David J. McIntyre Jr., president of TriWest Healthcare Alliance, says he knows a lot more about identity theft today than he did six months ago when it rocked his company and left 570,000 TRICARE beneficiaries feeling violated and vulnerable.

TriWest, support contractor for TRICARE in its 16-state Central Region, discovered Dec. 16 that computer equipment with enrollee information and claims data had been stolen from its rental offices in a Phoenix suburb. Thieves had gained access to the property manager's office, stolen an electronic passkey for offices housing TriWest's bank of computers, and made off with every name, address, Social Security number, birth date, and other information on beneficiaries in the Central Region back through October 1999.

States in the region are Arizona, Colorado, Idaho, Iowa, Kansas, Minnesota, Missouri, Montana, Nebraska, Nevada, New Mexico, North Dakota, South Dakota, Utah, Wyoming, and the most western tip of Texas, including El Paso. Identity theft victims included Gen. Richard Myers, USAF, chairman of the Joint Chiefs, who had served as commander of the U.S. Space Command at Peterson Air Force Base, Colo., until February 2000.

"We were devastated by this event," McIntyre told members of the House Financial Services Committee in April. He urged tougher penalties for identity theft than the current maximum federal punishment of five years in prison and a $250,000 fine.

By early April, TriWest had spent $1 million on the case, which included mailing three separate letters to beneficiaries explaining the theft and sharing advice on protecting identities and assets. TriWest also posted a $100,000 reward for information leading to an arrest and conviction. About 63,000 beneficiaries have used TriWest's Web site (www.triwest.com) to place a fraud alert with credit bureaus.

"We're not done," McIntyre vowed. "We cannot take our eyes off this issue ... till either the perpetrator is caught, or we in the Defense Department are collectively convinced there is no more risk to the consumer from this [stolen] information."

TriWest itself faces more risks. The burglary occurred as the company prepared to compete for an even larger "next generation" TRICARE support contract to be awarded next year. The company also faces a lawsuit filed in U.S. District Court in Phoenix by an Army officer and his wife. Their attorney, M. David Karnas of Tucson, told the Arizona Daily Star he wants it to be class action on behalf of all TriWest beneficiaries and is seeking damages "in the millions" for negligence in protecting privacy interests of beneficiaries.

McIntyre described the break-in as "sophisticated." He said any organization is obligated to inform customers when personal information is compromised.

"It's painful. It's awkward. It's embarrassing. It's expensive," he told lawmakers. "But you know what? It's not our information, and unless you arm the consumer with that information, they cannot protect themselves."

That approach won praise from committee members including Republican Rep. John Shadegg, whose district includes Phoenix. He called TriWest "a positive model for other ... victims of information theft."

However, Evan Hendricks, publisher of Privacy Times, a Washington D.C.-based newsletter, testified that the TriWest break in "illustrates how an organization that had every reason to take reasonable steps to safeguard data security didn't."

Hendricks also criticized TriWest for using Social Security numbers to identify beneficiaries but defense officials confirmed that's a department requirement which would be difficult and costly to change.

By early May, law enforcement officials had no report of the stolen data being used for financial mischief. However, given the scope of the investigation, which involves federal and local authorities, agencies expected the thieves to move cautiously. The potential impact on national security and servicemember safety remained concerns.

"The unfortunate event at TriWest was a wake-up call," said Dr. William Winkenwerder, assistant secretary of defense for health affairs. Since December, he said, TRICARE has strengthened privacy protection for all beneficiaries.

Tom Philpott is a freelance writer and syndicated news columnist. His column, "Military Update," appears in 48 daily newspapers throughout the United States and overseas. His book, Glory Denied: The Saga of Jim Thompson, America's Longest-Held POW (W.W. Norton & Co., 2001), now is available in paperback (Plume, 2002).