A group of veterans has hit the US Department of Defense with a class action lawsuit worth $4.9 billion, after the4.9 million sensitive health records were stolen from a contractor’s car.

The records were contained in back-up tapes stolen from the parked car of an employee Science Applications International Corp., a contractor for the military veterarns healthcare provider Tricare. The stolen information included social security numbers, addresses and phone numbers, as well as personal health information, covering a period from 1992 to September this year. The incident was reported to police in September.

Tricare and Defense Secretary Leon Panetta are named as defendants in the veterans’ lawsuit. It alleges that Tricare "flagrantly disregarded" privacy rights by failing to take the necessary precautions to protect identities. According to the suit, the stolen data was "unprotected, easily copied [and Tricare] inexplicably failed to encrypt the information".

Meanwhile, the US Securities and Exchange Commission released new guidelines last week for public companies that suffer data breaches. The guidelines call on listed companies to disclose specific details of any cyber attacks on their IT infrastructure, short of giving would-be hackers enough information to repeat the attacks.

"If a registrant experienced a material cyber attack in which malware was embedded in its systems and customer data was compromised, it likely would not be sufficient for the registrant to disclose that there is a risk that such an attack may occur," the SEC said, adding that companies may need to "discuss the occurrence of the specific attack".