VA data breaches involve records of more than 3,800 vets - FederalTimes.com


More than 3,800 veterans had their personal information compromised last month in two data breaches that have led to renewed criticism of the Veterans Affairs Department's data security.

On April 22, an unencrypted laptop belonging to VA contractor Heritage Health Solutions was stolen from a vehicle, compromising the records of more than 600 veterans, Rep. Harry Mitchell, chairman of the House Veterans' Affairs subcommittee on oversight, said at a hearing Wednesday.

And on April 24, a log book containing the records of 3,265 veterans vanished from a medical lab.

Both incidents were related to VA facilities in Texas.

VA has made progress in the last four years on information security, but the recent breaches indicate that more needs to be done, lawmakers and representatives from the Government Accountability Office and the VA inspector general's office said at the hearing.

Securing veterans' data became a priority for VA in 2006 after 26.5 million veterans' data were lost when a VA employee's personal laptop was stolen.

VA has significantly shored up security on its employee-owned computers, said Gregory Wilshusen, GAO director of information security issues. However, contractors are a different story.

Heritage Health Solutions has 69 contracts with VA, and 25 of those don't have clauses requiring personal data to be encrypted, said Rep. Steve Buyer, R-Ind. A VA spokeswoman said 14 of Heritage's contracts involved VA facilities affected by the theft, and 12 of those had information-security clauses.

In November 2008, VA began requiring that security clauses be included in all contracts. But in February 2009, an internal review of 22,729 contracts found that 6,440 still did not have the clause. Of those, 578 contractors refused to sign the clause, and the situation has still not been resolved.

Additionally, the security clause's existence doesn't necessarily mean data are secure. Roger Baker, VA's chief information officer, said Heritage told VA it had taken required security measures — including encrypting data on laptops such as the one that was stolen — when it had not.

VA may terminate Heritage's contracts as punishment, said Jan Frye, the department's deputy assistant secretary for acquisition and logistics. Other options include writing a negative performance review of the company and putting that into a federal database, or suing Heritage for damages in federal court, Frye said.

Baker praised Heritage for reporting the theft in a timely manner and fully cooperating in responding to the breach. VA said 654 veterans were affected by the laptop breach and were mailed credit-protection offers by May 10. The laptop has not been found, but no breach of the files has been detected and no further access is possible because the laptop's access codes have been deleted.

Heritage Health Solutions officials did not immediately return a phone call seeking comment.


VA Chief Information Officer Roger Baker said Heritage Health Solutions told the agency it had taken required security measures when it had not. (Tom Brown / Staff file photo)
