[ISN] VA mishandled computer data, panel told

From: InfoSec News (alerts@private)
Date: Sun Mar 04 2007 - 22:11:11 PST


News Washington correspondent
March 01, 2007

WASHINGTON - Department of Veterans Affairs computer data has been 
mishandled hundreds of times in the past 10 months and the agency has 
not followed multiple rules designed to keep personal information safe, 
according to testimony Wednesday before a congressional panel 
investigating the security problems.

The most recent incident - a missing hard drive from the Birmingham VA 
Medical Center that contained personal, financial and medical data on 
about 1.8 million people - is the largest of 46 cases under 
investigation by the VA's inspector general.

Also Wednesday, Birmingham VA officials for the first time said the hard 
drive was reported stolen from an employee's locked work space, which 
previously had been inspected and determined to be secure.

Wednesday's hearing was hastily arranged because of the Birmingham 
situation, according to the chairman of the investigations and oversight 
subcommittee of the House Veterans Affairs Committee. It revealed a 
widespread and systemic security problem in the federal agency that last 
year provided health care for more than 5.4 million veterans.

"If the Birmingham incident stood alone against a backdrop of a sound 
information security management program, perhaps we could address a 
one-time-only incident with more patience," said U.S. Rep. Harry 
Mitchell, D-Ariz. "However, the record reflects a host of material 
weaknesses ... and the VA is slow to correct these deficiencies."

`Information at risk':

The VA has repeatedly failed audits on its computer security systems, 
and 17 recommendations to fix the problem remain unfinished after 
several years, according to Maureen Regan, counselor to the VA's 
inspector general. Her testimony was a blistering account of the 
agency's shortcomings, such as the lack of basic encryption and the lack 
of knowledge about how many employees and contractors use non-VA 
computers to access VA systems, how many external hard drives are used 
or what data is stored on them.

"VA still lacks effective internal controls and accountability which 
leaves sensitive information at risk," Regan said in her written 

Gregory Wilshusen of the Government Accountability Office reached a 
similar conclusion, calling the breaches "remarkable and stunning in 
scope and magnitude," but not necessarily unique among federal agencies.

VA officials said the Birmingham incident was reported quicker and 
handled better than the major breach last May of data on more than 26 
million people. And while they testified about the work in progress to 
implement changes, they didn't dispute the dire assessments.

"I sincerely wish I could promise that no other incident will occur," 
said Gordon Mansfield, deputy secretary of the VA. "I can't do that 

Members of Congress from both sides of the aisle were clearly 
exasperated, in part because the data missing from the Birmingham case 
could be enough for someone to commit Medicare fraud by filing fake 
requests for reimbursements. The hard drive still is missing and the FBI 
has issued a $25,000 reward for its recovery.

Rep. Spencer Bachus, R-Vestavia Hills, complained that the data on 
535,000 veterans and 1.3 million health-care providers was not 
encrypted. "That ought to be standard operating procedure."

Rep. Artur Davis, D-Birmingham, argued that the VA should have notified 
veterans and doctors much sooner that their personal information could 
have been compromised.

The hard drive was reported missing Jan. 22, the public learned about it 
Feb. 3, and letters to the affected people started being mailed out the 
week of Feb. 12. While veterans are being notified, Mansfield said, the 
VA is awaiting contact information from the Centers on Medicare and 
Medicaid Services about the health-care providers.

"I have a very strong hunch ... that the only reason the public knows 
about any of this is simply by pure luck," Davis said.

VA officials have said they couldn't disclose the incident earlier 
because of the investigation.

External drives banned:

The Birmingham employee who reported the missing equipment is on 
administrative leave. Two Birmingham VA officials, Y.C. Parris and 
Warren Blackburn, said Wednesday that the employee reported the hard 
drive was taken from his desk area in his Five Points South office, 
where it had been under lock and key.

Blackburn said the use of external hard drives is now banned. Parris 
said the data was not encrypted because staff didn't have the proper 
computer software to do the encryption.

Davis asked Mansfield, the deputy VA secretary, to rate the response of 
the Birmingham officials to the situation, and Mansfield refused to 
discuss it publicly.

"This is the people's business," Davis said. "It's not a matter of 
national security. It's something they're entitled to know."

Copyright 2007 The Birmingham News

Visit the InfoSec News Security Bookstore

This archive was generated by hypermail 2.1.3 : Sun Mar 04 2007 - 22:26:25 PST