A VA contractor has discovered that a computer containing information on as many as 38,000 veterans is missing, officials at the Department of Veterans Affairs announced on Aug. 7. In addition, law enforcement officials announced that two men suspected of stealing a VA laptop had been formally charged on Aug. 5 with those thefts.
The contractor, Unisys, will provide credit monitoring services to all veterans who were potentially affected by the data breach, according to Ted Davies, managing partner of Civilian Agencies for Unisys Federal Systems, in Reston, Va. He said that while Unisys had not signed a contract, the company was "on the verge" of doing so. He also said that the VA will inform all potentially affected veterans of this service.
Matthew Burns, spokesperson for the department, in Washington, said Unisys told the VA on Aug. 3 that the computer was missing from its Reston offices.
VA officials receiving the report immediately relayed it to the secretary of Veterans Affairs, R. James Nicholson, as well as to the agencys inspector general, congressional leaders, the FBI and the Department of Homeland Securitys Computer Emergency Response Team.
"VAs inspector general, the FBI and local law enforcement are conducting a thorough investigation of this matter," Nicholson said in a prepared statement.
Burns said that the information on the missing computer included veterans names, addresses, Social Security numbers and birth dates, as well as insurance carriers, billing information and details of military service.
Meanwhile, a pair of Maryland men have been charged with taking the laptop that contained the personal information of 26.5 million veterans and active duty military personnel, authorities said. The men, Jesus Alex Pineda and Christian Brian Montano, are both 19 and are both of Rockville, Md..
The men have been charged with stealing the laptop from the Aspen Hill, Md., home of Department of Veterans Affairs analyst Wayne Johnson on May 3. The charges against them include first-degree burglary and theft of more than $500. Montano was also charged with conspiracy. Police said that they will also charge a minor in the case but did not release his name because of his age. That person is already incarcerated. A trial date has not been set.
It did not appear that the men were after the information stored on the computer and external hard drive, the Montgomery County Police Department said in a statement.
In describing the Unisys data loss, Burns said the information came from about 5,000 patients at the Philadelphia VA Medical Center, from about 11,000 patients in Pittsburgh and from about 2,000 deceased patients. In addition, the VA said it believes that about 20,000 more who received care at the Pittsburgh Medical Center could be included.
"VA is making progress to reform its information technology and cyber-security procedures, but this report of a missing computer at a subcontractors secure building underscores the complexity of the work ahead as we establish VA as a leader in data and information security," Nicholson said in his statement.
"Unisys will be working with VA regarding the notification of potentially affected veterans and the offering of credit monitoring, said Unisys spokesperson Lisa Meyer in a prepared statement.
Davies said he hopes the situation is resolved quickly. "The sphere of where it might be is very small," Davies told eWeek.
He said that Unisys, along with the VA, the FBI and Homeland Security, are sifting through evidence to find the missing computer.
Davies said that the contract requirements mandated that the computer have a password for the computer itself and a separate password for the database that contained the missing names. Davies also noted that Unisys met all applicable HIPAA (Health Insurance Portability and Accountability Act) requirements. "The building is a fairly secure facility," Davies said.
"Were using all available data about the time and from where it disappeared. There was a lot of good information we could gather," Davies said. While he noted that he cant speculate when the case might be solved, he said he hopes its soon. "This is a high priority for our organization," he said.
Security consultant David Taylor, of Stamford, Conn., said Unisys is doing the right thing. "Heres a case where a well-respected organization with proper security got hit," he said. "Imagine what its like for organizations that dont have security in place. If Unisys wasnt so diligent, it wouldnt have been reported."
Data (in)security at the VA
While the Department of Veterans Affairs hasnt had a monopoly on recent data breaches, its certainly been the subject of an uncomfortable percentage of headlines. Heres a timeline that charts the agencys data security woes:
March 16, 2006
VA receives failing grade on 2005 FISMA data security report card
May 3, 2006
VA laptop containing information on 26.5 million veterans is stolen from the home of VA analyst Wayne Johnson in Aspen Hill, Md.
June 22, 2006
VA admits to theft of laptop containing information on 26.5 million veterans
July 28, 2006
Missing VA laptop is recovered
Aug. 5, 2006
Alleged laptop thieves are charged
Aug. 8, 2006
VA contractor loses computer with as many as 38,000 veterans records