[ISN] Report Criticizes VA Data Security

From: InfoSec News (alerts@private)
Date: Sun Jul 01 2007 - 22:30:01 PDT


The Associated Press
Friday, June 29, 2007

WASHINGTON -- An Alabama VA hospital that lost sensitive data on more 
than 1.5 million people in January repeatedly failed to follow privacy 
regulations leading up to the incident, according to an internal report.

The employee directly responsible for the data initially lied to 
investigators and deleted files from his computer in an effort to hide 
the magnitude of the problem, the Veterans Affairs inspector general 

The vast majority of the data, including Social Security numbers and 
private health information, was not protected by passwords or computer 
encryption. It could be used to commit Medicare billing fraud or 
identity theft, the report said, and the employee should never have had 
much of it in the first place.

The report, released Friday, recommends "administrative action" against 
several employees, including the staffer, the managers of the program 
where he worked and the head of the Birmingham VA Medical Center.

VA spokesman Matt Smith said in a statement that the department agrees 
with the recommendations and will "work vigorously" to implement them.

"The VA strives to maintain the highest standard in safeguarding our 
veterans' personal information," the statement said.

The security breach occurred on Jan. 22, when employees discovered an 
external computer hard drive missing from a satellite office that 
conducts specialty research on health care. Because the employee 
responsible for the drive initially lied about how much information was 
on it, the VA initially reported publicly that fewer than 50,000 people 
were affected.

But investigators later determined that the drive contained information 
for more than 250,000 veterans and about 1.3 million medical providers 
across the country.

The VA, which didn't finish sending notifications until May 22, has 
since offered free credit monitoring to nearly 900,000 people whose 
Social Security numbers appear to have been compromised.

The report found a "dysfunctional management structure that led to an 
overall breakdown of management oversight, controls, and accountability" 
at the research site where the drive disappeared.

Managers failed to provide hands-on oversight, improperly used non-VA 
e-mail and selected an insecure office location without properly 
considering data security, it said.

Although VA policy calls for protecting data through a computer 
scrambling process called encryption, the managers decided instead to 
lock the external drives in safes. But employees often left the drives 
outside the safes or took them offsite and there was no system for 
monitoring who accessed the safe, the report said.

The criminal investigation into the drive's disappearance remains open, 
and the inspector general reported finding no evidence of identity theft 
related to the information thus far.

The report marks the latest in a series of critical assessments of VA 
data-security practices. The agency has come under scrutiny for more 
than a year over a series of lapses, including the theft last spring of 
data on 26.5 million veterans from an employee's home in Maryland.

In response to the Alabama incident, VA Secretary Jim Nicholson 
temporarily stopped activities at seven specialized research centers 
across the country. Aside from Birmingham's, the sites have been 


On the Net:
The VA inspector general's report can be viewed at:


(c) 2007 The Associated Press

