Report: VA treated data breach with ‘indifference’

Senior Veterans Affairs officials failed to understand the significance of the department's early May data breach and responded with "indifference and little sense of urgency," according to an inspector general report released Tuesday.

The report from VA Inspector General George Opfer reviews the circumstances surrounding the May 3 theft of a laptop computer and external hard drive from the home of a GS-14 data analyst who had worked at the department for 34 years. The equipment, which contained personal information on more than 26 million veterans, has since been recovered.

The IG found that while the data analyst was authorized to access and use the database, he did not have permission to take the data home and failed to encrypt it or protect it with a password. The employee's supervisors told the inspectors they were not aware he was working on the project at all, and said if they had been, they would not have allowed him to take the information home.

Department policies and procedures for protecting personal and proprietary data were not followed, though none of the policies prohibited the removal of protected information from the worksite, the report said. Information security weaknesses remain uncorrected, the IG added.

The report recommended that VA Secretary James Nicholson take whatever administrative action he deems appropriate against employees involved, establish a clear and concise policy on protecting sensitive information on and off agency systems and modify mandatory cybersecurity and privacy awareness training.

In response to the report, Nicholson said he has initiated four administrative investigations of the offices involved in both the breach and the response. He also said the agency has "embarked on a course of action to wholly improve its cyber and information security programs. The IG's report confirms that we must continue with our aggressive efforts to reform the current system."

House Veterans' Affairs Committee Chairman Steve Buyer, R-Ind., said in a statement that the report reiterates what was learned in a series of committee hearings, specifically that "weak information security policies and a lack of central authority over information management left the department vulnerable to massive breaches."

Rep. Lane Evans, D-Ill., ranking member of the committee, said that "utterly dysfunctional leadership" was one of a series of failures resulting in the data breach and Nicholson's next steps must include a review of why his managers and advisers "botched it and failed to report the matter to him."

In response to the data breach, House Government Reform Committee Chairman Tom Davis, R-Va., and the committee's ranking member, Rep. Henry Waxman, D-Calif., sent letters this week to all Cabinet agencies as well as the Office of Personnel Management and the Social Security Administration, asking for information on any "loss or compromise of sensitive personal information" since Jan. 1, 2003.