Veterans Administration Now Known As Ministry For Data Leaks

from the leak-rinse-repeat dept

In the middle of last year, a laptop and hard drive containing personal information on 26.5 million US veterans were stolen from an employee's home. While the equipment was recovered, and the government claimed the data had not been accessed, the theft highlighted the lax security procedures of the VA -- and another theft a few months later reinforced it. Now, try not to be surprised, but it's happened again, as a portable hard drive containing personal information on 48,000 vets has gone missing from an Alabama facility. Despite the VA saying it was beefing up data security after the first theft by taking measures including putting encryption software on all its laptops and desktop PCs, apparently as many as 20,000 records on this latest hard drive weren't encrypted. While encryption is by no means a cure-all, it's pretty ridiculous that even after the previous high-profile events, the VA still can't be bothered to take even this first step with all its data. There's a total lack of accountability and responsibility here: while there's been talk of mandating stiffer penalties for individuals who are negligent with personal data, that's nothing more than smoke and mirrors. It hides the real problem, which is an environment that, from the top down, accepts and excuses this sort of behavior. Until that changes, expect more data leaks.


Reader Comments

  •  
    dorpus, Feb 6th, 2007 @ 12:08pm

    Hey, that's across the street

    from where I take classes. I drive by the VA every day.

    What would anyone do with data theft in Alabama, though? I enjoy the local low-security culture. It's not like California, where security guard bullies are always threatening to arrest anyone who so much as walks into a store through the wrong entrance.

     


    •  
      Bill Hoffer, Feb 6th, 2007 @ 1:23pm

      Re: Hey, that's across the street

      "security guard bullies"? Like the ones at Disney Land and who drive around shopping malls and school grounds in golf carts? You are afraid of these people? The phrase, "threatening to arrest" is funny - it sounds similar to something a school girl might say to another school kid who is making faces at her.

       


      •  
        dorpus, Feb 6th, 2007 @ 10:31pm

        Re: Re: Hey, that's across the street

        "security guard bullies"? Like the ones at Disney Land and who drive around shopping malls and school grounds in golf carts? You are afraid of these people? The phrase, "threatening to arrest" is funny - it sounds similar to something a school girl might say to another school kid who is making faces at her.

        They are allowed to arrest people, they carry handcuffs and pepper spray, sometimes even guns. They are usually incompetent Mexican-Americans on a power trip. I haven't been arrested, but I've seen them do it to others for trivial offenses like standing in the wrong place.

         


  •  
    Neonghost, Feb 6th, 2007 @ 12:39pm

    HIPAA

    The VA handles health care related issues and that means HIPAA. I work in IT for a University hospital and deal with HIPAA related issues very often. A first offence, even accidental, of exposing protected health information can be a year in jail and a 10g fine. And that's if I accidentally put a patient's room number in a clear text field.

    However outside of IT I have found no one takes HIPAA seriously. Just goes to show you that if you don't understand a thing you don't respect it.

     


  •  
    SPR, Feb 6th, 2007 @ 1:26pm

    Electronic Security

    When the government that imposes laws like HIPAA on us then exempts governmental agencies from its requirements, how can you expect them to take anything of yours (data or otherwise) seriously?

     


  •  
    Anonymous Coward, Feb 6th, 2007 @ 3:08pm

    It hides the real problem, which is an environment that, from the top down, accepts and excuses this sort of behavior.
    The VA is part of the executive branch of the US government and the president is at the "top" of the executive branch.

     


  •  
    Petty Officer White, Feb 6th, 2007 @ 4:25pm

    Shame

    Damn shame. Get the right people in place to do the job and get it done. Again and again, damned shame. Horrible way to house, store, and administer information of Veterans.

    Who cares about veterans with short-order lovers, car chases, knuckleheads who eat their children, politicians posing for dingle-boy magazine, runners to corner blocks for daily shooters of ills we lover, and the veteran begs for a dollar while offering directions to Macy's on G street....



    Can I get a war, so Vets can find some love!!!

     


    •  
      Dave, Feb 7th, 2007 @ 10:52pm

      Re: Shame

      I agree with you, Chief, I am a disabled vet but would gladly do any job the military would put me in if only they would use me for something. Give me a war, too.

       


  •  
    Ray Trygstad, Feb 6th, 2007 @ 8:12pm

    It's a Policy Issue!

    This is not a failure of technology: it's a failure of policy, which is the core management tool for information security. There has to be a policy governing data on portable devices, the policy has to be enforced, and there have to be consequences for failure to comply. The policy might prescribe a technological control (i.e. encryption), but there has to be policy. This certainly does not seem to be the case in the Department of Veterans Affairs.

    BTW the government is NOT exempt from HIPAA; on top of that, as a Federal agency, the DVA is also subject to FISMA, the Federal Information Security Management Act, which is much tougher than any IT security standards legislatively required of any commercial entities.

     


