GovernmentExecutive.com

The Veterans Affairs Department announced Tuesday that it has initiated the process of firing the data analyst who took home sensitive personal information on 26.5 million veterans, putting them at risk for identify theft when those records were stolen four weeks ago.

VA Secretary James Nicholson has said the unnamed data analyst violated department policy by taking home unencrypted records containing the names, Social Security numbers and dates of birth for veterans discharged since 1975 and those receiving VA disability compensation. According to VA officials, the career employee, who had worked at the agency for more than 30 years, had been taking sensitive data home since 2003.

In addition, the department is replacing the leadership of the division in which the data analyst worked.

Dennis Duffy, acting assistant secretary for policy and planning, was put on administrative leave and temporarily replaced by Paul Hutter, assistant general counsel for management and operations. Hutter will lead the VA's Policy and Planning Office while the Senate considers the recent nomination of Patrick W. Dunne for the assistant secretary job.

"In light of recent, unacceptable events within VA's Office of Policy and Planning, I have asked Paul Hutter to temporarily lead this section of our organization," Nicholson said. "Paul's experience, professionalism and leadership skills will be invaluable during this important transition period."

Also contributing to the shake-up, Michael H. McLendon, deputy assistant secretary for policy, resigned effective Friday, as a result of the data breach.

The theft of the data occurred May 3 when the home of the analyst was burglarized in what law enforcement authorities believe was a routine break-in. The employee was placed on administrative leave soon after agency officials were informed of the break-in.

According to an internal agency document dated May 5 and obtained by Government Executive from the House Veterans' Affairs Committee, telephone numbers and addresses were included for some of the veterans and a smaller database identified the names, dates of birth, service numbers and Social Security numbers of 6,744 veterans who had been exposed to chemical or biological agents.

The documents revealed that in addition to the employee's personal laptop computer and a USB hard drive, a flash memory stick and various CDs were among items taken from the home.

The memo stated that the critical data on the external hard drive would be difficult to access because it was stored in a specialized format that requires a certain software application and training to make it usable. The memo does not say that the data was encrypted.

According to VA officials, there have been no reports that the stolen data has been used for fraudulent purposes. The FBI, the VA inspector general's office and Montgomery County, Md., police, continue to investigate the incident and a $50,000 reward is being offered by the local police department for information that leads to the recovery of the records.

Rep. Bob Filner, D-Calif., acting ranking member of the House Veterans' Affairs Committee, has called for Nicholson to fire those responsible for the data compromise and then resign himself.

Senate Veterans' Affairs Committee Chairman Larry Craig, R-Idaho, said in a statement that he fully supports Nicholson's efforts to address the situation and he expects other changes to come.

"The bureaucracy has to get the message that in the 21st century, information moves at lightening speed and as a result, there must be systems in place to ensure that the data is extremely well-protected," Craig said.

On Wednesday, Nicholson named attorney Richard M. Romley as his special adviser for information security.

Romley, a former Arizona county attorney, a will report directly to Nicholson and will be responsible for evaluating the current state of VA's information security procedures and processes and for developing recommendations to improve its information security systems.

Nicholson said Romley is a well-respected attorney and veteran who will provide a critical outsider's perspective and shares a "commitment to cutting through bureaucracy to provide results for our nation's veterans."

COMMENTS

• All the analysts I know in VA are overworked. Taking work home has been encouraged and routine. This was a long-term, conscientious employee just trying to get his work done. VHA guidelines for treatment of private data on computers have been limited at best, and I have never seen any guideline pertaining to encrypting PHI on laptops until the last month. Perhaps they have existed, but VHA has done a poor job of keeping its employees aware of current directives and guidelines. If one looks at the last privacy and security training, there's nothing there that would have changed the outcome of this situation. Information management in VHA has been in perpetual disarray for years and this is one manifestation of it. Now there's a major top-down effort in VHA to catch up and fix its policies that should have been fixed years ago -- that should be indicative of where the fault really lies. Keep the scapegoat analyst and his boss and purge from the top of VHA. GovExec.com reader Posted June 19, 2006 4:50 PM
• Sure Mr. Taxpayer. You take a computer home to do work, it is stolen and you are fired for not having the proper encryption on the computer. How about if you have hardcopy of the materials and you accidentally lose the hardcopy on the train? How about if you are sending this copy electronically and you send it to the wrong address by mistake. Why don't we just fire every federal employee who has ever made a mistake? You didn't like my comment but if you were that employee you certainly wouldn't want to be fired for having a computer stolen with data that was not encrypted. Sure he violated policy. Every employee who takes an hour lunch on our government's half hour lunch policy violates that policy -- so what!!! Those who are with sins should never cast stones. We have all made mistakes but to kill employment for those mistakes rather than actually fix the mistakes is just plain wrong!!!! HR Specialist GovExec.com reader Posted June 8, 2006 2:22 PM
• I can't believe they are going to fire that poor guy!! For instance, one of our offices lost a fingerprint laptop ... did you hear about it in the news? No, because it's who is looking out for them!!! Like most of you said, everyone takes home work. I work in the employment office of the IRS. We are famous for taking work home. Every single GS 12/13/14/15 has a laptop. they download information from here and work at home (conveniently) on Fridays, Saturdays and even Sunday and get paid comp time. GovExec.com reader Posted June 5, 2006 2:38 PM