[ISN] Deja vu all over again at Veterans Administration

From: InfoSec News (alerts@private)
Date: Sun Nov 18 2007 - 23:19:08 PST


By Jaikumar Vijayan
November 16, 2007 

In what's become a fairly familiar routine for them of late, the U.S. 
Department of Veterans Affairs is investigating a potential data breach 
-- the theft of three computers containing personal data on potentially 
12,000 individuals.

Two desktop PCs and one laptop containing that data were stolen from a 
medical facility in Roudebush, Indiana -- ironically enough, on Veterans 
Day. The records belong to patients who were treated at the hospital and 
include Social Security numbers and other personally identifiable 

"It appears from this most recent breach that there are still some in 
the VA, even some responsible for the security of such data, who don't 
realize the importance of the security of the names and data of our 
veterans," Congressman Steve Buyer (R-Ind) said in a prepared statement.

According to Buyer, the VA notified his office of the breach on Thursday 
and are working on ascertaining the names and data of the people who 
might have been affected by the theft.

Buyer was the chairman of the House Veteran Affairs Committee last year 
and held 16 hearings on VA information technology with eight of them 
specifically on IT security. The hearings were designed to identity the 
issues that led to the loss of a laptop and hard disk containing 
personal data on over 26.5 million veterans in May last year.

That incident led to a sweeping overhaul of the VA's IT organization and 
more direct power being bestowed on the office of the CIO to make needed 
security changes.

"It is inexcusable that the VA repeatedly fails to comply with its own 
policy to safeguard veterans' personal information," Buyer said, adding 
that the agency needed to provide full credit monitoring to all those 
affected in the latest breach.

The Roudebush theft is the latest in a string of similar incident that 
have occurred at VA before and after the massive data breach in May 

On January 22, 2007, an IT specialist at a VA medical center in 
Birmingham, Alabama, reported as missing (PDF format [1]) hard disk 
containing personal data on over 250,000 veterans and an additional 1.3 
million medical providers.

In August of last year, at the height of uproar over the May breach, the 
VA disclosed that Unisys, a subcontractor hired to assist in insurance 
collections for VA medical centers in Pittsburgh reported a missing 
computer containing personal data on over 16,000 veterans.

During a Buyer hearing into the May 2006 breach, VA officials disclosed 
several other prior security incidents that had happened at the 
department, including the loss of a back-up tape containing legal and 
case related information on 16,500 veterans from Indianapolis. Also 
disclosed during the hearing was another breach, this one involving the 
loss of SSNs and other personal data on 66 veterans; their data was 
compromised when a VA auditor put the papers with the data in the trunk 
of a rental car that was later stolen.

[1] http://www.va.gov/oig/51/FY2007rpts/VAOIG-07-01083-157.pdf

Visit InfoSec News

This archive was generated by hypermail 2.1.3 : Sun Nov 18 2007 - 23:24:40 PST