[ISN] Update: Another VA computer missing

From: InfoSec News (alerts@private)
Date: Wed Aug 09 2006 - 22:29:59 PDT


http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9002252

By Linda Rosencrance
August 08, 2006 
Computerworld

Editor's note: Due to an editing error, an earlier version of this story 
incorrectly said the stolen computer was a laptop.

The U.S. Department of Veterans Affairs yesterday announced that a desktop 
computer containing the personal information on 38,000 veterans is missing 
from the office of Unisys Corp., the subcontractor hired to assist in 
insurance collection for the VA's medical centers in Pittsburgh and 
Philadelphia.

"VA's inspector general, the FBI and local law enforcement are conducting 
a thorough investigation of this matter," Secretary of Veterans Affairs R. 
James Nicholson said in a statement. Unisys told the VA on Aug. 3 that the 
computer was missing from its Reston, Va., offices. The VA immediately 
sent a team to Unisys to help search for the missing computer and to 
determine exactly what information it contained.

The VA said it believes the data involved is limited to veterans who 
received treatment at the two Pennsylvania medical centers during the past 
four years. According to the agency, the desktop computer may have 
contained patients' names, addresses, Social Security numbers and dates of 
birth, the names of their insurance companies, billing information, dates 
of military service and claims data that may include some medical 
information.

The VA estimates that the computer contained information on approximately 
5,000 patients treated at a center in Philadelphia, approximately 11,000 
patients treated at a Pittsburgh facility and about 2,000 deceased 
patients. The VA is also investigating the possibility that the computer 
contained information on another 20,000 people who received care through 
the Pittsburgh medical center.

VA officials are also working with Unisys about notifying those who may be 
affected and offering them credit-monitoring services.

Unisys officials today continued their search for the missing desktop.  
The company can't say for certain that it was stolen and is not ruling out 
the possibility that it had been misplaced. "We can't find it.  It's 
missing from where it's regularly housed and the building has been swept 
several times," said Lisa Meyers, a company spokeswoman.

Unisys is continuing to review security tapes, records and logs and 
conduct interviews. "It is ongoing," said Meyers of the company's search 
for the desktop.

The Reston facility from which the computer disappeared has been used by 
Unisys since June 2004, said Meyers. There have been no previous reports 
of thefts from it.

The work being done for the VA wasn't classified, although Unisys does 
work for other government agencies that is classified, and the building 
has security guards working around-the-clock, with video monitoring of 
exits and entrances -- including elevators -- as well as a need for key 
cards.

The desktop data was not encrypted, and there was no requirement for that 
under the government's contract, said Meyers.

In addition to alerting U.S. government authorities about the incident, 
Unisys filed a report with the Fairfax County Police Department. A review 
of two months' worth of weekly police reports posted online shows on 
average about four computer thefts a week either from vehicles, residences 
or offices in the county.

A police spokesman said there was no particular trend pointing to an 
increase in computer thefts. The investigation is continuing, VA officials 
said.

"VA is making progress in efforts to reform its information technology and 
cybersecurity procedures, but this report of a missing computer at a 
subcontractor's secure building underscores the complexity of the work 
ahead as we establish VA as a leader in data and information security," 
Nicholson said in the statement.

The loss of this computer comes just two days after Montgomery County 
Police in Maryland announced the arrests of two men accused of stealing a 
VA laptop and hard drive that contained identifying information on 26.5 
million of veterans and active-duty military personnel in May.

That laptop was recovered in June, and the VA does not believe that any of 
the personal information contained on it was compromised.

-=-

Computerworld's Patrick Thibodeau contributed to this report.


_________________________________
Visit the InfoSec News store!
http://www.shopinfosecnews.org



This archive was generated by hypermail 2.1.3 : Wed Aug 09 2006 - 22:47:08 PDT