VA hit with two class-action suits over data theft

The Consumer Coalition for Health Privacy has also asked HHS to conduct a privacy review of health data.

The Department of Veterans Affairs faces two class-action lawsuits related to the theft of information on 26.5 million veterans last month.

The Vietnam Veterans of America (VVA) and four other veterans groups have filed a class-action lawsuit against the VA seeking $1,000 in damages for each veteran who can show that he or she has been harmed by the data theft.

Last week, Paul Hackett, a Marine reservist from Cincinnati, Ohio, who served in Iraq, and Matthew Page, from Boone County, Ky., filed a class-action lawsuit against the VA in the U.S. District Court for the Eastern District of Kentucky. It, too, seeks $1,000 in damages for any veteran damaged by the data theft.

The VA disclosed yesterday that the stolen database also contains records and private information on 10,000 to 20,000 members of the National Guard and Reserves called to active duty and on 25,000 to 30,000 Navy personnel who completed their first enlistment before 1991.

The Consumer Coalition for Health Privacy asked the Department of Health and Human Services last week to conduct a privacy review of health data included in the stolen information, which contained records it believes are covered by the Health Insurance Portability and Accountability Act (HIPAA).

The VVA suit, filed in the U.S. District Court for the District of Columbia, also asks the court to prevent the VA from altering any of its data storage systems until a court-appointed panel of experts determines how to prevent future security breaches. The National Gulf War Resource Center, Radiated Veterans of America, Citizen Soldier, and Veterans for Peace joined VVA in its suit.

The Hackett/Page suit asks the Kentucky court to prohibit the VA from operating information systems without appropriate safeguards to ensure the privacy of veterans’ records.

It also requests that the VA take steps to head off possible identity theft by establishing an identity- and credit-monitoring program that would cover potentially all of the veterans whose information was stolen. The data was stored on a removable device attached to a laptop PC reported stolen from a VA data analyst’s home May 3.

“It is appalling to all veterans that their personal information -- information that is supposed to be held in confidence -- is potentially in the hands of individuals who can wreak identity-theft havoc,” said John Rowan, national president of VVA.

He added that he was perplexed about the amount of information the VA has collected on veterans who have never used the agency’s services and said VA Secretary Jim Nicholson has yet to answer some critical questions.

“What was an employee of the VA doing with the names, Social Security numbers and dates of birth of all these veterans, the vast majority of whom have never availed themselves of VA services?” he asked. “Why is the VA collecting this information in the first place?”

Besides personal identifiers such as Social Security numbers, the VA said the stolen database also contains medical diagnostic codes and medical disability ratings, which the Consumer Coalition for Health Privacy views as a potential violation of the privacy provisions of HIPAA.

The coalition asked HHS Secretary Mike Leavitt “to do everything he can to ensure the privacy and security of protected health and other highly sensitive information held by the VA,” said Paul Feldman, deputy director of the Health Privacy Project, in a statement.