D., of Patient Privacy Rights, said:
The fact that SAIC has continued to get billions in funds from the federal government despite repeated breaches of sensitive health information shows also that the federal process of awarding, monitoring and auditing, and assuring performance of billion-dollar contracts needs investigation.
Providers, healthcare organizations, and technology companies that do not use state-of-the-art data security for health information should not be allowed to work in the healthcare field. If you are unwilling to protect patient data, you don’t belong in healthcare.
The SAIC letter I received about this was quite lengthy and basically said, we’re sorry. We take this sort of thing very seriously (yep, sure) and we are offering you a measly 1 year ID theft program. Call them if you need anything.
The letter didn’t have a return address for SAIC, nor any phone or email contacts. I perceived this as a “washing their hands of the issue”, and passing the buck to the ID theft monitoring company to clean up their cesspool of an issue.
Companies that wish to take the cash and take no responsibilities for issues that occur time and time again should be banned for a period of time from ANY Federal, Government, Military or State sponsored work. They would have plenty of time to clean up their own act. Then they have to fill out the red tape and wait. Then, the government can decide whether or not to allow the company to re-enter. If they are, they have to pay for a 3rd party auditing process to include a new Certification and Accreditation package, all chosen by the government, and at the expense of the company in question. The company makes the issue a problem for the individuals – why can’t the government make it painful for the organization at fault?
Simply fining them isn’t enough. They pay the fine. They may have to reduce the amount of expenditures and security might get a slight boost in capital, but honestly, things may change on paper, but unless the company makes a WOW statement by a widespread firing of those who are directly and ultimately responsible, no one will notice or care. It would more than likely be status quo as soon as the media fire dies down.
Kudos to those that have put the company’s feet to the fire. One issue down, now move onto another of equal size… reduce the amount of major issues, and I am sure the smaller ones are looking up seeing the mass heading their way and might even have the initiative to do something on their own. = X