After spending the past few months getting an earful from angry veterans and posturing politicians, the Veterans Affairs Department thought it might begin to distance itself from the stigma of May's stolen laptop and hard drive containing sensitive information about millions of veterans and their spouses. Not so. Veterans Affairs Monday delivered cringe-inducing news that a PC containing personal information on thousands of veterans is missing from a Unisys office.
The VA hired subcontractor Unisys to assist in insurance collections for the department's medical centers in Pittsburgh and Philadelphia. On Aug. 3, Unisys informed the VA that a computer was missing from its Reston, Va., offices. According to VA officials, information on the desktop computer was password protected but was not encrypted. The VA's initial estimates indicate that the computer contained information on about 5,000 patients treated in Philadelphia, 11,000 patients treated in Pittsburgh, and 2,000 deceased patients. The VA is also investigating the possibility the computer may have contained information on another 20,000 people who received care through the Pittsburgh medical center.
That pales in comparison with the laptop theft that took place in May and included 26.5 million records. The VA issued a statement Monday saying it believes the desktop computer may have contained patients' names, addresses, Social Security numbers, dates of birth, insurance carriers and billing information, dates of military service, and claims data that may include some medical information.
The VA said this time around it alerted Secretary James Nicholson as well as the department's deputy secretary, certain congressional offices and committees, the VA Office of the Inspector General, the FBI, and the Homeland Security Department's Computer Emergency Response Team. The VA took a lot of heat after the last theft because Nicholson said he didn't find out about the missing laptop until weeks after the crime.
"VA is making progress to reform its information technology and cyber security procedures, but this report of a missing computer at a subcontractor's secure building underscores the complexity of the work ahead as we establish VA as a leader in data and information security," Nicholson said in a statement.
After several hearings lambasting the VA's lack of organization and inadequate security measures, Congress' reaction has been a bit more circumspect so far in reaction to this latest theft. "We clearly appear to have a systems problem with VA data security that needs to be fixed," Sen. Larry Craig (R-Idaho), who chairs the Senate oversight committee on veterans' issues, said in a prepared statement. "Since it was a private contractor involved, I expect VA to hold the contractor financially responsible for any costs that veterans may incur as the result of this loss."
The news isn't all bad for the VA. Over the weekend Montgomery County, Md., police arrested two 19-year-olds for the original laptop and hard drive theft. A third person, a juvenile, also is being held in custody.
Both of the 19-year-olds were charged with first-degree burglary and theft over $500. The Hewlett-Packard HPZV5360 laptop and HP PC170 external hard drive were recovered on June 28 after the U.S. Park Police received information about the computer equipment's whereabouts. Police say the suspects did not know the laptop and hard drive contained sensitive government information until after a reward was posted for their return.