VA loses another laptop with veterans' personal data, prompting inquiry

The Department of Veterans Affairs has been the victim of two major data breaches in the last month that may put the personal data of hundreds of veterans at risk, according to a letter released Thursday.

A contractor with the Department of Veterans Affairs had an unencrypted laptop stolen last month that contained the personal data of over 600 veterans, and a second laptop owned by another contractor to VA was stolen in May, according to the ranking Republican on the House Committee on Veterans' Affairs.

The startling revelations were revealed in a letter dated May 12 from Rep. Steve Buyer, R-Ind. to VA Secretary Eric Shinseki.

ADVERTISEMENT
The letter said the House panel was notified on April 28 that an unencrypted laptop with access to VA medical center data including the personally identifiable information of 644 veterans was stolen from a VA contractor. A second unencrypted laptop was stolen in May from a service disabled veteran-owned contractor.

The Committee has scheduled a hearing for next week to assess the agency's information security practices.

The incidents are not the first of their kind at VA; in May 2006 another laptop containing the sensitive personal data of over 26 million veterans was stolen from a VA employee's home. The theft prompted an outcry from Congress, which mandated that VA must encrypt all data following the breach. The theft also cost taxpayers $28 million in notification procedures and another $20 million for a class action lawsuit.

Shortly after his confirmation in February 2009, Shinseki ordered a review of more than 22,000 VA contracts and found that more than 6,000 did not include information security clauses as required by law. Most of the contracts had the clause added, but 578 contractors refused to sign it. In his letter Buyer questions why VA allowed those companies to keep performing on their contracts.

"Most troubling is the fact that 578 contractors refused to modify and sign the clause, without any apparent VA action to enforce its IT security policies," Buyer writes. "I can only conclude from this incident that VA's procurement processes seriously lack standardization in content, failure to articulate requirements and an absence of compliance oversight."

Buyer also questioned why unencrypted devices are still allowed to access VA's networks, given the department's repeated problems with information security. Since his appointment by President Obama in March 2009, Veterans Affairs chief information officer Roger Baker has been tasked with cleaning up the aftermath of the 2006 laptop theft as well as the management practices preceding his arrival that had drawn fire.

“I attribute the continued lack of security to poor memory among VA’s senior management, and its failure to realize the magnitude of the problem that could have been prevented," Buyer writes. "This is an inexcusable abrogation of responsibility that would not be tolerated in any private company. Veterans and American taxpayers expect a higher standard from the VA, and I will take every viable step to ensure their expectations are met.”

Update: A spokesperson for Veterans’ Affairs told the Hill the department has already moved to contain the threat posed by the April laptop breach. According to VA the theft occurred on April 22nd and affected 616 veterans. VA said there has been no evidence of a breach and that the stolen laptop at this point would be unable to access department records.

Although the department said no veterans’ records have been breached, the agency still mailed the veterans involved offering to monitor and protect their credit for one year in case the culprit(s) attempt to steal their identities. Secretary Shinseki is also planning to independently verify the physical and network security practices of all contractors that deal with veterans’ medical and personally identifiable information.

The agency had no information on the theft of the second laptop in May.
 
The spokesperson also said VA requires all devices connected to its networks to be encrypted, but said it isn't always able to eliminate contractors not in compliance with stringent information security requirements. That’s because many of the non-compliant firms are either in rural areas or providing vital medical services that are not easily replaced.

This story was updated at 5:36 p.m.

More in Defense

Veterans' Affairs chairman a 'no' vote on defense bill

Read more »