A Veterans Affairs Department claims examiner used a personal unencrypted thumb drive to store records on veterans that included Social Security numbers and then lost the drive. In another instance, a VA employee printed out records containing personal information on veterans and took them home. The two incidents, described by VA Chief Information Officer Roger Baker Wednesday in a monthly briefing on data breaches reported to Congress, indicate department employees still do not follow policies and procedures to safeguard information.
Baker said an employee at the regional Veterans Benefits Administration claims office in Nashville, Tenn., plugged an unencrypted thumb drive into his VA computer to store information as he worked. The data included files on 186 veterans and contained a range of sensitive personal information, including names, medical and financial records, dates of birth, addresses and Social Security numbers. VA policies prohibit the use of personal and unencrypted thumb drives on its computers.
A security guard found the drive somewhere in the office, took it home and asked his wife -- who held a Top Secret security clearance from her job -- to look at the drive. She recognized it contained sensitive information and told her husband to return it the next day.
Additionally, a VA health care employee in Honolulu printed out a list of 180 veterans, including their Social Security numbers, and took it home to have his wife help him develop a Word document from the list. Baker described this as a "stupid employee trick" that violated common sense as well as VA privacy and security policies.
Veterans Affairs discovered this breach when the employee tried to e-mail the completed Word document to his department e-mail account, which rejected it because the document contained Social Security numbers.
VA trains its 300,000-plus employees repeatedly to not engage in the type of actions that led to these breaches. Baker said the good news is last month most employees followed the rules.