By BEN EVANS
The Associated Press
Friday, June 29, 2007
WASHINGTON -- An Alabama VA hospital that lost sensitive data on more than 1.5 million people in January repeatedly failed to follow privacy regulations leading up to the incident, according to an internal report.

The employee directly responsible for the data initially lied to investigators and deleted files from his computer in an effort to hide the magnitude of the problem, the Veterans Affairs inspector general

The vast majority of the data, including Social Security numbers and private health information, was not protected by passwords or computer encryption. It could be used to commit Medicare billing fraud or identity theft, the report said, and the employee should never have had much of it in the first place.

The report, released Friday, recommends "administrative action" against several employees, including the staffer, the managers of the program where he worked and the head of the Birmingham VA Medical Center.

VA spokesman Matt Smith said in a statement that the department agrees with the recommendations and will "work vigorously" to implement them.

"The VA strives to maintain the highest standard in safeguarding our veterans' personal information," the statement said.

The security breach occurred on Jan. 22, when employees discovered an external computer hard drive missing from a satellite office that conducts specialty research on health care. Because the employee responsible for the drive initially lied about how much information was on it, the VA initially reported publicly that fewer than 50,000 people

But investigators later determined that the drive contained information for more than 250,000 veterans and about 1.3 million medical providers across the country.

The VA, which didn't finish sending notifications until May 22, has since offered free credit monitoring to nearly 900,000 people whose Social Security numbers appear to have been compromised.

The report found a "dysfunctional management structure that led to an overall breakdown of management oversight, controls, and accountability" at the research site where the drive disappeared.

Managers failed to provide hands-on oversight, improperly used non-VA e-mail and selected an insecure office location without properly considering data security, it said.

Although VA policy calls for protecting data through a computer scrambling process called encryption, the managers decided instead to lock the external drives in safes. But employees often left the drives outside the safes or took them offsite, and there was no system for monitoring who accessed the safe, the report said.

The criminal investigation into the drive's disappearance remains open, and the inspector general reported finding no evidence of identity theft related to the information thus far.

The report marks the latest in a series of critical assessments of VA data-security practices. The agency has come under scrutiny for more than a year over a series of lapses, including the theft last spring of data on 26.5 million veterans from an employee's home in Maryland.

In response to the Alabama incident, VA Secretary Jim Nicholson temporarily stopped activities at seven specialized research centers across the country. Aside from Birmingham's, the sites have been
On the Net:
The VA inspector general's report can be viewed at:
(c) 2007 The Associated Press