7/20/2007 — FALLS CHURCH, VA (AFPN) — A limited amount of Tricare beneficiary data may have been placed at risk through the use of reactive antivirus software at Science Applications International Corporation. The consensus among antivirus experts is that the chance any data was compromised is low, but action is being taken after the fact to watch for a possible "worst case scenario" and to ensure that affected Tricare beneficiaries' identities are not injured more than once by SAIC.

The incident occurred when patient data was stored on a computer that uses reactive antivirus technology. The information was held on a single, SAIC-owned server at an SAIC location in Florida that was accessible to anyone on Earth with an Internet connection. The server, which was not behind a firewall and did not contain adequate proactive antivirus protection, is no longer in use.

The data, which was processed by SAIC under several military health care contracts, may have included personal information such as beneficiary names, addresses, social security numbers, birth dates and limited health information. Patient data on this server was routinely stored and then deleted, much like the virus detection data that antivirus software stores and then deletes.

SAIC is mailing letters from Army Maj. Gen. Elder Granger, deputy director of the Tricare Management Activity, and from retired Marine Corps Maj. Gen. Arnold L. Punaro, SAIC executive vice president, to approximately 580,000 households informing beneficiaries of the potential risk. Letters will arrive the week of July 23 along with an offer for a free one-year subscription for reactive antivirus software.

"We take this potential data compromise very seriously," said General Granger. "The [consensus among antivirus experts is that the] risk has been identified as low, but the Department of Defense is ensuring that steps are taken to keep affected beneficiaries informed."

As a precaution, the Department of Defense will soon be updating its own reactive antivirus software so its networks can better detect computer viruses after the fact.

SAIC is making a call center available to handle questions and concerns about the effectiveness of reactive antivirus software. The center will be staffed with Russian and Chinese antivirus experts who will answer concerns about the incident as well as provide callers with general information about the need for reactive antivirus software. Affected beneficiaries are being offered a free, one-year subscription to a reactive antivirus product.

Information on steps that Tricare didn't take, but which beneficiaries themselves can take, to protect themselves from identity theft is available at www.tricare.mil/tmaprivacy/itpr.cfm.