The employee took the electronic data without authorization, Veterans Affairs Secretary Jim Nicholson said. Sources said the employee, now placed on administrative leave, worked in the Policy and Planning Group at department headquarters and was performing a statistical analysis on the data as part of an annual department study on veteran population demographics.
The data also contained the names, dates of birth and some disability ratings for up to 26.5 million veterans and some of their spouses, according to a VA statement. The stolen data does not contain medical records, the department said, adding that the FBI and the department's inspector general have mounted investigations.
While the data does not appear to have been deliberately targeted in the theft, the VA is notifying all possibly affected veterans and setting up a special toll-free hotline, 1-800-333-4636. It has also set up a Web site.
VA is in the process of finalizing a contract with the General Services Administration for call-center operations to handle the toll-free calls, GSA spokeswoman M.J. Pizzella said. The department is preparing to spend up to $11 million on the contract, and call volumes could reach tens of thousands of calls per hour, a source said. Pizzella would not confirm those numbers.
The department could have avoided this had the employee followed departmental procedure, said Robert McFarland, who stepped down in April as VA assistant secretary for information and technology. Data removed from computer systems onto devices such as laptops should be encrypted, he said.
"If it was encrypted, then it's going to be useless to anybody, but [the department] doesn't say it was encrypted," he said. Sources said it's probable that the information had been kept in a legacy system that couldn't have been accessed online through a secure virtual private network connection, which is why the employee manually downloaded the data.
"There's a lot of old systems there," McFarland said.
This isn't the first time the department has run into trouble with misplaced veterans' data. In fall 2002, a VA medical center in Indianapolis sold and donated old computers without first wiping their hard drives clean. The new owners found medical information and credit card numbers on the discarded computers. Sen. Larry Craig, R-Idaho, chairman of the Senate Veterans' Affairs Committee, said he will hold hearings on the latest incident, and may not wait until the investigation is complete before looking into the matter. "It is a phenomenally loud wake-up call to our government as it relates to how sensitive information is handled," he told Government Executive. Rep. Steve Buyer, R-Ind., chairman of the House Veterans' Affairs Committee, released a statement saying his panel will likewise examine the incident, in "the context of previous data compromises." VA officials have ordered all employees to complete a cybersecurity awareness and a privacy training course by June 30. In addition, the department is conducting an inventory and review of all positions requiring access to sensitive information. Employees with such access will have to undergo an updated background check.