VA Continues Its Annual Tradition Of Losing Laptop With Unencrypted Sensitive Data

from the the-ministry-of-data-leaks dept

Thu, May 13th 2010 6:33pm — Mike Masnick

When we last checked in with the Veterans Administration (VA) it was to suggest that it rename itself the "Ministry of Data Leaks." That's because every year or so they admit that they've lost a computer that happens to contain unencrypted personal data on VA members. And, each report seems to get worse than the previous one. So you would think that, by now, the VA would have at least put in place some system to encrypt and protect the data it stores. That would be wishful thinking. It's now come out that the VA has had two major data breaches in just the last month -- both involving laptops that had unencrypted data.

Of course, this comes after those earlier breaches cost taxpayers tens of millions of dollars in notifications and in response to a class action lawsuit, leading Congress to require the VA to encrypt its data. Apparently, the VA didn't bother to actually follow through on that requirement. Congress is now investigating again, with the following statement from Rep. Steve Buyer in kicking off the investigation:

"I attribute the continued lack of security to poor memory among VA's senior management, and its failure to realize the magnitude of the problem that could have been prevented," Buyer writes. "This is an inexcusable abrogation of responsibility that would not be tolerated in any private company. Veterans and American taxpayers expect a higher standard from the VA...."

Not that I expect a Congressional investigation to be very effective, but at some point you have to wonder what folks at the VA are thinking.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: data leak, encryption
Companies: va, veterans administration

14 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

ChurchHatesTucker (profile), 13 May 2010 @ 6:49pm

Oh please
It's the VA. It's not that they can use a computer well, it's that they can use it at all...
[ link to this | view in chronology ]
Anonymous Coward, 13 May 2010 @ 7:29pm

lack of competent people and enforcing physical security and adherence to Information Assurance protocols
[ link to this | view in chronology ]
Joe Harkins, 13 May 2010 @ 7:33pm

ignorant remarks are . . . ignorant
ChurchHatesTucker has not clue and therefore discounts his comment. The potential for harm in the data release is magnified by one simple fact. The VA has the widely acknowledged and most complete dossier on every person it handles. The medical records system is the envy of the medical world. Speaking as one who has been a 16-year patient of theirs for heavy duty issues (cured prostate cancer, cured skin cancer, etc.)

I know first hand that I can walk into any VA hospital at any hou5 of the night or any day of the year (like I once did Thanksgiving Day at 4am 400 miles from home) and the person treating me has a total, in-depth, chronological, searchable history of every thing about me on screen. They have every allergy, every medication past and current, every procedure, every blood pressure reading, every blood test, everything everything, everything.

I assure you that few physicians anywehere else have that info unless they are using one of the few commercial systems based on that of the VA.

So this not not merely (!) about SS numbers or unlisted phone numbers. The real problem, contrary to the uniformed comment is that the VA knows very well how to use a computer.
[ link to this | view in chronology ]
- ChurchHatesTucker (profile), 14 May 2010 @ 10:22am
  
  Re: ignorant remarks are . . . ignorant
  "ChurchHatesTucker has not clue and therefore discounts his comment."
  
  Um. OK.
  
  "The real problem, contrary to the uniformed comment is that the VA knows very well how to use a computer."
  
  As I said, it's not that they can use a computer *well*, it's that they can use it at all.
  [ link to this | view in chronology ]
Anonymous Coward, 13 May 2010 @ 7:44pm

Veterans and American taxpayers expect a higher standard from the VA...."

American taxpayers might expect more, but Veterans? Oh hell no. The VA is known for incompetence in most areas. The average wait time on disability is two years and they're liable to lose your medical records at least once.
[ link to this | view in chronology ]
- Dementia (profile), 14 May 2010 @ 4:38am
  
  Re:
  Mine took 8 months and no lost records. All the dealings I've had with the VA medical have gone very well. The education benefit side of the house on the other hand.....
  [ link to this | view in chronology ]
Anonymous Coward, 13 May 2010 @ 9:01pm

Data is hard to protect. Ask Google, it can't even protect its crown jewel.
[ link to this | view in chronology ]
rwahrens (profile), 14 May 2010 @ 5:06am

not hard
I work for the FDA.

EVERY laptop we buy goes through a central receiving facility, where it has a standard image put on it - that includes whole disk encryption.

If one of these laptops gets lost, its a boat anchor without that password.

Also, we use, extensively, a secure remote access system through which all employes can access data - securely and without storing anything on the local hard drive.

It really isn't hard. Expensive? Yes, but no more expensive than responding to a lawsuit, and the money is spent in a more productive manner!
[ link to this | view in chronology ]
- abc gum, 14 May 2010 @ 5:13am
  
  Re: not hard
  "If one of these laptops gets lost, its a boat anchor without that password."
  
  Typical disk encryption is not uncrackable
  
  "Expensive? Yes"
  
  Doesn't have to be
  [ link to this | view in chronology ]
JD, 14 May 2010 @ 5:30am

The VA has Guardianedge. Maybe it is too hard to for them to deploy?
[ link to this | view in chronology ]
Spaceman Spiff (profile), 14 May 2010 @ 6:59am

No incentive to change
As long as there are no severe repercussions for the management of the VA (such as losing their jobs, or jail time), then there is no incentive for them to change their behavior. Since the VA is an agency of the US federal government, it is up to Congress to put some teeth into the regulations that govern the VA and other agencies that are under their purview, and we know just how likely that is...
[ link to this | view in chronology ]
Anonymous Coward, 14 May 2010 @ 7:40am

VA Data Protection
I do research at the VA, and I can attest to the fact that, over the last 6 months, they have been pushing HARD for people to follow new IT security guidelines. All laptops, thumb drives, and external hard drives are supposed to be encrypted. Any personal laptops, thumb drives, or external hard drives are not allowed on the premises and are supposed to be confiscated if found. I think the problem isn't that upper management isn't making an effort, but that, for a national agency this large, there is a fair amount of momentum in changing the behaviors of employees. Its a shame that this happened again, and I expect they'll make some token effort to lock things down even more, but the reality is that, with a little bit of time, I bet their policies will make a difference.
[ link to this | view in chronology ]
NetSurfer (profile), 14 May 2010 @ 7:58am

DVA not VA
FWIW the old Veterans Administration became the current Department of Veterans Affairs (by being made a cabinet level agency) many years ago, so the more accurate reference is "Veterans Affairs" and not "the Veterans Administration". Also VA does not have "members" but rather VA serves veterans and their dependents. It isn't a club you join but rather a benefit you gain from having served honorably in the military or by being related to someone who has thusly served.
[ link to this | view in chronology ]
Sean T Henry (profile), 14 May 2010 @ 8:05am

HAHAHAHA
"I attribute the continued lack of security to poor memory among VA's senior management"

So they are saying the reason for this is that the VA had a SENIOR moment. HAHA
[ link to this | view in chronology ]