IG: Take 'Action' Against VA Managers Over Security Breach

The Inspector General's Office at the Department of Veterans Affairs has recommended that the department take "appropriate administrative action" against top managers, as well as an information technology specialist, at a VA medical center. According to a report the IG office recently released, poor information security practices there led to the loss of an external hard drive containing personal information on veterans and medical providers.

In January, an IT specialist (not named in the report) working at the Research Enhancement Award Program at the Birmingham, Ala., VA Medical Center reported an external hard drive lost. Stored on it were Social Security numbers and identifiable health information for as many as 535,000 veterans, along with information from the Centers for Medicare & Medicaid Services, the Department of Health and Human Services, and more than 1.3 million medical providers.

The IG concluded that the IT specialist tried to cover up his actions during the investigation that immediately followed the loss of the hard drive. The IT specialist "encrypted and/or deleted multiple files from his computer shortly after he reported the data missing, making it more difficult to determine what was stored on his desktop computer," according to the IG report. "Initially, he denied deleting and encrypting files to criminal investigators. However, after being confronted with the results of the OIG computer forensic analysis, he stated that he panicked and admitted deleting and encrypting the files in an attempt to hide the extent, magnitude, and impact of the missing data."

The IG also faulted the director and assistant director of the Research Enhancement Award Program for not developing appropriate policies for securing and handling data on external hard drives within the center, and for not making sure the policies that did exist were followed. VA IT rules required that all data on external hard drives be encrypted, but that rule was not followed. External hard drives were also supposed to be locked in a safe, but not all of them were, and one IT specialist took home an unencrypted hard drive containing veterans' personal information.
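An encrypt-or-lock-up rule like the one the IG cites is only worth anything if someone periodically checks that the drives actually comply. As an added illustration (not code from the IG report or from the VA), the following Python script triages a raw disk image or block device for evidence of volume encryption: a LUKS or BitLocker header on the first sector, or failing that, the entropy of chunks sampled across the volume. The chunk size, sample count, the 7.9 bits/byte cut-off and the in-memory sample volumes are assumptions made for this example.

```python
"""Audit a raw disk image or block device for evidence of volume encryption.

Checks, in order:
  1. LUKS header magic ("LUKS" 0xBA 0xBE at offset 0; LUKS1 and LUKS2).
  2. BitLocker NTFS-style boot sector OEM ID ("-FVE-FS-" at offset 3).
  3. Otherwise, Shannon entropy of chunks sampled across the volume:
     encrypted (or compressed) data sits near 8 bits/byte, while plaintext
     filesystems do not.
Thresholds, chunk size and sample count are illustrative assumptions.
"""
import io
import math
import random
import sys
from collections import Counter

LUKS_MAGIC = b"LUKS\xba\xbe"
BITLOCKER_OEM = b"-FVE-FS-"
CHUNK = 64 * 1024              # bytes per entropy sample (assumption)
SAMPLES = 16                   # chunks sampled evenly across the volume (assumption)
ENCRYPTED_MIN_ENTROPY = 7.9    # bits/byte; assumed cut-off for "looks encrypted"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data`; 0.0 for empty or single-valued data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_volume(fh) -> dict:
    """Classify a seekable binary stream (open file or BytesIO).

    Returns {"state": s, "detail": text} where s is one of
    "luks", "bitlocker", "high-entropy", "plaintext" or "empty".
    """
    fh.seek(0, io.SEEK_END)
    size = fh.tell()
    fh.seek(0)
    head = fh.read(512)
    if head.startswith(LUKS_MAGIC):
        version = int.from_bytes(head[6:8], "big")  # big-endian in LUKS1 and LUKS2
        return {"state": "luks", "detail": f"LUKS version {version} header"}
    if head[3:11] == BITLOCKER_OEM:
        return {"state": "bitlocker", "detail": "BitLocker volume header"}

    # No recognised container on the first sector: fall back to entropy.
    entropies = []
    for i in range(SAMPLES):
        fh.seek((size * i) // SAMPLES)
        chunk = fh.read(CHUNK)
        if not chunk or chunk.count(0) == len(chunk):
            continue  # zero-filled regions are unwritten space; they prove nothing
        entropies.append(shannon_entropy(chunk))
    if not entropies:
        return {"state": "empty", "detail": "no non-zero data sampled"}
    entropies.sort()
    median = entropies[len(entropies) // 2]
    if median >= ENCRYPTED_MIN_ENTROPY:
        return {"state": "high-entropy",
                "detail": f"median {median:.2f} bits/byte (encrypted or compressed)"}
    return {"state": "plaintext", "detail": f"median {median:.2f} bits/byte"}


def classify_bytes(blob: bytes) -> str:
    """Convenience wrapper: classify an in-memory image and return its state."""
    return classify_volume(io.BytesIO(blob))["state"]


def sample_volumes() -> dict:
    """Constructed stand-ins for drive images (made up for this example, not real data)."""
    rng = random.Random(1)
    noise = bytes(rng.getrandbits(8) for _ in range(2 * CHUNK))
    record = b"name=J. Doe; ssn=000-00-0000; dx=redacted\n"
    return {
        "luks": LUKS_MAGIC + (2).to_bytes(2, "big") + b"\x00" * 504 + noise,
        "bitlocker": b"\xeb\x58\x90" + BITLOCKER_OEM + b"\x00" * 501 + noise,
        "plaintext": b"\xeb\x58\x90MSWIN4.1" + b"\x00" * 501 + record * 4000,
        "blank": b"\x00" * (2 * CHUNK),
        "unknown-cipher": noise,   # no header, but random-looking contents
    }


if __name__ == "__main__":
    # Usage: python audit_volume.py /dev/sdb  (or a raw image file)
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            result = classify_volume(fh)
        print(f"{path}: {result['state']} ({result['detail']})")
    if len(sys.argv) == 1:
        for name, blob in sample_volumes().items():
            print(f"{name}: {classify_bytes(blob)}")
```

Two caveats apply to a check like this. A LUKS or BitLocker header proves only that a container exists, not that its key is managed sensibly (a passphrase on a sticky note in the same bag defeats the control). In the other direction, "high-entropy" is a triage result, not proof: compressed archives and media files score almost as high as ciphertext, so a drive flagged this way still needs a human to confirm what is on it.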

The IG did not specify what the "appropriate administrative action" should be. The VA's undersecretary of health will decide what action the department will take.

The Birmingham VA medical center is hardly unique in leaving hard drives and other removable storage devices unencrypted. Only 33 percent of organizations worldwide, public and private sector combined, encrypt stored data, according to CIO Magazine, and among government organizations worldwide the figure is only 30 percent.

Hat tip: ComputerWorld