VA Breach Blasted by Congressman
Unencrypted laptop stolen from contractor
U.S. Rep. Steve Buyer, R-Ind., wrote a letter to VA Secretary Eric Shinseki May 12, citing "great concern about VA's continuing material weakness in protecting veterans' personal information from data breaches."
Buyer's letter states, "The VA lacks focus on its primary responsibility of protecting veterans' personal information." He asks the secretary to provide information on "your plan to decrease and eventually eliminate the use of unencrypted devices within the VA, particularly in the healthcare business line."
VA in the spotlight
The VA was in the spotlight back in 2006, when an employee's unencrypted laptop, containing information on 26.5 million veterans, was stolen. The VA then required encryption for all its laptops and desktops and those of its contractors.
Despite the encryption policy, the VA acknowledges that one of its contractors, which it declined to name, reported that an unencrypted laptop was stolen from an employee's vehicle on April 22. The device contained personal health information, including the names and Social Security numbers of 616 veterans, who have been notified of the breach as required under the HITECH Act breach notification rule, the VA says.
"The access codes specific to the stolen laptop have been deleted from servers, and no further access from this laptop is possible," the VA contended in a statement sent to HealthcareInfoSecurity.com. The laptop has not been recovered.
Steps taken so far
Responding to the Congressman's letter, the VA noted in its statement that it has instructed security analysts to:
- Conduct a technical review of the situation;
- Ensure all contracted companies' laptops and desktops are encrypted; and
- Ensure all contracts are in compliance with VA-mandated policy.
In addition, the VA notes:
- "The contractor involved has installed a new server and whole-disk encryption for all VA Pharmacy Services computers. Laptops have been replaced by encrypted desktops. The contractor has accepted proposals for an onsite audit for mid-level certification and accreditation and has contracted an outside company to do a review of their security requirements."
- "The VA is conducting a focused assessment of the contractor's facility," including a review of security compliance.
- "The VA established a new protocol that become effective immediately for the IT Oversight and Compliance organization to review the 10 largest dollar amount contracts, 20 randomly selected contracts and three vendors for all contracts that receive or store information on VA clients" to ensure compliance with security policies.