San Diego-based SAIC, which provides scientific, engineering, systems integration and technical services to military and federal government agencies, said that personal information of about 580,000 uniformed military personnel and their family members was placed online while being processed by SAIC under several health care data contracts, according to a statement.
The processing was part of TRICARE, the health benefits program for the uniformed military services, retirees and their families, according to SAIC.
The information exposed varies by individual, the company said. It includes combinations of names, addresses, Social Security numbers, birth dates or limited health information in the form of codes.
Among those impacted are personnel in the Army, Navy, Air Force and Homeland Security.
SAIC said it is working to reduce the potential impact of the security lapse. The company said that, while forensic analysis has not provided evidence that any personal information was compromised, "the possibility cannot be ruled out."
SAIC has developed an "incident response center" and hired Kroll, a risk consulting company, to provide services to military members whose information was exposed. The services include credit and identity restoration help for any victims of related identity theft.
SAIC revealed that it expects the cost of these services to range from $7 million to $9 million, excluding credit restoration services if any identity theft occurs as a result of the exposure.
The company has launched an internal investigation to determine how the security snafu occurred and placed several employees on administrative leave. It has also initiated a risk-assessment program to uncover other possible vulnerabilities and to determine the kinds of changes in policy, methods, tools and monitoring required to avoid future security lapses.