Victims of TRICARE data theft report financial fraud

Last fall, not long after someone stole computer tapes containing the health records of 4.9 million TRICARE beneficiaries, some of the victims discovered bogus charges on their credit card statements and unauthorized bank transactions.

The tapes were stolen in September 2011 from the car of an employee with TRICARE contractor Science Applications International Corp. who was transporting them from one federal facility to another in San Antonio, Texas. The employee left the unencrypted tapes in a parking garage for most of a workday.

In October 2011, the law firm Shulman, Rogers, Gandal, Pordy & Ecker of Potomac, Md., filed a $4.9 billion class action lawsuit against the Defense Department. Since then, Defense or SAIC have been hit with seven additional lawsuits charging the company and the government with negligence in the care of sensitive personal and health information.

In an amended complaint to the original suit against Defense, which now includes SAIC, plaintiffs said they started to notice fraudulent activity in their financial accounts soon after the theft:

-- Virginia Gaffney of Hampton, Va., a TRICARE beneficiary and military spouse, said her USAA credit card was rejected at a restaurant; she later discovered the company had canceled her card due to suspicious activity.

-- Antoinette Morelli, a disabled Air Force veteran of the Gulf War, said she and her husband, a retired Air Force colonel, discovered unauthorized charges on two credit cards and unauthorized withdrawals from two bank accounts.

-- James Biggerman, a retired Army command sergeant major who lives in Shelbyville, Ind., was notified about fraudulent charges on his credit card account shortly after the tape theft and started receiving unsolicited calls from telemarketers and scam artists.

-- Juan Diego Hernandez, a Frisco, Texas, Army veteran noticed unauthorized charges on the credit card account he holds with his wife and spent hours on the phone with the bank resolving the errors.

-- Carol Keller, the Revere, Mass., spouse of a disabled Air Force veteran, said she discovered three separate fraudulent charges against her credit or debit cards since last October.

The amended complaint said TRICARE beneficiaries had to take extensive steps to protect their financial information.

The plaintiffs "had to cancel credit cards and close bank accounts; open new credit cards and bank accounts; stop direct deposits to those compromised accounts and re-enroll in direct deposits for new accounts; stop recurring electronic payments from compromised accounts and re-enroll in electronic payments through new accounts; and otherwise spend time and money in mitigation responding to notifications following the wrongful disclosure that certain financial accounts have been compromised," the complaint said.

Dr. Deborah Peel, founder of the Patient Privacy Rights Advocacy Group in Austin, Texas, said unwanted marketing, credit card cancellation, and identity theft are typical and expected when sensitive, richly detailed personal health data is breached. It could take years to discover the repercussions of stolen medical information, she said.

The new complaint alleges that the theft was targeted. The SAIC employee's car, a 2003 Honda Civic, was parked in a garage that housed many luxury cars, "yet the thief or thieves, who went to great effort to avoid security, did not break into any of the luxury cars in the garage, targeting instead the relatively inexpensive car containing the confidential data."

The complaint added, "The thief or thieves stealthily broke into the employee's Honda Civic and took the unencrypted backup tapes and records, thereby gaining information worth billions of dollars. The nature of this theft supports the logical inference that the thief or thieves were specifically targeting the confidential information contained on the backup tapes and records."

There are currently five separate lawsuits over the TRICARE data theft pending in Washington, one in Texas, another in San Diego, and most recently, one in northern California.

As part of their amended complaint, filing attorneys for the plaintiffs asked to consolidate all eight cases. Arnold & Porter LLP of Washington and Reed Smith LLP, SAIC's attorneys, agreed and filed a motion for consolidation on March 9.