VA Continues Its Annual Tradition Of Losing Laptop With Unencrypted Sensitive Data

from the the-ministry-of-data-leaks dept

When we last checked in with the Veterans Administration (VA) it was to suggest that it rename itself the "Ministry of Data Leaks." That's because every year or so they admit that they've lost a computer that happens to contain unencrypted personal data on VA members. And, each report seems to get worse than the previous one. So you would think that, by now, the VA would have at least put in place some system to encrypt and protect the data it stores. That would be wishful thinking. It's now come out that the VA has had two major data breaches in just the last month -- both involving laptops that had unencrypted data.

Of course, this comes after those earlier breaches cost taxpayers tens of millions of dollars in notifications and in response to a class action lawsuit, leading Congress to require the VA to encrypt its data. Apparently, the VA didn't bother to actually follow through on that requirement. Congress is now investigating again, with the following statement from Rep. Steve Buyer in kicking off the investigation:

"I attribute the continued lack of security to poor memory among VA's senior management, and its failure to realize the magnitude of the problem that could have been prevented," Buyer writes. "This is an inexcusable abrogation of responsibility that would not be tolerated in any private company. Veterans and American taxpayers expect a higher standard from the VA...."

Not that I expect a Congressional investigation to be very effective, but at some point you have to wonder what folks at the VA are thinking.

Filed Under: data leak, encryption
Companies: va, veterans administration


Reader Comments


  • ChurchHatesTucker, 13 May 2010 @ 6:49pm

    Oh please

    It's the VA. It's not that they can use a computer well, it's that they can use it at all...

  • Anonymous Coward, 13 May 2010 @ 7:29pm

    lack of competent people and enforcing physical security and adherence to Information Assurance protocols

  • Joe Harkins, 13 May 2010 @ 7:33pm

    ignorant remarks are . . . ignorant

    ChurchHatesTucker has not clue and therefore discounts his comment. The potential for harm in the data release is magnified by one simple fact. The VA has the widely acknowledged and most complete dossier on every person it handles. The medical records system is the envy of the medical world. Speaking as one who has been a 16-year patient of theirs for heavy duty issues (cured prostate cancer, cured skin cancer, etc.)

    I know first hand that I can walk into any VA hospital at any hour of the night or any day of the year (like I once did Thanksgiving Day at 4am 400 miles from home) and the person treating me has a total, in-depth, chronological, searchable history of every thing about me on screen. They have every allergy, every medication past and current, every procedure, every blood pressure reading, every blood test, everything everything, everything.

    I assure you that few physicians anywhere else have that info unless they are using one of the few commercial systems based on that of the VA.

    So this is not merely (!) about SS numbers or unlisted phone numbers. The real problem, contrary to the uniformed comment is that the VA knows very well how to use a computer.

    • ChurchHatesTucker, 14 May 2010 @ 10:22am

      Re: ignorant remarks are . . . ignorant

      "ChurchHatesTucker has not clue and therefore discounts his comment."

      Um. OK.

      "The real problem, contrary to the uniformed comment is that the VA knows very well how to use a computer."

      As I said, it's not that they can use a computer *well*, it's that they can use it at all.

  • Anonymous Coward, 13 May 2010 @ 7:44pm

    "Veterans and American taxpayers expect a higher standard from the VA...."

    American taxpayers might expect more, but Veterans? Oh hell no. The VA is known for incompetence in most areas. The average wait time on disability is two years and they're liable to lose your medical records at least once.

    • Dementia, 14 May 2010 @ 4:38am

      Re:

      Mine took 8 months and no lost records. All the dealings I've had with the VA medical have gone very well. The education benefit side of the house on the other hand.....

  • Anonymous Coward, 13 May 2010 @ 9:01pm

    Data is hard to protect. Ask Google, it can't even protect its crown jewel.

  • rwahrens, 14 May 2010 @ 5:06am

    not hard

    I work for the FDA.

    EVERY laptop we buy goes through a central receiving facility, where it has a standard image put on it - that includes whole disk encryption.

    If one of these laptops gets lost, it's a boat anchor without that password.

    Also, we use, extensively, a secure remote access system through which all employees can access data - securely and without storing anything on the local hard drive.

    It really isn't hard. Expensive? Yes, but no more expensive than responding to a lawsuit, and the money is spent in a more productive manner!

    • abc gum, 14 May 2010 @ 5:13am

      Re: not hard

      "If one of these laptops gets lost, it's a boat anchor without that password."

      Typical disk encryption is not uncrackable

      "Expensive? Yes"

      Doesn't have to be

  • JD, 14 May 2010 @ 5:30am

    The VA has Guardianedge. Maybe it is too hard for them to deploy?

  • Spaceman Spiff, 14 May 2010 @ 6:59am

    No incentive to change

    As long as there are no severe repercussions for the management of the VA (such as losing their jobs, or jail time), then there is no incentive for them to change their behavior. Since the VA is an agency of the US federal government, it is up to Congress to put some teeth into the regulations that govern the VA and other agencies that are under their purview, and we know just how likely that is...

  • Anonymous Coward, 14 May 2010 @ 7:40am

    VA Data Protection

    I do research at the VA, and I can attest to the fact that, over the last 6 months, they have been pushing HARD for people to follow new IT security guidelines. All laptops, thumb drives, and external hard drives are supposed to be encrypted. Any personal laptops, thumb drives, or external hard drives are not allowed on the premises and are supposed to be confiscated if found. I think the problem isn't that upper management isn't making an effort, but that, for a national agency this large, there is a fair amount of momentum in changing the behaviors of employees. It's a shame that this happened again, and I expect they'll make some token effort to lock things down even more, but the reality is that, with a little bit of time, I bet their policies will make a difference.

  • NetSurfer, 14 May 2010 @ 7:58am

    DVA not VA

    FWIW the old Veterans Administration became the current Department of Veterans Affairs (by being made a cabinet level agency) many years ago, so the more accurate reference is "Veterans Affairs" and not "the Veterans Administration". Also VA does not have "members" but rather VA serves veterans and their dependents. It isn't a club you join but rather a benefit you gain from having served honorably in the military or by being related to someone who has thusly served.

  • Sean T Henry, 14 May 2010 @ 8:05am

    HAHAHAHA

    "I attribute the continued lack of security to poor memory among VA's senior management"

    So they are saying the reason for this is that the VA had a SENIOR moment. HAHA
