In the wake of two data breaches of veterans’ health information, Rep. Steven Buyer, R-Ind., ranking Republican on the U.S. House Committee on Veterans’ Affairs, sent a stinging letter to Erik K.Shinseki, Secretary of the VA, criticizing the agency’s “continuing material weakness in veterans’ personal information from data breaches.”
“The Department of Veterans Affairs has informed the Committee on two data breach incidents in Texas in the last two weeks,” Buyer wrote in the letter dated May 12.
In one recent breach, a laptop belonging to a contractor working for the VA Department was stolen earlier this year and the personal data on hundreds of veterans stored on the computer was not encrypted, a violation of a VA IT policy, Buyer wrote.
According to the agency, there was no evidence that the data had been misused and that the stolen laptop would not be able to access VA records at this point.
The VA reported the theft of the laptop from an unidentified contractor to the committee on April 28 and informed its members that the computer contained personally identifiable information on 644 veterans, including data from some VA medical centers' records, according to the letter.
“Congress passed the Veterans Identity and Security Act of 2006, and it was hoped that [that] law would provide the VA with the tools with which to combat security flaws within the VA’s IT infrastructure,” Buyer wrote.
The law mandated annual security awareness training. Also during 2006 the VA issued VA Directive 6500, which details the steps by which the Department would provide compliance with system security measures, he noted. Additional measures followed in the fall of 2007 and later, but “even with those measures in place, on April 28, the Committee was notified of a stolen unencrypted laptop which had access to VA medical center data."
"The details of these breaches clearly indicate the VA lacks focus on its primary responsibility of protecting veterans’ personal information. It also shows that senior managers neglected their responsibilities, that there is no clear definition of responsibilities, nor a delineation of responsibilities.
“In short, there is a preponderance of evidence of a severely dysfunctional and broken procurement process in the Veterans Health Administration,” the letter said.
The HITECH Act, passed as part of the 2009 American Recovery and Reinvestment Act, requires individuals to be notified when their medical data is compromised. But VA has yet to inform the veterans whose data was stored on the stolen laptop, Buyer said.
In August 2009, the Health and Human Services Department published an interim data breach rule that requires healthcare organizations, including the Veterans Health Administration, to promptly notify individuals and the media of any data breach of 500 or more records.
In his letter, Buyer also asked Shinseki for a plan within 30 days to decrease and eventually eliminate the number of unencrypted devices that contractors use.
The House VA committee has scheduled a hearing for May 19 to discuss the department's information security.