On December 14, 2002, someone broke into the offices of TriWest Healthcare Alliance and stole all its computer hard drives containing information on 562,000 members of the military located in Arizona, Colorado, Idaho, Iowa, Kansas, Minnesota, Missouri, Montana, Nebraska, Nevada, New Mexico, North Dakota, South Dakota, Utah, Wyoming, and western Texas. The information contained names, addresses, phone numbers, Social Security numbers, claims data, birth dates, duty stations, medical records, credit card numbers, and other information on active-duty military personnel and their dependents and retirees enrolled in TriCare through TriWest Healthcare Alliance Corporation, a managed care support contractor.
It is possible the thief was simply looking for an easy target. TriWest’s offices in Phoenix were so insecure that electronic door records show the thief made two trips into and out of the area. The thief’s identity remains unknown, in part because the office was not even protected by surveillance cameras.
But while it is natural to think of this only in terms of identity theft and the havoc this would cause those whose information has been stolen, it is possible the motives may have been more treacherous. It is likely that many of the military beneficiaries were preparing to be deployed to the Middle East in preparation for the war on Iraq. Someone who wanted to seek revenge on those involved and potentially weaken the resolve of the military in an invasion could use information to locate spouses and children and kidnap them or terrorize and then kill them. So far nothing so terrible has happened. Indeed, some suggest that identity theft may be used in a more benign way simply to finance terrorism.
Although the TriWest theft may be a worst-case scenario for contracting out information gathering and IT technology, it is not unique. Federal agencies planned to outsource thirty-three percent of their information technology projects in 2003. Recently the federal government subcontracted the Defense Civilian Personnel Data System, which is essentially the human resources department for its civilian employees. That subcontractor immediately re-subcontracted parts of the work to yet another firm.
Again, what a treasure trove of information – home addresses and phone numbers, spouse’s names, children’s names, schools, and social security numbers, e-mail addresses, information about past employment and education, health records and disciplinary actions— whole lives and their intimate details laid out for the lucky person given access to it.
A terrorist or a criminal would rejoice in such great fortune. This information could be used for nefarious purposes such as identity theft – something that could net the perpetrator millions of dollars to fund the thief’s projects. Even more worrisome is the possibility for blackmail to gain access to and control over employees in this critical department.
Maybe terrorists and criminals don’t think this way. Or perhaps they do. If they do, the government needs to get serious about protecting the valuable, and potentially dangerous, information it collects about each of us.
Once out of the government’s sole control, opportunities for access multiply. Information can and does make its way around the world with the speed of light. U.S. companies use workers in countries such as India or Ireland to handle data because they speak English, are educated, and will work for a fraction of the salary of U.S. workers. But those cheap workers may come at a steep price. Every time information is transferred there is an opportunity to divert it. Given the nature of information in electronic form, these diversions may be hard to detect.
Despite what we have learned recently about how critical information technology is, how easily it can be misused, and how expensive that misuse can be, both federal and state governments are pursuing a course of privatizing information that seems to know no bounds. On July 21, 2004, Office of Management and Budget Deputy Director Clay Johnson identified information technology as a “real hotspot” for subcontracting when he spoke at a conference sponsored by the Contract Services Association of America. Of the $60 billion the White House has requested for IT hardware, software, and services in FY 2005. In FY 2004, the federal government spent $58.6 billion for private contractors to provide IT systems and services. Consulting firm Input predicts that figure will grow annually at a rate of 6.6% to $80.7 billion in FY 2009.
The Reason Public Policy Institute (RPPI) reports that private companies now have contracts to provide a wide range of services that involve generating and collecting highly personal information. These include social and mental health services; education, medication’* and psychiatric services; unemployment benefits processing; accounting and information technology; legal services; permit application, payment of taxes or fines, and car registration. Add to these, contracts that relate more directly to IT services. Again, according to RPPI, the Treasury Department has contracted out its “information technology services, including networks, LANs, desktop computer setups, help desk support, and system administration.” Pennsylvania announced that it would consolidate and outsource all its agencies’ data centers. Connecticut said it wanted to turn over all its IT functions to the private sector, because information technology was not seen as a core government function.
In early 2003, the federal government announced plans to contract out the collection of back taxes. In a 1996 test of private tax debt collection, contractors violated the Fair Debt Collection Practices Act and did not protect the security of sensitive taxpayer information. In addition, a Treasury Inspector General for Tax Administration report expressed concerns with the IRS’s contract administration and oversight of contractors based on
reports and investigations of alleged criminal or civil misconduct in the procurement area in the last three years, including: contract workers at one lockbox bank losing or destroying more than 70,000 taxpayer remittances worth more than $1.2 billion; an IRS employee ensuring certain companies would receive contracts in exchange for illegal payments; and a contractor not being in compliance with the terms of its contract, which resulted in increased security risk at some IRS locations.
A March 22, 2004 investigation found that an IRS “contractor’s employees committed numerous security violations that placed IRS equipment and taxpayer data at risk. In some cases, contractors blatantly circumvented IRS policies and procedures even when security personnel identified inappropriate practices.”
This transfer of important functions from public to private control should be at the center of national debate. It affects our national security, our personal security, and our finances. Yet there has been deafening silence – except from privatization ideologues that cheerlead every movement from public to private control. But the time has come for national debate on this issue.