The Department of Veterans Affairs moved quickly to notify affected patients and federal officials following the theft of an unencrypted laptop from a contractor's personal vehicle on April 22, according to a departmental spokesperson.

The contractor served the VA's pharmacy program and the laptop contained patient names and Social Security numbers, among other information, on 616 veterans. The response is a "drastic change" from the VA's handling of a huge breach in 2006 that eventually affected about 28.7 million individuals, the spokesperson acknowledges.

The contractor's employee who owned the vehicle immediately notified supervisors and the local police of the theft, according to VA. The contractor immediately disabled the user account and server access from the laptop, and all files on the servers were secured. The contractor reported the theft to VA on April 23. The department has not detected any breach of the files, and the contractor has now encrypted all company computers.

By May 10, all 616 affected veterans, served in 30 facilities across the nation, had been mailed notification letters that included an offer for free credit protection services. VA notified the Department of Health and Human Services of the data breach on May 15, well inside the 60-day time period mandated under the breach notification rule.

While the VA requires encryption of protected health information, it has come under scrutiny for not ensuring contractors follow department-prescribed security practices.

A review last year of 22,729 VA contracts found 6,440 contracts did not include an information security clause, and contractors for 578 of the contracts refused to add the clause "without any apparent VA action to enforce its I.T. security policies," according to Rep. Steve Buyer (R-Ind.), ranking member of the House Veterans Affairs Committee, in a May letter to VA Secretary Eric Shinseki. Buyer also noted that more than a third of the contracts VA has with the contractor responsible for the stolen laptop don't have the security clause.

The VA notes that the contractor has 68 contracts with the department, 14 of which affected VA facilities involved in the laptop theft. Of these 14 contracts, 12 have a security clause and two include a business associate agreement. The VA now is conducting a "focused assessment" of the contractor's facility to determine compliance with all information security, privacy and records management protocols.

--Joseph Goedert

