Report criticizes VA hospital over breach
By Ben Evans
Associated Press Writer
WASHINGTON — An Alabama VA hospital that lost sensitive data on more than 1.5 million people in January repeatedly failed to follow privacy regulations leading up to the incident, according to an internal report.
The employee directly responsible for the data initially lied to investigators and deleted files from his computer in an effort to hide the magnitude of the problem, the Veterans Affairs inspector general wrote.
The vast majority of the data, including Social Security numbers and private health information, was not protected by passwords or computer encryption. It could be used to commit Medicare billing fraud or identity theft, the report said, and the employee should never have had much of it in the first place.
The report, released Friday, recommends "administrative action" against several employees, including the staffer, the managers of the program where he worked and the head of the Birmingham VA Medical Center.
VA spokesman Matt Smith said in a statement that the department agrees with the recommendations and will "work vigorously" to implement them.
"The VA strives to maintain the highest standard in safeguarding our veterans' personal information," the statement said.
In response to the Alabama incident, VA Secretary Jim Nicholson temporarily stopped activities at seven specialized research centers across the country.
Aside from Birmingham's, the sites have been reopened.
The security breach occurred on Jan. 22, when employees discovered an external computer hard drive missing from a satellite office that conducts specialty research on health care. Because the employee responsible for the drive initially lied about how much information was on it, the VA initially reported publicly that fewer than 50,000 people were affected.
But investigators later determined that the drive contained information for more than 250,000 veterans and about 1.3 million medical providers across the country.
The VA, which didn't finish sending notifications until May 22, has since offered free credit monitoring to nearly 900,000 people whose Social Security numbers appear to have been compromised.
The report found a "dysfunctional management structure that led to an overall breakdown of management oversight, controls, and accountability" at the research site where the drive disappeared.
Managers failed to provide hands-on oversight, improperly used non-VA e-mail and selected an insecure office location without properly considering data security, it said.
Although VA policy calls for protecting data through a computer scrambling process called encryption, the managers decided instead to lock the external drives in safes. But employees often left the drives outside the safes or took them offsite, and there was no system for monitoring who accessed the safe, the report said.
The criminal investigation into the drive's disappearance remains open, and the inspector general reported finding no evidence of identity theft related to the information thus far.
The report marks the latest in a series of critical assessments of VA data-security practices. The agency has come under scrutiny for more than a year over a series of lapses, including the theft last spring of data on 26.5 million veterans from an employee's home in Maryland.
On the Net:
The VA inspector general's report can be viewed at:
Copyright 2005 Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed.