Despite endangering the privacy of nearly 5 million TRICARE patients last month, Science Applications International Corporation (SAIC) still was able to secure a lucrative IT support contract from the Department of Health and Human Services.
The breach--in which an SAIC employee had electronic health record backup tapes stolen out of his car--was reported to TRICARE on Sept. 14. The tapes stored data from 1992 through Sept. 7, 2011, and might include social security numbers, addresses and phone numbers of patients, as well as personal health data. Under HIPAA's security breach notification rule, SAIC will need to report the incident to HHS and be placed on its "wall of shame."
Nearly two weeks after that announcement, SAIC announced that it was awarded a prime contract by HHS to provide "full life-cycle operations, maintenance and enhancement services" including support for all information technology systems, in support of HHS' health data repository operated by HHS' Health Resources and Services Administration (HRSA). The contract has a one year base period of performance, five one-year options, and a contract ceiling value of more than $15 million if all options are exercised.
This is not the first time a HHS contractor suffered a security breach involving patient records. KPMG, which was awarded a contract by HHS' Office of Civil Rights to conduct audits of covered entities for compliance with HIPAA's the security rule, suffered a breach of personal health information last year that affected 4,586 individuals.
TRICARE notes that both it and SAIC are reviewing their security policies and procedures to prevent any future breaches in the future, and that those with questions should contact SAIC directly.