VA Continues Its Annual Tradition Of Losing Laptop With Unencrypted Sensitive Data

from the the-ministry-of-data-leaks dept

When we last checked in with the Veterans Administration (VA) it was to suggest that it rename itself the "Ministry of Data Leaks." That's because every year or so they admit that they've lost a computer that happens to contain unencrypted personal data on VA members. And, each report seems to get worse than the previous one. So you would think that, by now, the VA would have at least put in place some system to encrypt and protect the data it stores. That would be wishful thinking. It's now come out that the VA has had two major data breaches in just the last month -- both involving laptops that had unencrypted data.

Of course, this comes after those earlier breaches cost taxpayers tens of millions of dollars in notifications and in response to a class action lawsuit, leading Congress to require the VA to encrypt its data. Apparently, the VA didn't bother to actually follow through on that requirement. Congress is now investigating again, with the following statement from Rep. Steve Buyer in kicking off the investigation:

"I attribute the continued lack of security to poor memory among VA's senior management, and its failure to realize the magnitude of the problem that could have been prevented," Buyer writes. "This is an inexcusable abrogation of responsibility that would not be tolerated in any private company. Veterans and American taxpayers expect a higher standard from the VA...."

Not that I expect a Congressional investigation to be very effective, but at some point you have to wonder what folks at the VA are thinking.


Reader Comments

  1.  
    ChurchHatesTucker, May 13th, 2010 @ 6:49pm

    Oh please

    It's the VA. It's not that they can use a computer well, it's that they can use it at all...

  2.  
    Anonymous Coward, May 13th, 2010 @ 7:29pm

    lack of competent people and enforcing physical security and adherence to Information Assurance protocols

  3.  
    Joe Harkins, May 13th, 2010 @ 7:33pm

    ignorant remarks are . . . ignorant

    ChurchHatesTucker has not clue and therefore discounts his comment. The potential for harm in the data release is magnified by one simple fact. The VA has the widely acknowledged and most complete dossier on every person it handles. The medical records system is the envy of the medical world. Speaking as one who has been a 16-year patient of theirs for heavy duty issues (cured prostate cancer, cured skin cancer, etc.)

    I know first hand that I can walk into any VA hospital at any hour of the night or any day of the year (like I once did Thanksgiving Day at 4am 400 miles from home) and the person treating me has a total, in-depth, chronological, searchable history of every thing about me on screen. They have every allergy, every medication past and current, every procedure, every blood pressure reading, every blood test, everything everything, everything.

    I assure you that few physicians anywhere else have that info unless they are using one of the few commercial systems based on that of the VA.

    So this is not merely (!) about SS numbers or unlisted phone numbers. The real problem, contrary to the uniformed comment is that the VA knows very well how to use a computer.

  4.  
    Anonymous Coward, May 13th, 2010 @ 7:44pm

    "Veterans and American taxpayers expect a higher standard from the VA...."

    American taxpayers might expect more, but Veterans? Oh hell no. The VA is known for incompetence in most areas. The average wait time on disability is two years and they're liable to lose your medical records at least once.

  5.  
    Anonymous Coward, May 13th, 2010 @ 9:01pm

    Data is hard to protect. Ask Google, it can't even protect its crown jewel.

  6.  
    Dementia, May 14th, 2010 @ 4:38am

    Re:

    Mine took 8 months and no lost records. All the dealings I've had with the VA medical have gone very well. The education benefit side of the house on the other hand.....

  7.  
    rwahrens, May 14th, 2010 @ 5:06am

    not hard

    I work for the FDA.

    EVERY laptop we buy goes through a central receiving facility, where it has a standard image put on it - that includes whole disk encryption.

    If one of these laptops gets lost, it's a boat anchor without that password.

    Also, we use, extensively, a secure remote access system through which all employees can access data - securely and without storing anything on the local hard drive.

    It really isn't hard. Expensive? Yes, but no more expensive than responding to a lawsuit, and the money is spent in a more productive manner!

  8.  
    abc gum, May 14th, 2010 @ 5:13am

    Re: not hard

    "If one of these laptops gets lost, it's a boat anchor without that password."

    Typical disk encryption is not uncrackable

    "Expensive? Yes"

    Doesn't have to be

  9.  
    JD, May 14th, 2010 @ 5:30am

    The VA has GuardianEdge. Maybe it is too hard for them to deploy?

  10.  
    Spaceman Spiff, May 14th, 2010 @ 6:59am

    No incentive to change

    As long as there are no severe repercussions for the management of the VA (such as losing their jobs, or jail time), then there is no incentive for them to change their behavior. Since the VA is an agency of the US federal government, it is up to Congress to put some teeth into the regulations that govern the VA and other agencies that are under their purview, and we know just how likely that is...

  11.  
    Anonymous Coward, May 14th, 2010 @ 7:40am

    VA Data Protection

    I do research at the VA, and I can attest to the fact that, over the last 6 months, they have been pushing HARD for people to follow new IT security guidelines. All laptops, thumb drives, and external hard drives are supposed to be encrypted. Any personal laptops, thumb drives, or external hard drives are not allowed on the premises and are supposed to be confiscated if found. I think the problem isn't that upper management isn't making an effort, but that, for a national agency this large, there is a fair amount of momentum in changing the behaviors of employees. It's a shame that this happened again, and I expect they'll make some token effort to lock things down even more, but the reality is that, with a little bit of time, I bet their policies will make a difference.

  12.  
    NetSurfer, May 14th, 2010 @ 7:58am

    DVA not VA

    FWIW the old Veterans Administration became the current Department of Veterans Affairs (by being made a cabinet level agency) many years ago, so the more accurate reference is "Veterans Affairs" and not "the Veterans Administration". Also VA does not have "members" but rather VA serves veterans and their dependents. It isn't a club you join but rather a benefit you gain from having served honorably in the military or by being related to someone who has thusly served.

  13.  
    Sean T Henry, May 14th, 2010 @ 8:05am

    HAHAHAHA

    "I attribute the continued lack of security to poor memory among VA's senior management"

    So they are saying the reason for this is that the VA had a SENIOR moment. HAHA

  14.  
    ChurchHatesTucker, May 14th, 2010 @ 10:22am

    Re: ignorant remarks are . . . ignorant

    "ChurchHatesTucker has not clue and therefore discounts his comment."

    Um. OK.

    "The real problem, contrary to the uniformed comment is that the VA knows very well how to use a computer."

    As I said, it's not that they can use a computer *well*, it's that they can use it at all.

