Print

Email story

Comment

Email editor

VA data security falls short

By WILLIAM R. LEVESQUE
Published March 19, 2007

The theft last year of a laptop containing personal data on more than 26-million veterans left the Department of Veterans Affairs embarrassed and promising reform.

In January, it happened again.

With the medical care of wounded soldiers dominating headlines in recent weeks, a lesser storm involving the VA's failure to protect veterans' personal information is quietly gaining strength.

Veterans advocates are clamoring for action, bipartisan congressional critics are zeroing in, and the VA's top official has acknowledged frustration with his agency's ineptness with computers.

On top of it all, the VA told Congress last week that it needs at least $15.1-million to cover costs associated with the latest data breach.

The case involves a computer hard drive with billing information for 1.3-million doctors and more than 500,000 veterans that was either stolen or misplaced from a VA research facility in Birmingham, Ala.

"It is now clear to me that there are still too many VA employees ... who still do not comprehend the seriousness of this issue," VA Secretary R. James Nicholson wrote in a recent memo.

Bradenton Army veteran Dewell Crews, 51, whose name was likely among the 26-million, was more blunt:

"Can't the VA get anything right?" he asked.

In the theft last May and in the January case, the missing data included Social Security numbers, raising the prospect of identity theft.

The laptop stolen last May eventually was recovered with no apparent criminal use of its data. A worker had taken home the laptop, which included information on every veteran discharged since 1975.

The hard drive in Alabama is still missing, though early reports indicated the data hadn't been used criminally. A national VA spokesman did not respond to repeated calls for comment.

A bigger question is why the data on that drive was unprotected, particularly after the VA spent nearly $4-million to encrypt its computer data after last year's burglary.

The VA has said it will notify affected veterans. Meanwhile, it has suggested that veterans closely monitor their credit, even offering free credit report monitoring if their personal information has been compromised.

The VA is operating a call center where veterans can get information about the Birmingham incident. Veterans can call toll-free 1-877-894-2600.

Carolyn Clark, a spokeswoman for the James A. Haley VA Medical Center in Tampa, the nation's busiest VA medical facility, said in a statement that new safeguards have been implemented since Birmingham, including restrictions on data being allowed outside facilities.

That does little to assuage the anxiety among veterans.

"Nicholson's made a mess of everything," said Bill Geden, 65, a Citrus County resident who is district director of the Blinded Veterans Association's chapter for west-central Florida. "The data's not protected at all. The message they're sending is: Don't join the military. It's real simple."

The VA's office of inspector general said five key recommendations it made after last May's incident are still unaddressed, including a clear and consistent policy for investigating and tracking incidents of data loss.

"It seems to me there is a lack of willpower to enforce data security at the VA by top administrators and a Paleolithic civil service hiring and firing system that lets employees who violate the data security guidelines keep their jobs," Rep. Ginny Brown-Waite, R-Brooksville, said in a statement after a Feb. 28 congressional hearing on the issue.

How often information is lost or misused by the VA remains unclear. The VA's Security Operations Center has referred 250 incidents since July 2006 to its inspector general, which has led to 46 separate investigations.

In one of the few incidents to make the news late last year, a computer disk containing personal information on 1,400 Oklahoma veterans was lost in the mail. But the magnitude of most cases has not been made public.

The VA faces a pending class-action lawsuit in Washington from veterans and advocacy groups trying to force court oversight of the VA's data protection, a suit filed after the May incident. A plaintiff's lawyer said the suit may be enlarged to include the Alabama loss.

"The VA's taken a pretty haughty tone" about why oversight isn't necessary, said attorney Doug Rosinski. "But there's no longer a barn door. There is no door. There is no barn. There are just random pieces of wood lying around the farm."

William R. Levesque can be reached at levesque@sptimes.com or (813) 226-3436.

[Last modified March 19, 2007, 01:22:17]