Data loss deja vu at the VA

A Veterans Affairs Department contractor laptop containing the personal data of about 644 veterans was stolen in Texas earlier this year, revealed Rep. Steve Buyer (R-Ind.) in a public letter to VA Secretary Eric Shinseki.

Stolen laptops containing veterans' data is a sore point for the department, which settled a $20 million class action lawsuit in 2009 after a VA employee had stolen from his suburban Maryland home in 2006 a laptop and hard drive containing the personal identification information of 26.5 million active duty and troops and veterans. The stolen property was recovered, the data apparently not accessed.

In response to the first laptop theft, the VA instituted an encryption requirement for medical and identification information on laptops; however, the Texas laptop was not encrypted, according to Buyer, the senior Republican member of the House Veterans' Affairs Committee. The VA notified the House of the theft on April 28, the letter states.

"It is apparent to me that the details of these breaches clearly indicate that the VA lacks focus on its primary responsibility of protecting veterans' personal information," Buyer wrote.

The laptop belongs to a contractor that has contracts with 13 of the VA's 23 regional service networks, the letter states. A review of the company's 69 contracts shows that 25 of them did not include an information security clause, the letter adds.

"I can only conclude form this incident that VA's procurement processes seriously lack standardization in content, failure to articulate requirements, and an absence of compliance oversight," Buyer also wrote.

For more:
- see Rep. Steve Buyer's letter (.pdf)
- read this Nextgov article

Related Articles:
Industry group urges VA to embrace open source
Once unplugged, VA medical system needed a year to re-connect