In its continued response to the criminal theft of computer equipment and personal identification information contained on some of this equipment, the Department of Defense announced today additional steps to enhance patient protection from unauthorized access to or criminal use of sensitive personal information.
Dr. William Winkenwerder, Jr., assistant secretary of defense for health affairs, stated that "Trust remains the bedrock of a successful doctor-patient relationship and the expectations that our service members, retirees and families rightly have. Electronic sharing of health care information provides great advances in patient safety, in reduced errors in claims processing, and in improved customer service. But, there are risks in electronic communications that must be identified and measures implemented to prevent or manage those risks.
"Working with our contractor, TriWest, I am pleased to report that we have initiated contact with all 562,000 beneficiaries who had their personal information stolen. These efforts to quickly identify and inform beneficiaries should help deter or prevent identify theft crimes." Winkenwerder cited a number of steps taken to inform and help beneficiaries protect themselves from criminal use of their personal information.
* All 562,000 military beneficiaries whose information was contained on the computer files have been notified by mail of the theft as of December 31, 2002, and informed of the actions they should take to protect themselves from identify theft or other misuse of their personal information. * Fewer than 25 persons also may have had personal credit card information compromised. Each of these individuals has been contacted by phone and informed of the incident and proper actions to take in response. * Every TRICARE contractor worldwide has been notified of the theft, and directed by DoD to conduct an assessment of information security procedures. DoD will evaluate each assessment with its contractors. * The criminal investigation remains active, led by the Defense Criminal Investigative Service and supported by the US Attorney in Phoenix, the Federal Bureau of Investigation, and other law enforcement agencies. A $100,000 reward has been posted by TriWest for information leading to the arrest and successful prosecution of the perpetrators and return of the stolen items.
Winkenwerder stated that he has focused efforts on heightening information security throughout the health care system. "Although this incident has raised patient concerns about the security of their military medical records, there is no connection with this criminal theft and the military's computerized health care records," Winkenwerder reported. "Our new health records system, known as CHCS-II, has security built into the basic design, and security is continually reassessed. Cutting edge data encryption and a high level of physical protection at a secure government location provide a solid security framework to that program. Nonetheless, we are taking additional steps to heighten information security throughout our health care system."
These steps include: * A world-wide health care information security assessment will be conducted at every military treatment facility and contractor location to review existing procedures and to ensure physical security of sensitive information. * A health information security task force comprised of DoD and Service medical leaders and information system experts will assemble next week, consult with TRICARE contractor representatives, and recommend any additional requirements for information security. * New health information systems to be introduced in the coming months will be compliant with or exceed the Health Insurance Portability and Accountability Act (HIPAA) legal requirements for protection of patient information.
"I am confident that the steps we have taken and will take in the coming weeks and months, will provide an exceptional level of security and protection of personal and medical information for those served by the Military Health System," said Winkenwerder.