Security holes found in VA computer system

In a test of the security of Veterans' Affairs Department computers, the agency's Office of Inspector General was able to hack into the system and obtain total control of all veterans' benefit records, the assistant inspector general told a House subcommittee Thursday. "These weaknesses were so serious as to reveal information at the individual veteran level," said Michael Slachta, the assistant inspector general for auditing. The extent of the weaknesses forced the agency to acknowledge information security as a "material weakness" of the department, he said. Under questioning by Veterans' Affairs Oversight and Investigations Subcommittee Chairman Terry Everett, R-Ala., Slachta said that a contractor to the inspector general's office was able to get "into the backbone of the system" last year and obtain confidential financial and medical information about any of the 3.2 million veterans in the system. "When I read your report which you just summarized, I sat down and cried," Everett said. "I am really outraged by the Veterans' Administration's inexcusable failure to safeguard the confidential personal information in their computers, including medical information." Subcommittee ranking member Corrine Brown, D-Fla., also expressed her frustration. "If we don't see major improvement, the VA could be outsourced, it could be dismantled," she said. Speaking of the unnamed OIG contractor, Slachta said, "I would not call them sophisticated." The contractor obtained the ability to delete any veteran's record and to send themselves fraudulent payments. He said the OIG had uncovered three cases in which VA employees had used the computer system to pay themselves between $500,000 and $600,000 each. Slachta declined to specify the steps the contractor used to gain access to the Veterans Benefits Administration system, saying, "I don't want to set up challenges." Computer security officials at the Veterans' Affairs Department said they had been hamstrung by efforts to counteract the Y2K computer bug, and said they had taken steps to fix 14 of the 22 high priority recommendations identified by the OIG. "We are very concerned about veterans' records and their privacy issues, and having a chief security officer is the only way we are going to fix this," said Robert Bubniak, acting chief information officer at the department. But when Everett pressed, "How are you going to reassure us that hackers or authorized users have not intruded upon personal financial or medical information maintained by the VA," Bubniak responded, "I cannot, sir." House Majority Leader Richard Armey, R-Texas, used the hearing to slam Vice President Al Gore. "As the administration's point man on technology, the Vice President has failed to exercise leadership and protect the medical records entrusted to the federal government's care," said Armey. "How can this administration talk about protecting privacy when their own departments and agencies put some of our most private information at risk? This devastating report casts serious doubts about this administration's ability to protect the medical and financial privacy of America's veterans."