The U.S. Department of Veterans Affairs is investigating a potential data breach involving the theft of three computers containing personal data on potentially 12,000 individuals. This is not the first data breach to occur at the department, as last year a laptop and hard disk containing personal data on over 26.5 million veterans were stolen.
In this most recent breach, two desktop PCs and one laptop containing personal data were stolen from a medical facility in Roudebush, Indiana – ironically enough, on Veterans Day. The records belong to patients who were treated at the hospital and include Social Security numbers and other personally identifiable information.
“It appears from this most recent breach that there are still some in the VA, even some responsible for the security of such data, who don’t realize the importance of the security of the names and data of our veterans,” Congressman Steve Buyer (R-Ind) said in a prepared statement.
According to Buyer, the VA notified his office of the breach on Thursday and is working on ascertaining the names and data of the people who might have been affected by the theft.
Buyer was the chairman of the House Veteran Affairs Committee last year and held 16 hearings on VA information technology, eight of them specifically on IT security. The hearings were designed to identify the issues that led to the theft in May last year of a laptop and hard disk containing personal data on over 26.5 million veterans.
That incident led to a sweeping overhaul of the VA’s IT organization and more direct power being bestowed on the office of the CIO to make needed security changes.
“It is inexcusable that the VA repeatedly fails to comply with its own policy to safeguard veterans’ personal information,” Buyer said, adding that the agency needed to provide full credit monitoring to all those affected in the latest breach.
The Roudebush theft is the latest in a string of similar incidents that have occurred at the VA before and after the massive data breach in May 2006.
On January 22, 2007, an IT specialist at a VA medical center in Birmingham, Alabama, reported as missing a hard disk containing personal data on over 250,000 veterans and an additional 1.3 million medical providers.
In August of last year, at the height of the uproar over the May breach, the VA disclosed that Unisys, a subcontractor hired to assist in insurance collections for VA medical centers in Pittsburgh, reported a missing computer containing personal data on over 16,000 veterans.
During a Buyer hearing into the May 2006 breach, VA officials disclosed several other prior security incidents that had happened at the department, including the loss of a back-up tape containing legal and case-related information on 16,500 veterans from Indianapolis. Also disclosed during the hearing was another breach, this one involving the loss of SSNs and other personal data on 66 veterans; their data was compromised when a VA auditor put the papers with the data in the trunk of a rental car that was later stolen.