VA sets aside $20 million to handle latest data breach

The Veterans Affairs Department has set aside more than $20 million to respond to its latest data breach, the agency's top technology officer said Thursday.

The department does not expect to spend the full $20 million, but designated that much because the breach potentially puts the identities of nearly a million physicians and VA patients at risk, said Bob Howard, the department's chief information officer. Howard spoke at The E-Gov Institute's Government Health IT Conference and Exhibition in Washington.

"We have no evidence that [information is at risk]. None whatsoever, but we don't take the chance," Howard said. "The attitude of the VA right now is if we think we've put anybody's information at risk, then we need to step up to the plate and try to remedy that."

The breach occurred in January, when a hard drive went missing from a Birmingham, Ala., VA medical research facility. The drive contained highly sensitive information on nearly all U.S. physicians and medical data for more than a half million VA patients. Any physician who billed Medicaid and Medicare through 2004 could be affected.

The hard drive has not been recovered. The VA estimates that about half of the 1.3 million doctors whose information was on the hard drive, and 254,000 veterans, are potentially at risk. This group was notified by mail at the end of May. The letters noted that VA is providing credit monitoring services through a General Services Administration blanket purchase agreement from the multiple award schedules program.

The credit monitoring funds will come out of the VA's fiscal 2007 cybersecurity budget, but Congress included an extra $15 million in the recently passed emergency supplemental bill for funding the wars in Iraq and Afghanistan (H.R. 2206), Howard said.

Because the January data breach occurred in a medical research facility, the technology office tried to get health care-related funds reprogrammed to cover the credit monitoring, Howard noted, but the effort was unsuccessful.

"We were very worried about using cyber money that was needed to fix other things so they listened to us and helped us out [through the supplemental]," Howard said. "I'm spending my life in the protection of information. The fact of the matter is that it is a very important aspect to us."

Investigators are still trying to locate the hard drive and the FBI has offered a $25,000 reward for information leading to its return.

In May 2006, the VA shocked Congress, the veterans community and the military by announcing that a laptop computer containing personal data on 26.5 million veterans and active-duty military personnel had been stolen. This prompted multiple hearings and legislation intended to better protect the government's sensitive information.

Howard said the department's health care information system, known as VistA, has weaknesses because it was built at a time when the VA did not worry as much about security.

Department officials are looking at ways of speeding up the modernization of VistA, which is scheduled to take until at least 2015, Howard said. The update is intended to make the medical records stored on the system available worldwide via the Internet but at the same time protect security.

"We're not satisfied with the timeline we've laid out for VistA," Howard said. "We want to accelerate it, and it may take additional money, but we're not sure. The biggest concern we have is money. You don't want to just throw money at the problem unless you know what you're doing."

Currently the system is "facility centric," revolving around the department's 1,400 locations. With patients moving out of the Defense Department's health system and in and out of private health care systems, VA has to be able to access the medical information through a single portal from anywhere, Howard said.

The modernization of VistA is "enormously complex," since the system was "built internally over time by the officials who work with the requirements," Howard said. The modernization will be approached incrementally, rather than with a "big bang approach," he said.

"We are not there by any sense of the imagination," he said. "That's a tall order, but that's the vision that we're focused on and hopefully we can figure out how to do that at some point."

Howard said the fact that the department is now working with the Defense Department to build a joint electronic health system has improved the prospects of securing resources from Congress to hasten the VistA upgrade.

In addition, the centralization of IT authority around the CIO's office has improved the VA's ability to implement the upgrade, Howard said.

"We've got it all now. We've got the people. We've got the money. The IT appropriation. But we've also got the problems," Howard said. "Centralization has already begun to help us get things done faster, improve standardization, improve compatibility -- all of the things that will help us modernize our electronic health records."
