By MARY ORNDORFF
News Washington correspondent
March 01, 2007
WASHINGTON - Department of Veterans Affairs computer data has been
mishandled hundreds of times in the past 10 months and the agency has
not followed multiple rules designed to keep personal information safe,
according to testimony Wednesday before a congressional panel
investigating the security problems.
The most recent incident - a missing hard drive from the Birmingham VA
Medical Center that contained personal, financial and medical data on
about 1.8 million people - is the largest of 46 cases under
investigation by the VA's inspector general.
Also Wednesday, Birmingham VA officials for the first time said the hard
drive was reported stolen from an employee's locked work space, which
previously had been inspected and determined to be secure.
Wednesday's hearing was hastily arranged because of the Birmingham
situation, according to the chairman of the investigations and oversight
subcommittee of the House Veterans Affairs Committee. It revealed a
widespread and systemic security problem in the federal agency that last
year provided health care for more than 5.4 million veterans.
"If the Birmingham incident stood alone against a backdrop of a sound
information security management program, perhaps we could address a
one-time-only incident with more patience," said U.S. Rep. Harry
Mitchell, D-Ariz. "However, the record reflects a host of material
weaknesses ... and the VA is slow to correct these deficiencies."
'Information at risk':
The VA has repeatedly failed audits on its computer security systems,
and 17 recommendations to fix the problem remain unfinished after
several years, according to Maureen Regan, counselor to the VA's
inspector general. Her testimony was a blistering account of the
agency's shortcomings, such as the lack of basic encryption and the lack
of knowledge about how many employees and contractors use non-VA
computers to access VA systems, how many external hard drives are used
or what data is stored on them.
"VA still lacks effective internal controls and accountability which
leaves sensitive information at risk," Regan said in her written
Gregory Wilshusen of the Government Accountability Office reached a
similar conclusion, calling the breaches "remarkable and stunning in
scope and magnitude," but not necessarily unique among federal agencies.
VA officials said the Birmingham incident was reported quicker and
handled better than the major breach last May of data on more than 26
million people. And while they testified about the work in progress to
implement changes, they didn't dispute the dire assessments.
"I sincerely wish I could promise that no other incident will occur,"
said Gordon Mansfield, deputy secretary of the VA. "I can't do that
Members of Congress from both sides of the aisle were clearly
exasperated, in part because the data missing from the Birmingham case
could be enough for someone to commit Medicare fraud by filing fake
requests for reimbursements. The hard drive still is missing and the FBI
has issued a $25,000 reward for its recovery.
Rep. Spencer Bachus, R-Vestavia Hills, complained that the data on
535,000 veterans and 1.3 million health-care providers was not
encrypted. "That ought to be standard operating procedure."
Rep. Artur Davis, D-Birmingham, argued that the VA should have notified
veterans and doctors much sooner that their personal information could
have been compromised.
The hard drive was reported missing Jan. 22, the public learned about it
Feb. 3, and letters to the affected people started being mailed out the
week of Feb. 12. While veterans are being notified, Mansfield said, the
VA is awaiting contact information from the Centers on Medicare and
Medicaid Services about the health-care providers.
"I have a very strong hunch ... that the only reason the public knows
about any of this is simply by pure luck," Davis said.
VA officials have said they couldn't disclose the incident earlier
because of the investigation.
External drives banned:
The Birmingham employee who reported the missing equipment is on
administrative leave. Two Birmingham VA officials, Y.C. Parris and
Warren Blackburn, said Wednesday that the employee reported the hard
drive was taken from his desk area in his Five Points South office,
where it had been under lock and key.
Blackburn said the use of external hard drives is now banned. Parris
said the data was not encrypted because staff didn't have the proper
computer software to do the encryption.
Davis asked Mansfield, the deputy VA secretary, to rate the response of
the Birmingham officials to the situation, and Mansfield refused to
discuss it publicly.
"This is the people's business," Davis said. "It's not a matter of
national security. It's something they're entitled to know."
Copyright 2007 The Birmingham News