The contractor served the VA's pharmacy program and the laptop contained patient names and Social Security numbers, among other information, on 616 veterans. The response is a "drastic change" from the VA's handling of a huge breach in 2006 that eventually affected about 28.7 million individuals, the spokesperson acknowledges.
The contractor's employee who owned the vehicle immediately notified supervisors and the local police of the theft, according to the VA. The contractor promptly disabled the user account and server access from the laptop, and all files on the servers were secured.
The contractor reported the theft to VA on April 23. The department has not detected any breach of the files and the contractor has now encrypted all company computers.
By May 10, all 616 affected veterans, treated in 30 facilities across the nation, had been mailed notification letters that included an offer for free credit protection services.
The VA notified the Department of Health and Human Services of the data breach on May 15, well inside the 60-day time period mandated under the breach notification rule.
While the VA requires encryption of protected health information, it has come under scrutiny for not ensuring contractors follow department-prescribed security practices.
A review last year of 22,729 VA contracts found 6,440 contracts did not include an information security clause, which governs how data will be protected.
But contractors for 578 of the contracts refused to add the clause without the VA taking action to enforce its I.T. security policies, according to Rep. Steve Buyer (R-Ind.), ranking member of the House Veterans Affairs Committee, in a May letter to VA Secretary Eric Shinseki.
Buyer also noted that more than a third of the VA's contracts with the contractor responsible for the stolen laptop don't have the security clause.
The VA says it has 68 contracts with the contractor in question. Fourteen of those contracts pertained to data involved in the laptop theft.
The VA now is conducting a "focused assessment" of the contractor's facility to determine compliance with all information security, privacy and records management protocols.




















