Matthew Burns, spokesman for the department, said the contractor, Unisys, told the VA that the computer was missing from its Reston, Va., offices on Thursday, Aug. 3.
VA officials receiving the report immediately relayed it to the Secretary of Veterans Affairs, R. James Nicholson, as well as to the agency's Inspector General, congressional leaders, the FBI and to the Department of Homeland Security's Computer Emergency Response Team.
"VA's Inspector General, the FBI and local law enforcement are conducting a thorough investigation of this matter," Nicholson said, in a prepared statement.
According to Burns, a security team was dispatched to the Unisys location as soon as the agency found out about the missing computer.
Burns said that the information on the missing computer included veterans' names, addresses, Social Security numbers and birth dates, as well as insurance carriers, billing information and details of military service.
He said the information came from about 5,000 patients at a Philadelphia VA Medical Center, about 11,000 from Pittsburgh, Pa., and about 2,000 deceased patients.
In addition, the VA said it believes that about 20,000 more who received care at the Pittsburgh Medical Center may be included.
"VA is making progress to reform its information technology and cyber-security procedures, but this report of a missing computer at a subcontractor's secure building underscores the complexity of the work ahead as we establish VA as a leader in data and information security," Nicholson said in his prepared statement.
Burns said Unisys is cooperating fully with the VA in conducting the investigation. "Unisys will be working with VA regarding the notification of potentially affected veterans and the offering of credit monitoring. The company will continue to work with the VA and law enforcement to address this incident," said Unisys spokesperson Lisa Meyer in a prepared statement.
Ted Davies, managing partner, Civilian Agencies, for Unisys Federal Systems in Reston, Va., said that he hopes the situation is solved quickly.
"The sphere of where it might be is very small," Davies told eWEEK.
He said that Unisys, along with the VA, the FBI and Homeland Security, is sifting through evidence to find the missing computer.
"I can't give out details, but it was a desktop computer," Davies said.
He said that the contract requirements mandated that the computer have a password for the computer itself, and a separate password for the database that contained the missing names. Davies also noted that Unisys met all applicable HIPAA requirements.
"The building is a fairly secure facility," Davies said.
"We're using all available data about the time and from where it disappeared. There was a lot of good information we could gather," he added.
"We have a lot of physical evidence. We're focusing some interviews around that, and we're doing that in conjunction with the VA and other authorities," Davies said.
Davies noted that he hopes events move quickly.
While he noted that he can't speculate when the case would be solved, he said he hopes it's soon.
"We have devoted all sorts of corporate resources to this. This is a high priority for our organization," he said.
Security consultant David Taylor says Unisys is doing the right thing.
"Here's a case where a well-respected organization with proper security got hit," he said.
"Imagine what it's like for organizations that don't have security in place. If Unisys wasn't so diligent, it wouldn't have been reported," he said.
Taylor said such responsible reporting is a rarity.
"Subcontractors are often not inspected or reviewed," he said. "The larger ones have very little oversight."
He said that about 90 percent of contractors he's worked with don't have the inspections they're supposed to have.
Davies, meanwhile, said that he hopes to be able to report new developments quickly. "Stay tuned," he said.
Editor's Note: This story was updated to include additional comments from Unisys and security consultant David Taylor.