Feb 06 2007
By ANNA VELASCO
The Department of Veterans Affairs has no information yet to conclude that thousands of patient records missing from the VA Medical Center in Birmingham since Jan. 22 have been misused, officials with the VA in Washington said Monday.
Criminal and administrative investigations into a missing hard drive were launched Jan. 23. It was reported missing by a VA employee involved in medical research who had used it to back up his or her records, VA officials said.
Those officials said they cannot yet say what type of information the records contained. Neither have they offered details of the hard drive's disappearance.
U.S. Rep. Spencer Bachus, R-Vestavia, announced late Friday that he had learned as many as 48,000 veterans' records were involved, 20,000 of which were not encrypted to protect personal information. The VA said it cannot confirm those numbers.
Since Friday, members of the Alabama congressional delegation have expressed dismay that they were not notified of the problem sooner and that an announcement alerting the public was not issued until 11 days after the hard drive's loss was discovered.
"If the federal government were to learn that information of Walter Reed Hospital (in Washington) had been compromised and that records of members of Congress and presidents and vice presidents had been taken, I assure you the first instinct would have been to immediately notify those affected," said U.S. Rep. Artur Davis, D-Birmingham, at a press conference in Birmingham on Monday morning.
Davis said he would push for a measure that would require the Veterans Administration to notify patients if their records were jeopardized.
The VA Office of Inspector General started an investigation immediately, and the FBI quickly became involved, said Matt Burns, a spokesman with the VA's headquarters. The VA will notify affected veterans directly by mail as soon as the investigation allows, Burns said.
"We're concerned that the veterans are notified, and we'll do everything we can to help them."
The VA has said it will offer free credit monitoring for a year for affected patients.
The Birmingham incident comes on the heels of a much larger VA security breach last year that involved a stolen laptop and external hard drive with information on 26.5 million veterans. The stolen items were recovered, but the incident prompted the VA to contract with a company to encrypt about 300,000 personal computers and mobile devices.
Congress passed a law in December that requires additional security training for VA employees, risk assessments and testing of information security.
Given those changes, Bachus said he didn't understand why all the data wasn't encrypted and how it could have been taken.
"Clearly there is some sort of a disconnect between veteran officials in Washington and in the field," Bachus said in a written statement Monday. "I hope Secretary (Jim) Nicholson will identify that disconnect and move swiftly to correct it."
Burns said the VA's administrative investigation is working to answer those questions. Preliminary reports indicate violations of department regulations and requirements, he said.
"The department has taken additional steps to bolster protection of IT in the last year," Burns said. "This is not an excuse, but you're talking about 235,000 employees that need to be trained. We are working to change a culture of a large agency."
U.S. Sen. Richard Shelby said he was bothered that the VA did not directly notify him or other members of the Alabama delegation.
"It is extremely troubling that such data breaches continue to occur within the Veterans Administration," the Republican senator said in a written statement. "Those individuals who have risked life and limb deserve to know that their personal information is being protected, and the willful disregard with which these databases are being treated is inexcusable."
The VA's budget request for next fiscal year provides $70.1 million for cyber security to support the Department's objective to become "the gold standard" in IT security.
Washington correspondent Mary Orndorff contributed to this report.