Rep. Buyer: Why Isn't VA Data Encrypted?
Rep. Steve Buyer (R-Ind.), ranking member of the U.S. House Committee on Veterans Affairs, has sent a letter to VA Secretary Eric Shinseki expressing his "deepest" concern over the recent theft of an unencrypted laptop from a VA contractor, and the department's information security procedures.
Information Week first reported on the laptop theft. It was stolen from a personal vehicle on April 22 and contained sensitive information, including Social Security numbers, on more than 600 veterans receiving pharmacy services.
The VA notified the House VA committee on April 28. It also has notified affected veterans and offered credit protection services. A VA spokesperson did not immediately return a telephone call from Health Data Management asking for additional information such as whether the department has yet notified the Department of Health and Human Services' Office for Civil Rights of the breach.
The unidentified contractor in question has since encrypted its computers. But Rep. Buyer in his May 12 letter to Shinseki, says the contractor has 69 separately negotiated contracts with the VA and a review shows that 25 contracts did not include an information security clause.
That follows a comprehensive review last year of 22,729 VA contracts that found 6,440 contracts did not have the clause and 578 these contractors subsequently refused to add it, "without any apparent VA action to enforce its I.T. security policies," according to Buyer.
In his letter, Buyer notes the VA took several correction measures following the May 2006 of an unencrypted laptop containing protected information on 28.7 million individuals, but isn't following up on the measures. "It is apparent to me that the details of these breaches clearly indicate the VA lacks focus on its primary responsibility of protecting veterans' personal information. It also shows that senior managers have neglected their responsibilities, that there is no clear definition of responsibilities, nor a delineation of responsibilities. In short, there is a preponderance of evidence of a severely dysfunctional and broken procurement process in the Veterans Health Administration."
Buyer, in his letter, further reminds Shinseki that VA staff has not yet responded to his request last December to discuss pending procurement reform legislation. "With all these measures to protect our nation's veterans' information, it begs the question of why unencrypted devices are still accessing the VA's networks and storing information locally. We would like to express our deepest concern about the continued use of unencrypted devices within VA, despite the ongoing efforts to stop such use. Please advise the Committee within the next 30 days of your plan to decrease and eventually eliminate the use of unencrypted devices within the VA, particularly in the health care business line."
To read Buyer's entire letter, click here.