VA Continues Its Annual Tradition Of Losing Laptop With Unencrypted Sensitive Data
from the the-ministry-of-data-leaks dept
When we last checked in with the Veterans Administration (VA) it was to suggest that it rename itself the “Ministry of Data Leaks.” That’s because every year or so they admit that they’ve lost a computer that happens to contain unencrypted personal data on VA members. And, each report seems to get worse than the previous one. So you would think that, by now, the VA would have at least put in place some system to encrypt and protect the data it stores. That would be wishful thinking. It’s now come out that the VA has had two major data breaches in just the last month — both involving laptops that had unencrypted data.
Of course, this comes after those earlier breaches cost taxpayers tens of millions of dollars in notifications and in response to a class action lawsuit, leading Congress to require the VA to encrypt its data. Apparently, the VA didn’t bother to actually follow through on that requirement. Congress is now investigating again, with the following statement from Rep. Steve Buyer in kicking off the investigation:
“I attribute the continued lack of security to poor memory among VA’s senior management, and its failure to realize the magnitude of the problem that could have been prevented,” Buyer writes. “This is an inexcusable abrogation of responsibility that would not be tolerated in any private company. Veterans and American taxpayers expect a higher standard from the VA….”
Not that I expect a Congressional investigation to be very effective, but at some point you have to wonder what folks at the VA are thinking.
Filed Under: data leak, encryption
Companies: va, veterans administration
Comments on “VA Continues Its Annual Tradition Of Losing Laptop With Unencrypted Sensitive Data”
Oh please
It’s the VA. It’s not that they can use a computer well, it’s that they can use it at all…
lack of competent people and enforcing physical security and adherence to Information Assurance protocols
ignorant remarks are . . . ignorant
ChurchHatesTucker has not clue and therefore discounts his comment. The potential for harm in the data release is magnified by one simple fact. The VA has the widely acknowledged and most complete dossier on every person it handles. The medical records system is the envy of the medical world. Speaking as one who has been a 16-year patient of theirs for heavy duty issues (cured prostate cancer, cured skin cancer, etc.)
I know first hand that I can walk into any VA hospital at any hou5 of the night or any day of the year (like I once did Thanksgiving Day at 4am 400 miles from home) and the person treating me has a total, in-depth, chronological, searchable history of every thing about me on screen. They have every allergy, every medication past and current, every procedure, every blood pressure reading, every blood test, everything everything, everything.
I assure you that few physicians anywehere else have that info unless they are using one of the few commercial systems based on that of the VA.
So this not not merely (!) about SS numbers or unlisted phone numbers. The real problem, contrary to the uniformed comment is that the VA knows very well how to use a computer.
Re: ignorant remarks are . . . ignorant
“ChurchHatesTucker has not clue and therefore discounts his comment.”
Um. OK.
“The real problem, contrary to the uniformed comment is that the VA knows very well how to use a computer.”
As I said, it’s not that they can use a computer *well*, it’s that they can use it at all.
Veterans and American taxpayers expect a higher standard from the VA….”
American taxpayers might expect more, but Veterans? Oh hell no. The VA is known for incompetence in most areas. The average wait time on disability is two years and they’re liable to lose your medical records at least once.
Re: Re:
Mine took 8 months and no lost records. All the dealings I’ve had with the VA medical have gone very well. The education benefit side of the house on the other hand…..
Data is hard to protect. Ask Google, it can’t even protect its crown jewel.
not hard
I work for the FDA.
EVERY laptop we buy goes through a central receiving facility, where it has a standard image put on it – that includes whole disk encryption.
If one of these laptops gets lost, its a boat anchor without that password.
Also, we use, extensively, a secure remote access system through which all employes can access data – securely and without storing anything on the local hard drive.
It really isn’t hard. Expensive? Yes, but no more expensive than responding to a lawsuit, and the money is spent in a more productive manner!
Re: not hard
“If one of these laptops gets lost, its a boat anchor without that password.”
Typical disk encryption is not uncrackable
“Expensive? Yes”
Doesn’t have to be
The VA has Guardianedge. Maybe it is too hard to for them to deploy?
No incentive to change
As long as there are no severe repercussions for the management of the VA (such as losing their jobs, or jail time), then there is no incentive for them to change their behavior. Since the VA is an agency of the US federal government, it is up to Congress to put some teeth into the regulations that govern the VA and other agencies that are under their purview, and we know just how likely that is…
VA Data Protection
I do research at the VA, and I can attest to the fact that, over the last 6 months, they have been pushing HARD for people to follow new IT security guidelines. All laptops, thumb drives, and external hard drives are supposed to be encrypted. Any personal laptops, thumb drives, or external hard drives are not allowed on the premises and are supposed to be confiscated if found. I think the problem isn’t that upper management isn’t making an effort, but that, for a national agency this large, there is a fair amount of momentum in changing the behaviors of employees. Its a shame that this happened again, and I expect they’ll make some token effort to lock things down even more, but the reality is that, with a little bit of time, I bet their policies will make a difference.
DVA not VA
FWIW the old Veterans Administration became the current Department of Veterans Affairs (by being made a cabinet level agency) many years ago, so the more accurate reference is “Veterans Affairs” and not “the Veterans Administration”. Also VA does not have “members” but rather VA serves veterans and their dependents. It isn’t a club you join but rather a benefit you gain from having served honorably in the military or by being related to someone who has thusly served.
HAHAHAHA
“I attribute the continued lack of security to poor memory among VA’s senior management”
So they are saying the reason for this is that the VA had a SENIOR moment. HAHA