
VA Breach Blasted by Congressman

Unencrypted laptop stolen from contractor
A Congressman is citing the recent theft of an unencrypted laptop containing "VA medical center data" on more than 600 veterans as evidence that the Department of Veterans Affairs is not doing enough to protect information.

U.S. Rep. Steve Buyer, R-Ind., wrote a letter to VA Secretary Eric Shinseki May 12, citing "great concern about VA's continuing material weakness in protecting veterans' personal information from data breaches."

Buyer's letter states, "The VA lacks focus on its primary responsibility of protecting veterans' personal information." He asks the secretary to provide information on "your plan to decrease and eventually eliminate the use of unencrypted devices within the VA, particularly in the healthcare business line."

VA in the spotlight

The VA was in the spotlight back in 2006, when an employee's unencrypted laptop, containing information on 26.5 million veterans, was stolen. The VA then required encryption for all its laptops and desktops and those of its contractors.

Despite the encryption policy, the VA acknowledges that one of its contractors, which it declined to name, reported that an unencrypted laptop was stolen from an employee's vehicle on April 22. The device contained personal health information, including the names and Social Security numbers of 616 veterans, who have been notified of the breach as required under the HITECH Act breach notification rule, the VA says.

"The access codes specific to the stolen laptop have been deleted from servers, and no further access from this laptop is possible," the VA contended in a statement sent to HealthcareInfoSecurity.com. The laptop has not been recovered.

Steps taken so far

Responding to the Congressman's letter, the VA noted in its statement that it has instructed security analysts to:

  • Conduct a technical review of the situation;
  • Ensure all contracted companies' laptops and desktops are encrypted; and
  • Ensure all contracts are in compliance with VA-mandated policy.

In addition, the VA notes:

  • "The contractor involved has installed a new server and whole-disk encryption for all VA Pharmacy Services computers. Laptops have been replaced by encrypted desktops. The contractor has accepted proposals for an onsite audit for mid-level certification and accreditation and has contracted an outside company to do a review of their security requirements."
  • "The VA is conducting a focused assessment of the contractor's facility," including a review of security compliance.
  • "The VA established a new protocol that become effective immediately for the IT Oversight and Compliance organization to review the 10 largest dollar amount contracts, 20 randomly selected contracts and three vendors for all contracts that receive or store information on VA clients" to ensure compliance with security policies.

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.



