http://www.washingtonpost.com/wp-dyn/content/article/2007/06/29/AR2007062901601.html

By BEN EVANS
The Associated Press
Friday, June 29, 2007

WASHINGTON -- An Alabama VA hospital that lost sensitive data on more than 1.5 million people in January repeatedly failed to follow privacy regulations leading up to the incident, according to an internal report.

The employee directly responsible for the data initially lied to investigators and deleted files from his computer in an effort to hide the magnitude of the problem, the Veterans Affairs inspector general wrote.

The vast majority of the data, including Social Security numbers and private health information, was not protected by passwords or computer encryption. It could be used to commit Medicare billing fraud or identity theft, the report said, and the employee should never have had much of it in the first place.

The report, released Friday, recommends "administrative action" against several employees, including the staffer, the managers of the program where he worked and the head of the Birmingham VA Medical Center.

VA spokesman Matt Smith said in a statement that the department agrees with the recommendations and will "work vigorously" to implement them. "The VA strives to maintain the highest standard in safeguarding our veterans' personal information," the statement said.

The security breach occurred on Jan. 22, when employees discovered an external computer hard drive missing from a satellite office that conducts specialty research on health care. Because the employee responsible for the drive initially lied about how much information was on it, the VA initially reported publicly that fewer than 50,000 people were affected. But investigators later determined that the drive contained information for more than 250,000 veterans and about 1.3 million medical providers across the country.
The VA, which didn't finish sending notifications until May 22, has since offered free credit monitoring to nearly 900,000 people whose Social Security numbers appear to have been compromised.

The report found a "dysfunctional management structure that led to an overall breakdown of management oversight, controls, and accountability" at the research site where the drive disappeared. Managers failed to provide hands-on oversight, improperly used non-VA e-mail and selected an insecure office location without properly considering data security, it said.

Although VA policy calls for protecting data through a computer scrambling process called encryption, the managers decided instead to lock the external drives in safes. But employees often left the drives outside the safes or took them offsite, and there was no system for monitoring who accessed the safe, the report said.

The criminal investigation into the drive's disappearance remains open, and the inspector general reported finding no evidence of identity theft related to the information thus far.

The report marks the latest in a series of critical assessments of VA data-security practices. The agency has come under scrutiny for more than a year over a series of lapses, including the theft last spring of data on 26.5 million veterans from an employee's home in Maryland.

In response to the Alabama incident, VA Secretary Jim Nicholson temporarily stopped activities at seven specialized research centers across the country. Aside from Birmingham's, the sites have been reopened.

On the Net: The VA inspector general's report can be viewed at: http://www.va.gov/oig/51/FY2007rpts/VAOIG-07-01083-157.pdf

(c) 2007 The Associated Press