Feb 06 2007

VA’s data security under fire

Tuscaloosa News

By Dana Beyerle


Alabama’s members of Congress came down hard Monday on the Department of Veterans Affairs for the loss of an employee computer hard drive at the Birmingham VA hospital.

The hard drive may have contained information on up to 48,000 military veterans.

U.S. Sen. Richard Shelby, R-Tuscaloosa, and U.S. Reps. Spencer Bachus, R-Vestavia Hills, Bud Cramer, D-Huntsville, and Artur Davis, D-Birmingham, said they want answers about VA security measures that were supposed to have been in place since last year’s theft of a VA computer in Maryland, resulting in the loss of thousands of veterans’ personal information.

“It is extremely troubling that such data breaches continue to occur within the Veterans Administration," Shelby said in a statement. “Those individuals who have risked life and limb deserve to know that their personal information is being protected and the willful disregard with which these databases are being treated is inexcusable."

Davis said he is writing VA secretary James Nicholson.

“It should be held to a better standard than the private sector, not a lesser standard," Davis said. “This is a continuous problem of veterans who go into the VA."

While the VA notified the authorities under federal law, it did not notify the public.

Davis said the hard drive was taken on Jan. 22 but wasn’t reported until Feb. 2, an 11-day delay that he said ended when the VA suspected the media was about to report it.

“It appears the VA knew of the breach within 24 hours of the incident occurring on the 22nd," Davis said.

The VA reported that a hard drive belonging to a “mid-level career" employee at the Birmingham VA hospital may have been stolen. Nicholson said the VA Office of Inspector General and the FBI are conducting “a thorough investigation."

VA spokesman Matt Burns said some policies may not have been followed.

“Based on the initial findings of our continuing investigation, VA believes that encryption procedures were not strictly followed," he said. “VA requires that sensitive information about veterans be physically secured when not in use, and that such data be kept in a secure, encrypted environment when stored."

Burns said that “only under certain circumstances are employees authorized to take removable media from the workplace."

VA spokesman Jeff Hester said he isn’t sure how many veterans in the Tuscaloosa area may have been among those who had private information contained on the missing hard drive.

Wayne Puckett, commander of the American Legion Post 123 in Tuscaloosa, said he’s been in contact with national and state veteran affairs officials about the incident.

“I wish they’d get it back," he said. “I’ve had two more calls from veterans. I don’t like it one bit."

Nicholson said the VA Office of Information and Technology is investigating. “We intend to get to the bottom of this, and we will take aggressive steps to protect and assist anyone whose information may have been involved," he said.

The hard drive was used to back up information on an employee’s office computer and may have held research data. The employee said the hard drive may have contained veterans’ personal information but, according to reports, “asserts" that portions of the data were protected.

Bachus said there appears to be a disconnect between veterans officials in Washington and in the field. “I hope Secretary Nicholson will identify that disconnect and move swiftly to correct it," Bachus said.

Legislators are upset that the VA did not inform members of the Alabama congressional delegation. “I am troubled that absent a specific statutory reporting requirement, the Veterans Administration had no apparent intention to notify those members of Congress representing many of these constituents," Shelby said.

Veterans are advised to review their financial records to ensure their personal information hasn’t been stolen.

“I am outraged that once again the VA must explain why the personal information of veterans in Alabama may have been stolen," said Cramer. “The VA needs to immediately inform those that may be affected by this situation and take steps to prevent identity theft."

The theft of a VA computer last year from a Montgomery County, Md., residence resulted in two arrests and guilty pleas, Maryland state’s attorney spokesman John McLane said.

Bachus questioned whether lessons were learned from last year’s theft.

“First, why were the records of 20,000 veterans apparently not encrypted?" Bachus asked. “Second, why did this incident happen at all, given the fact that the VA already has the guidelines and tools needed to prevent such breaches?"

Nicholson also wondered whether that theft and resulting policy changes made any difference. “We have made considerable progress, but establishing a culture that always puts the safekeeping of veterans’ personal information first is no easy task," he said.

After last year’s theft, the VA promised a year’s free credit reporting for anyone affected, at a reported cost of $160 million. The offer was withdrawn after it was determined there had been no breach of private information by the suspects, VA spokesman Matt Burns said.

A $50,000 reward led to a tip that produced the arrests. Burns said no reward has yet been offered in this case.