VA sets aside $20 million to handle latest data breach

The Veterans Affairs Department has set aside more than $20 million to respond to its latest data breach, the agency's top technology officer said Thursday.

The department does not expect to spend the full $20 million, but designated that much because the breach potentially puts the identities of nearly a million physicians and VA patients at risk, said Bob Howard, the department's chief information officer. Howard spoke at The E-Gov Institute's Government Health IT Conference and Exhibition in Washington.

"We have no evidence that [information is at risk]. None whatsoever, but we don't take the chance," Howard said. "The attitude of the VA right now is if we think we've put anybody's information at risk, then we need to step up to the plate and try to remedy that."

The breach occurred in January, when a hard drive went missing from a Birmingham, Ala., VA medical research facility. The drive contained highly sensitive information on nearly all U.S. physicians and medical data for more than a half million VA patients. Any physician who billed Medicaid and Medicare through 2004 could be affected.

The hard drive has not been recovered. The VA estimates that about half of the 1.3 million doctors whose information was on the hard drive, and 254,000 veterans, are potentially at risk. This group was notified by mail at the end of May. The letters noted that VA is providing credit monitoring services through a General Services Administration blanket purchase agreement from the multiple award schedules program.

The credit monitoring funds will come out of the VA's fiscal 2007 cybersecurity budget, but Congress included an extra $15 million in the recently passed emergency supplemental bill for funding the wars in Iraq and Afghanistan (H.R. 2206), Howard said.

Because the January data breach occurred in a medical research facility, the technology office tried to get health care-related funds reprogrammed to cover the credit monitoring, Howard noted, but the effort was unsuccessful.

"We were very worried about using cyber money that was needed to fix other things so they listened to us and helped us out [through the supplemental]," Howard said. "I'm spending my life in the protection of information. The fact of the matter is that it is a very important aspect to us."

Investigators are still trying to locate the hard drive and the FBI has offered a $25,000 reward for information leading to its return.

In May 2006, the VA shocked Congress, the veterans community and the military by announcing that a laptop computer containing personal data on 26.5 million veterans and active-duty military personnel had been stolen. This prompted multiple hearings and legislation intended to better protect the government's sensitive information.

Howard said the department's health care information system, known as VistA, has weaknesses since it was built at a time when the VA did not worry as much about security.

Department officials are looking at ways of speeding up the modernization of VistA, which is scheduled to take until at least 2015, Howard said. The update is intended to make the medical records stored on the system available worldwide via the Internet but at the same time protect security.

"We're not satisfied with the timeline we've laid out for VistA," Howard said. "We want to accelerate it, and it may take additional money, but we're not sure. The biggest concern we have is money. You don't want to just throw money at the problem unless you know what you're doing."

Currently the system is "facility centric," revolving around the department's 1,400 locations. With patients moving out of the Defense Department's health system and in and out of private health care systems, VA has to be able to access the medical information through a single portal from anywhere, Howard said.

The modernization of VistA is "enormously complex," since the system was "built internally over time by the officials who work with the requirements," Howard said. The modernization will be approached incrementally, rather than with a "big bang approach," he said.

"We are not there by any sense of the imagination," he said. "That's a tall order, but that's the vision that we're focused on and hopefully we can figure out how to do that at some point."

Howard said the fact the department is now working with the Defense Department to build a joint electronic health system has improved the prospects of securing resources from Congress to hasten the VistA upgrade.

In addition, the centralization of IT authority around the CIO's office has improved the VA's ability to implement the upgrade, Howard said.

"We've got it all now. We've got the people. We've got the money. The IT appropriation. But we've also got the problems," Howard said. "Centralization has already begun to help us get things done faster, improve standardization, improve compatibility -- all of the things that will help us modernize our electronic health records."

Stay up-to-date with federal news alerts and analysis — Sign up for GovExec's email newsletters.
Close [ x ] More from GovExec

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • Sponsored by G Suite

    Cross-Agency Teamwork, Anytime and Anywhere

    Dan McCrae, director of IT service delivery division, National Oceanic and Atmospheric Administration (NOAA)

  • Data-Centric Security vs. Database-Level Security

    Database-level encryption had its origins in the 1990s and early 2000s in response to very basic risks which largely revolved around the theft of servers, backup tapes and other physical-layer assets. As noted in Verizon’s 2014, Data Breach Investigations Report (DBIR)1, threats today are far more advanced and dangerous.

  • Federal IT Applications: Assessing Government's Core Drivers

    In order to better understand the current state of external and internal-facing agency workplace applications, Government Business Council (GBC) and Riverbed undertook an in-depth research study of federal employees. Overall, survey findings indicate that federal IT applications still face a gamut of challenges with regard to quality, reliability, and performance management.

  • PIV- I And Multifactor Authentication: The Best Defense for Federal Government Contractors

    This white paper explores NIST SP 800-171 and why compliance is critical to federal government contractors, especially those that work with the Department of Defense, as well as how leveraging PIV-I credentialing with multifactor authentication can be used as a defense against cyberattacks

  • Toward A More Innovative Government

    This research study aims to understand how state and local leaders regard their agency’s innovation efforts and what they are doing to overcome the challenges they face in successfully implementing these efforts.

  • From Volume to Value: UK’s NHS Digital Provides U.S. Healthcare Agencies A Roadmap For Value-Based Payment Models

    The U.S. healthcare industry is rapidly moving away from traditional fee-for-service models and towards value-based purchasing that reimburses physicians for quality of care in place of frequency of care.

  • GBC Flash Poll: Is Your Agency Safe?

    Federal leaders weigh in on the state of information security


When you download a report, your information may be shared with the underwriters of that document.