
Paper records account for most VA data breaches


The leading cause of data breaches at the Department of Veterans Affairs continues to be paper-based records, according to VA Acting Assistant Secretary for Information and Technology Stephen Warren.

Warren briefed reporters Aug. 8 on the data breach reports his agency submitted to Congress for April, May and June, and stated that while theft of electronic devices containing patient information is rare and "holding steady," upwards of 98 percent of data breaches continue to involve "physical paper."

Problematic paper records include documentation misplaced, mishandled or improperly mailed by agency employees – VA's data breach report over the three-month period suggests such mistakes happen hundreds of times per month. In many such cases, a veteran's claim – containing Social Security numbers, address, compensation and pension claim ratings – is exposed publicly or sent to the wrong veteran.


Warren said instances where veterans' information is not kept private are regrettable, but added that the error rate is actually low considering the VA's large number of patients – it sends out millions of packages per month and has "the best" error rate in the health care industry for mispackaging or mishandling. Patients that experience privacy issues are frequently offered credit protection services from VA.

"We are constantly reinforcing the fact" that health care matters, Warren said, emphasizing that every data breach report is investigated and analyzed. The VA's Data Breach Core Team, created in 2008, makes use of key players in several of the department's components to review monthly data breaches, assessing risk based on National Institute of Standards and Technology-developed standards.

Over the three-month period, no data breaches were classified as high risk, and most were rated as low risk.

Between April and June, VA reported six missing personal computers, 68 missing Blackberries and 27 missing laptops, three of which were unencrypted. Based on the reports, it does not appear that private information, with the potential exception of the names of some veterans, was compromised. The stolen or misplaced electronic devices did not have access to VA's network.

While VA has come under fire in the past for putting vets' data at risk electronically, Warren said the theft or disappearance of electronic devices is "holding steady" and remains low, despite 900,000 connected devices on its networks. He said people tend to steal laptops indiscriminately for their street value rather than in hopes of profiting from veterans' private information.

"People like laptops because you can sell them easily; folks are taking them for commodity of the things," Warren said. When it comes to electronic data breaches, he said, "we haven't really seen new trends."


Reader comments

Sat, Aug 10, 2013

The last comment is born of ignorance and lack of common sense! While Warren has fewer than a handful of supporters (his supporters are mostly the contractors he hires to document his desires and publish them as if they are their unbiased and undirected opinions), in this case he’s right. Unlike people stealing paper records for the folders that hold the paper, it’s commonly known that most people steal laptops for the laptop itself. And if people want a veteran’s information they’ll more than likely find a way to hack into one of the many databases that hold it all. So somebody may steal a laptop for the data on it, but in the vast majority of cases it’s for the hardware. Plus if they only wanted the thief would probably only take it long enough to get the data and return it so nobody is any the wiser. Please don’t add to the ridiculous paranoia that’s infecting VA and taking our focus away from treating patients. Try as you may the VA will never be the NSA or CIA, so take your Mission Impossible-type dreams of deep-seated spying and take it to an agency that’s about spying, we’re here to deliver medicine and benefits. I guess you’re basing your opinion on those spy novels that consume you until the wee hours of the morning (or your ISO brainwashing – I mean training). You sound almost as silly as Warren does when he tries to sell that he’s open minded and not leading with a huge chip on his shoulder.

Fri, Aug 9, 2013

Based on the June 4th hearing it really doesn't matter what VA, and Step Warren in particular, says about security or whether or not the breaches were high, moderate or low risk. Once you’ve been caught deceiving Congress, Veterans and the general public you forfeit your credibility. Still waiting on what the VA is going to do about the hacking and general penetration of the VA network. As a Vet I’ve yet to receive anything in the mail like the letter sent out in 2006. At some point offering free credit monitoring is a moot point.

Fri, Aug 9, 2013 curious_from_OIT OIT-org

{Steph Warren} "...said people tend to steal laptops indiscriminately for their street value rather than in hopes of profiting from veterans' private information." I guess he's basing this statement on anecdotal evidence and personal supposition? Or empirical evidence gleaned from interviews with the thieves?
