TriWest Healthcare Alliance officials notified 11,844 beneficiaries of a data breach that may have affected their protected health information.
In a letter to one beneficiary dated July 2 and provided to Military Times, TriWest officials said they had discovered a security incident April 16, in which an unauthorized person gained limited, unauthorized access to TriWest information and downloaded it.
“We are unaware of any misuse of your information,” officials stated in the letter, but they went on to say TriWest is offering a free credit-monitoring service for those who feel it’s needed.
The unauthorized person obtained health-related and other personal information, specifically names, Department of Defense Benefits Numbers and beneficiaries’ ZIP codes. Officials said that in fewer than five instances, the information also included Social Security numbers, addresses and dates of birth.
About four million beneficiaries are covered by TriWest, the managed care contractor for the Tricare West Region. Active duty, retired, National Guard and Reserve, and their family members, survivors and certain former spouses receive their health care under DoD’s Tricare program, with eligibility determined by the Defense Enrollment Eligibility Reporting System, or DEERS.
TriWest is notifying each beneficiary about what information was involved in their specific case.
The timing of the notifications was unclear, since at least one letter was dated July 2, about two and a half months after the incident occurred.
“With regard to timing, as soon as the incident was discovered, TriWest took immediate action to prevent any further unauthorized activity and worked diligently with the government to notify affected individuals, consistent with applicable law and notification timelines,” TriWest officials said in an email response to Military Times.
The company hired a third-party forensic expert to review what information was accessed during the incident.
Beneficiaries who want to use the free credit-monitoring service, offered through Experian for 24 months, should enroll by the deadline provided in their notification letter, using the activation code and instructions included in the letter.
Those who find suspicious activity should notify the TriWest Healthcare Alliance Breach Response Line, at 1-833-918-1296. Beneficiaries who believe they are victims of identity theft should file a report with the Federal Trade Commission at identitytheft.gov.
The company has taken steps to prevent any other such incidents, officials said, including increasing security controls related to password resets, strengthening system access monitoring tools and providing additional employee education on identifying and mitigating the different types of cyber attacks.
Karen has covered military families, quality of life and consumer issues for Military Times for more than 30 years, and is co-author of a chapter on media coverage of military families in the book “A Battle Plan for Supporting Military Families.” She previously worked for newspapers in Guam, Norfolk, Jacksonville, Fla., and Athens, Ga.
Read the full article here
