For VA, all security is local
IG’s latest findings illustrate difficulty of assessing risk from data breaches.
When an external hard drive went missing from a Veterans Affairs Department medical center in Birmingham, Ala., earlier this year, the incident added to the notoriety the department earned in May 2006, when a VA laptop PC containing the personal information of 26.5 million veterans and their families was stolen from a VA employee’s home.

The most recent incident revealed that enforcement of data security policies and procedures set by the agency’s headquarters is hit or miss at local offices, according to VA’s Office of Inspector General, which released an investigative report June 29. The local data loss underscored a lack of governmentwide guidance on assessing the degree of risk to potential victims of data security incidents, the IG said. The loss also exposed a lack of guidelines for handling incidents in which lost or stolen data belongs to more than one agency. Without such guidelines, agencies are likely to make inconsistent decisions about what protections to offer people whose personal data was compromised, the report states.

VA’s response to the Birmingham incident was to assume that the victims were at high risk of harm. On that basis, VA offered the victims free credit monitoring, which is costing the government $20 million. The IG’s report made the point that “a very liberal use of high-risk levels can result in spending millions of dollars in taxpayer money needlessly.”

In January, an information technology specialist reported a VA-owned external hard drive missing from the Birmingham Medical Center’s Research Enhancement Award Program office. The employee had used the hard drive to back up research files, which contained personally identifiable information and health information on about 250,000 veterans, as well as data from the Health and Human Services Department on 1.3 million medical providers.
The IG recommended that VA coordinate with the Office of Management and Budget and the President’s Identity Theft Task Force to develop governmentwide risk-analysis criteria for determining when potential identity theft victims of a data loss should be notified and offered free credit monitoring. In the absence of governmentwide criteria, VA or any other agency that loses personal data must decide on its own whether the loss of a single personal identifier, such as a Social Security number, creates a risk of identity theft, said Robert Howard, VA’s chief information officer, in a letter to the IG’s office last month.

VA ultimately offered credit monitoring to 864,000 affected veterans, employees and health care providers whose Social Security numbers were on the missing hard drive, Howard said. VA has not located the drive, and it has no evidence that the missing data has been used to commit fraud.

The data loss was disheartening for the Veterans Health Administration, which oversees all VA hospitals, said Michael Kussman, VA’s undersecretary for health, in a written response to the IG report. “The loss of information at the Birmingham Research Enhancement Award Program is a disturbing incident, given the Veterans Health Administration’s focus on data security over the past year,” Kussman said.