Credit monitoring? Identity theft protection? Wouldn't it have been cheaper to just encrypt the data?
December 29, 2011 4:06 PM

A few months ago, SAIC lost a backup tape with the names, social security numbers, addresses, and medical treatment information of roughly 5 million TRICARE patients in the San Antonio, TX area between 1992 and 2011. My name was amongst them, and I'm being offered a year of "credit monitoring and restoration services" as compensation. Are there any downsides to taking it? Any real upsides?

TRICARE's FAQ on the breach is at, and the credit monitoring is being offered through Kroll Fraud Solutions.

I'm a debt-free young adult with good credit, and I don't anticipate needing significant loans or financing for the next few years. I make a point to pull a report from every six months, but beyond that, I don't have any experience with credit monitoring.

Are there any downsides to taking the offer, such as weird side-effects that could lower my credit score? On the other hand, are there any real upsides to accepting the offer? My records would have been from roughly 15-18 years ago, when I was still in grade school.

posted by SemiSophos to Work & Money (9 answers total)

I'd refuse it. What you're being offered is a free trial in hopes you renew for a fee after a year. It's the classic non-compensation.
posted by Nelson at 4:19 PM on December 29, 2011

Best answer: "What you're being offered is a free trial in hopes you renew for a fee after a year. It's the classic non-compensation."

Actually it's not, and I have no idea where the free trial part is from. Under federal guidelines, a PHI breach like this forces the company (hospital) to notify the potentially affected patients. I don't know if it is federally regulated to offer credit monitoring, but I know most HIPAA breaches do offer it. It's up to you if you want to take it; the letter should have contained a code to access it.

In terms of downsides to credit score, soft inquiries such as pulling your credit report generally don't affect the score at all. Pulling it multiple times every day may be a different story, but pulling it weekly/monthly/quarterly, you're fine. I would do it; worst case scenario, you get to review the accuracy of your credit report, but from reading the breach FAQ, it looks like the data was pretty well encrypted, so I don't think you're going to have anything to worry about.
posted by lpcxa0 at 4:29 PM on December 29, 2011

Don't take it.

Because if you do, you will almost certainly give up the right to any further compensation by accepting their offer.

Suppose, for example, you do take it, and it turns out later potential employers are getting access to those records and you suddenly have trouble getting certain jobs, or perhaps a security clearance, due to something someone found there.

If that happens and you find out about it, you might get significant compensation, but not if you've accepted this piddling offer.
posted by jamjam at 4:57 PM on December 29, 2011

Something similar happened to me and I accepted the offer. I wasn't all that worried about my encrypted data being used for ill purposes, and since I'm kind of a slacker at monitoring my own credit, it seemed like a fine idea.

I never regretted it. I got monthly emails with updates (that were accurate, as they noticed all the change of addresses when I moved) and I was never pressured to renew once it lapsed. I can see how for some people it might not be ideal, but for me it was absolutely fine.
posted by Bella Sebastian at 5:15 PM on December 29, 2011

Response by poster: "Because if you do, you will almost certainly give up the right to any further compensation by accepting their offer."

The letter I got in the mail is extremely brief, and contains virtually no legalese. It definitely does not mention waiving any rights, being barred from participating in legal action, or accepting their offer as fair compensation.

As far as I can tell, it's completely unilateral, and wouldn't otherwise affect me.
posted by SemiSophos at 6:02 PM on December 29, 2011

This happened last year after a breach at one of the student loan processors, and the credit protection offer was pretty much unilateral: they did a bit of a sell at the end of the year's monitoring, but it wasn't like the skeezy "free trial" offers that take payment details and hope that you forget when it's time to renew, or make it hard to cancel. It just timed out after the year.

Given that data protection laws in the US are fundamentally pathetic, I'd take it, because even if there's parallel litigation, it'll probably end up as a crappy class action suit that's settled in a way that pays the lawyers several million dollars, a few litigants a few thousand dollars, and everyone else... a year's credit monitoring as compensation.
posted by holgate at 7:23 PM on December 29, 2011

Interestingly enough my "free" year of monitoring just ended (similar situation, University records lost). The University sent me a letter saying we've paid for this service, with instructions on how to sign up.

Once a month they would email me a request to log in to see my current notifications. Of note, when I applied for a car loan I got about 30 emails in 3 days. And, for "privacy", none of the emails contain any information, just a request to log in and see the notifications.

Now that my paid year is up, I did receive about a dozen emails and three letters requesting I renew their service.

To answer your questions: Are there any downsides to taking it? Not really. Any real upsides? Yes, in the remote chance your identity is stolen in the next year, you'll know about it immediately.

My advice: take it.
posted by zinon at 11:24 PM on December 29, 2011

I am not a lawyer. I am an information security professional responsible for some legal compliance issues.

This is largely unrelated to HIPAA and the HITECH Act (HITECH strengthened HIPAA this year). All these laws do is require your notification. Completed.

Every state in the union also has a law on the books related to identity theft. Hawaii and the US House of Reps are looking at adding laws that mandate credit monitoring to theft victims, but nothing is mandatory at the moment.

So why is this offered? Because it makes the organization look like it's doing something for its customers. If, as you mention, there is no language related to waiving of rights (which would be highly unusual and be a PR nightmare), there's little downside to accepting.
posted by bfranklin at 1:59 AM on December 30, 2011

Response by poster: Since it doesn't sound like there are any downsides, and there's a small but non-zero chance of there being an upside, I'm going to go ahead and sign up for the monitoring. Thanks everyone!
posted by SemiSophos at 2:00 PM on December 30, 2011
