Latest breach at VA has Congress asking more questions

Agency officials blame a "software defect," but oversight committee demands more specifics.


The latest data breach at the Department of Veterans Affairs -- this one exposing thousands of veterans' personally identifiable information in a mid-January software glitch -- has Congress again questioning the agency about its IT security practices.

The Jan. 15 breach occurred when a bungled software update to VA's eBenefits system exposed at least 5,300 veterans' medical and financial information to the public, prompting House Veterans Affairs Committee Chairman Jeff Miller (R-Fla.) to seek answers from VA Secretary Eric Shinseki on Jan. 24.

Miller's letter requests detailed answers to 18 questions regarding the breach by Jan. 31. VA officials have attributed the mishap to a "software defect."

Miller's questions include how VA "identified and addressed the eBenefits 'software defect,'" whether anyone was penalized for failing to safeguard veterans' personally identifiable information and how VA expects to prevent similar "software defects" from occurring in the future.

"Unfortunately, these types of breaches continue to occur on a regular basis at the VA despite VA's multiple assurances that its systems are secure," Miller stated. "The agency's information systems, including the eBenefits portal, continue to be afflicted by persistent information security weaknesses. Recognizing the importance of securing veterans' personal information, and minimizing the risk of serious consequences such as identity theft or other fraudulent activity, the Committee expects VA to take all steps necessary to strengthen security and privacy of the eBenefits portal."

Miller's letter is the tenth formal request for information from the Veterans Affairs Committee or one of its subcommittees since Oct. 22 regarding VA IT security procedures. VA's only response thus far was a preliminary answer to the committee's Oct. 22 letter, but the response from CIO Stephen Warren did not "sufficiently answer" all the questions posed in that inquiry, according to a Capitol Hill source.

Since June 2012, VA has 111 outstanding requests for information from Congress, including the eight made in October and November following revelations of multiple data breaches compromising VA networks since 2010.

Those inquiries were due in early November and are more than two months overdue, despite the VA Office of Information Technology allocating significant resources to responding to them. While VA's status regarding IT security is not clear, what is clear at the moment is that members of Congress are growing increasingly frustrated with VA's delays. Miller has already taken to writing weekly letters to Shinseki calling for information -- an unprecedented step for the committee.

"The leisurely pace with which VA is returning requests -- and in some cases not returning them -- is a major impediment to the basic oversight responsibilities of the committee," a Capitol Hill official with knowledge of the inquiries told FCW on Jan. 14.

VA did not respond to FCW's requests for comment.