A Veterans Affairs Department data breach may have put at risk the personal information of more than 4,000 veterans, VA Chief Information Officer Roger Baker said Wednesday.
That is nearly twice the number of potentially affected vets VA said last week were eligible for credit monitoring because of the breach.
The information, including Social Security numbers, was posted on Ancestry.com last March and not discovered by VA until December, eight months later, when the daughter of a living veteran complained that personal information about her parent had been posted on the website, Baker said. The information was immediately taken off the website last month.
As of Wednesday, VA had confirmed that the personal information of at least 2,257 living veterans was mistakenly released to Ancestry.com as part of a response to a Freedom of Information Act request involving 14.7 million veteran records, Baker said. VA is reviewing about 2,000 additional names to determine if the individuals are deceased or living.
"It was a mistake on our part," Baker said.
"I am very concerned about the news that thousands of veterans' personal information has been compromised," said Rep. Joe Donnelly, D-Ind., in a statement to Federal Times on Monday. Donnelly is the ranking Democrat on the House Veterans Affairs subcommittee on oversight and investigations.
Ancestry.com had requested a complete copy of the VA database called the Beneficiary Identification and Records Location Subsystem Death File, which includes date-of-death information about veterans. The company's request sought personal information, including the name, Social Security number, date of birth and military branch assignments only for deceased veterans, not for living veterans.
Baker said some living veterans had been misidentified as deceased in the database. VA uses official reports from outside sources to confirm veterans' deaths, and "over the course of millions of records they can be wrong occasionally," Baker said.
Baker said in the future, VA will send internal notifications before processing large FOIA requests to ensure broader communication about what information is being released.
VA announced the mistake Jan. 20, and officials began contacting affected veterans on Jan. 18 as they identified which veterans are living. The department said veterans' benefits were not affected.
VA has offered free credit monitoring for one year to affected vets.