A federal judge has tossed out most of the lawsuits filed against the Defense Department over the theft of personal data belonging to 4.9 million Tricare beneficiaries.
Judge James Boasberg of the U.S. District Court for the District of Columbia dismissed all but two complaints in a consolidated lawsuit, saying the loss of data, without evidence that it was viewed or misused, “does not constitute an injury sufficient to confer standing.”
The suits, which sought damages of totaling $4.9 billion, were filed shortly after several data drives were stolen from a car belonging to a Science Applications International Corp., employee in September 2011.
The contractor was responsible for transporting them to a storage facility when they were stolen.
The theft is the largest loss of personal health care information since the Health and Human Services Department began publicly posting health data breaches affecting more than 500 people.
Boasberg said that in the three years since the theft, there has been little evidence that the information — some of it encrypted — was misused.
“Either the malefactors are extraordinarily patient or no mining of the tapes has occurred,” Boasberg wrote in his May 9 decision.
Although he ruled that two plaintiffs demonstrated enough evidence they had been victims of identify theft and could continue their suits, he raised the possibility that their information was compromised in other breaches and said the remaining plaintiffs did not have the grounds to sue.
After the theft, Tricare Management Activity and SAIC officials estimated that the risk of the data being used for criminal intent was low because the thief needed to possess an in-depth understanding of SAIC’s hardware and software, as well as knowledge of data interpretation.
Boasberg said that the nature of the theft left him convinced the perpetrator was incapable of accessing the information on the tapes.
“The theft from the SAIC employees car was a low-tech, garden variety one. Any inference to the contrary is undermined by the snatching of the GPS and car stereo [which also were taken]. This is hardly a black-ops caper,” Boasberg wrote.
The tapes contained names, addresses, Social Security numbers and other information for patients in 10 states who were seen at military treatment facilities in San Antonio from 1992 to Sept. 7, 2011, and those who filled prescriptions or had lab tests processed at San Antonio-area military health facilities during the same period.