GovInfoSecurity.com - Information Security News, Regulations, & Education

VA Breach Blasted by Congressman

Unencrypted laptop stolen from contractor
May 17, 2010 - Howard Anderson, Managing Editor, HealthcareInfoSecurity.com

A Congressman is citing the recent theft of an unencrypted laptop containing "VA medical center data" on more than 600 veterans as evidence that the Department of Veterans Affairs is not doing enough to protect information.

U.S. Rep. Steve Buyer, R-Ind., wrote a letter to VA Secretary Eric Shinseki May 12, citing "great concern about VA's continuing material weakness in protecting veterans' personal information from data breaches."

Buyer's letter states, "The VA lacks focus on its primary responsibility of protecting veterans' personal information." He asks the secretary to provide information on "your plan to decrease and eventually eliminate the use of unencrypted devices within the VA, particularly in the healthcare business line."

VA in the spotlight

The VA was in the spotlight back in 2006, when an employee's unencrypted laptop, containing information on 26.5 million veterans, was stolen. The VA then required encryption for all its laptops and desktops and those of its contractors.

Despite the encryption policy, the VA acknowledges that one of its contractors, which it declined to name, reported that an unencrypted laptop was stolen from an employee's vehicle on April 22. The device contained personal health information, including the names and Social Security numbers of 616 veterans, who have been notified of the breach as required under the HITECH Act breach notification rule, the VA says.

"The access codes specific to the stolen laptop have been deleted from servers, and no further access from this laptop is possible," the VA contended in a statement sent to HealthcareInfoSecurity.com. The laptop has not been recovered.

Steps taken so far

Responding to the Congressman's letter, the VA noted in its statement that it has instructed security analysts to:

  • Conduct a technical review of the situation;
  • Ensure all contracted companies' laptops and desktops are encrypted; and
  • Ensure all contracts are in compliance with VA-mandated policy.

In addition, the VA notes:

  • "The contractor involved has installed a new server and whole-disk encryption for all VA Pharmacy Services computers. Laptops have been replaced by encrypted desktops. The contractor has accepted proposals for an onsite audit for mid-level certification and accreditation and has contracted an outside company to do a review of their security requirements."
  • "The VA is conducting a focused assessment of the contractor's facility," including a review of security compliance.
  • "The VA established a new protocol that become effective immediately for the IT Oversight and Compliance organization to review the 10 largest dollar amount contracts, 20 randomly selected contracts and three vendors for all contracts that receive or store information on VA clients" to ensure compliance with security policies.

