Veterans Administration Now Known As Ministry For Data Leaks

from the leak-rinse-repeat dept

Tue, Feb 6th 2007 11:43am — Carlo Longino

In the middle of last year, a laptop and hard drive containing personal information on 26.5 million US veterans were stolen from an employee's home. While the equipment was recovered, and the government claimed the data had not been accessed, the theft highlighted the lax security procedures of the VA -- and another theft a few months later reinforced it. Now, try not to be surprised, but it's happened again, as portable hard drive containing personal information on 48,000 vets has gone missing from an Alabama facility. Despite the VA saying it was beefing up data security after the first theft by taking measures including putting encryption software on all its laptops and desktop PCs, apparently as many as 20,000 records on this latest hard drive weren't encrypted. While encryption is by no means a cure-all, it's pretty ridiculous that even after the previous high-profile events, the VA still can't be bothered to even take this first step with all its data. There's a total lack of accountability and responsibility here: while there's been talk of mandating stiffer penalties for individuals who are negligent with personal data, that's nothing more than smoke and mirrors. It hides the real problem, which is an environment that, from the top down, accepts and excuses this sort of behavior. Until that changes, expect more data leaks.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

9 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

dorpus, 6 Feb 2007 @ 12:08pm

Hey, that's across the street
from where I take classes. I drive by the VA every day.

What would anyone do with data theft in Alabama, though? I enjoy the local low-security culture. It's not like California, where security guard bullies are always threatening to arrest anyone who so much as walks into a store through the wrong entrance.
[ link to this | view in chronology ]
- Bill Hoffer, 6 Feb 2007 @ 1:23pm
  
  Re: Hey, that's across the street
  "security guard bullies"? Like the ones at Disney Land and who drive around shopping malls and school grounds in golf carts? You are afraid of these people? The phrase, "threatening to arrest" is funny - it sounds similar to something a school girl might say to another school kid who is making faces at her.
  [ link to this | view in chronology ]
  - dorpus, 6 Feb 2007 @ 10:31pm
    
    Re: Re: Hey, that's across the street
    "security guard bullies"? Like the ones at Disney Land and who drive around shopping malls and school grounds in golf carts? You are afraid of these people? The phrase, "threatening to arrest" is funny - it sounds similar to something a school girl might say to another school kid who is making faces at her.
    
    They are allowed to arrest people, they carry handcuffs and pepper spray, sometimes even guns. They are usually incompetent Mexican-Americans on a power trip. I haven't been arrested, but I've seen them do it to others for trivial offenses like standing in the wrong place.
    [ link to this | view in chronology ]
Neonghost, 6 Feb 2007 @ 12:39pm

HIPPA
The VA handles health care related issues and that means HIPPA. I work in IT for a University hospital and deal with HIPPA related issue very often. A first offence, even accidental, of exposing protected health information can be a year in jial and a 10g fine. And that if I accidently put a patients room number in a clear text field.

However outside of IT I have found no one takes HIPPA seriously. Just goes to show you that if you don't understand a thing you don't respect it.
[ link to this | view in chronology ]
SPR, 6 Feb 2007 @ 1:26pm

Electronic Security
When the government that imposses laws like HIPAA on us then exempts governmental agencies from it's requirements, how can you expect them to take anything of yours (data or otherwise) seriously?
[ link to this | view in chronology ]
Anonymous Coward, 6 Feb 2007 @ 3:08pm

It hides the real problem, which is an environment that, from the top down, accepts and excuses this sort of behavior.
The VA is part of the executive branch of the US government and the president is at the "top" of the executive branch.
[ link to this | view in chronology ]
Petty Officer White, 6 Feb 2007 @ 4:25pm

Shame
Damn shame. Get the right people in place to do the job and get it done. Again and again, damned shame. Horrible way to house, store, and administer information of Veterans.

Who cares about veterans with short-order lovers, car chases, knuckheads who eat their children, politicians posing for dingle-boy magazine, runners to corner blocks for daily shooters of ills we lover, and the veteran begs for a dollar while offering directions to Macy's on G street....

Can I get a war, so Vets can find some love!!!
[ link to this | view in chronology ]
- Dave, 7 Feb 2007 @ 10:52pm
  
  Re: Shame
  I agree with you, Chief, I am a disabled vet but would gladly do any job the military would put me in if only they would use me for something. Give me a war, too.
  [ link to this | view in chronology ]
Ray Trygstad, 6 Feb 2007 @ 8:12pm

It's a Policy Issue!
This is not a failure of technology: it's a failure of policy, which is the core management tool for information security. There has to be a policy governing data on portable devices, the policy has to be enforced, and there has to be consequences for failure to comply. The policy might prescribe a technological control (i.e. encryption), but there has to be policy. This certainly does not seem to be the case in the Department of Veteran's Affairs.

BTW the government is NOT exempt from HIPAA; on top of that, as a Federal agency, the DVA is also subject to FISMA, the Federal Information Security Management Act, which is much tougher than any IT security standards legislatively required of any commercial entities.
[ link to this | view in chronology ]