"These breaches clearly indicate the VA lacks focus on its primary responsibility of protecting veterans' personal information," Buyer said in his May 12 letter to VA Secretary Eric Shinseki. (JAMES J. LEE / STAFF)
The Veterans Affairs Department has notified lawmakers of two recent data breach incidents, according to a House committee aide. One breach involved a contractor's laptop that was stolen on April 22 and contained unencrypted personal information on 616 veterans.
The second breach occurred this month and involved "thousands" of veterans' personal information at a VA facility, according to the congressional source familiar with the breach, who spoke on the condition of anonymity. Both incidents occurred in Texas.
VA chief information officer Roger Baker, however, said in a May 14 interview he was aware of only one breach involving the 616 veterans. He said Congress has not provided the VA with any information on a second incident.
The two incidents were revealed in a May 12 letter to VA Secretary Eric Shinseki from the top Republican on the House Veterans' Affairs Committee, Rep. Steve Buyer, R-Ind.
Buyer complained that these incidents occurred even after the VA took steps to better protect veterans' data in the wake of a massive 2006 data breach involving the personal information of 26.5 million veterans.
"These breaches clearly indicate the VA lacks focus on its primary responsibility of protecting veterans' personal information," Buyer said in his letter. "It also shows that senior managers have neglected their responsibilities, that there is no clear definition of responsibilities; nor a delineation of responsibilities.
"In short, there is a preponderance of evidence of a severely dysfunctional and broken procurement process in the Veterans Health Administration," he said.
The stolen unencrypted laptop belonged to a veteran-owned business that has 69 contracts with 13 of VA's healthcare networks, and 25 of the contracts do not include a clause requiring information to be encrypted, Buyer said.
The contractor in question had certified that its laptops were encrypted, as required by the VA following the 2006 breach, Baker said. Any penalty imposed on the contractor for violating the contract will adhere to federal contracting rules, Baker said. Penalties range from taking no action to debarring the company.
Baker declined to identify the contractor, saying that could deter other contractors from voluntarily reporting such data breaches in the future. The contractor, which reported the incident to VA the day after the laptop was stolen, provides short-term prescriptions to veterans until prescriptions can be fulfilled by VA's centralized prescription facility, he said.
The contractor may be called to testify at a House Veterans' Affairs Committee hearing on the matter scheduled for May 19, the committee aide said.
Data contained on the stolen laptop, which has not been recovered, included names, Social Security numbers and prescription information of the affected veterans. All of the veterans were notified of the breach by May 10 and offered a year of free credit monitoring, Baker said.
After the 2006 incident, which is the largest data breach in government, VA said it would require all laptops containing sensitive information on veterans to be encrypted. However, 578 contractors have refused to sign encryption clauses, in violation of VA's policy, Buyer said.
Baker said the number of contractors that have refused to adhere to VA's IT policy is "less than 500" today, although VA doesn't know the precise number. He said the VA is in a tough position when deciding how to respond to a contractor that refuses to sign the policy since in some cases the contractor could be the only nursing home in a given area able to serve veterans.
"Each of these companies is important to us in providing health care to veterans," Baker said. "It's important that we don't take unilateral action."
Buyer has asked the VA general counsel to outline its legal opinion on whether these contractors can continue doing business with the VA.