VA hit with two class-action suits over data theft

The Department of Veterans Affairs faces two class-action lawsuits related to the theft of information on 26.5 million veterans last month.

The Vietnam Veterans of America (VVA) and four other veterans groups have filed a class-action lawsuit against the VA seeking $1,000 in damages for each veteran who can show that he or she has been harmed by the data theft.

Last week, Paul Hackett, a Marine reservist from Cincinnati, Ohio, who served in Iraq, and Matthew Page, from Boone County, Ky., filed a class-action lawsuit against the VA in the U.S. District Court for the Eastern District of Kentucky. It, too, seeks $1,000 in damages for any veteran damaged by the data theft.

The VA disclosed yesterday that the stolen database also contains records and private information on 10,000 to 20,000 members of the National Guard and Reserves called to active duty and for 25,000 to 30,000 Navy personnel who completed their first enlistment before 1991.

The Consumer Coalition for Health Privacy asked the Department of Health and Human Services last week to conduct a privacy review of health data included in the stolen information, which contained records it believes are covered by the Health Insurance Portability and Accountability Act (HIPAA).

The VVA suit, filed in the U.S. District Court for the District of Columbia, also asks the court to prevent the VA from altering any of its data storage systems until a court-appointed panel of experts determines how to prevent future security breaches. The National Gulf War Resource Center, Radiated Veterans of America, Citizen Soldier, and Veterans for Peace joined VVA in its suit.

The Hackett/Page suit asks the Kentucky court to prohibit the VA from operating information systems without appropriate safeguards to ensure the privacy of veterans’ records.

It also requests that the VA take steps to head off possible identity theft by establishing an identity- and credit-monitoring program that would cover potentially all of the veterans whose information was stolen. The data was stored on a removable device attached to a laptop PC reported stolen from a VA data analyst’s home May 3.

“It is appalling to all veterans that their personal information -- information that is supposed to be held in confidence -- is potentially in the hands of individuals who can wreak identity-theft havoc,” said John Rowan, national president of VVA.

He added that he was perplexed about the amount of information the VA has collected on veterans who have never used the agency’s services and said VA Secretary Jim Nicholson has yet to answer some critical questions.

“What was an employee of the VA doing with the names, Social Security numbers and dates of birth of all these veterans, the vast majority of whom have never availed themselves of VA services?” he asked. “Why is the VA collecting this information in the first place?”

Besides personal identifiers such as Social Security numbers, the VA said the stolen database also contains medical diagnostic codes and medical disability ratings, which the Consumer Coalition for Health Privacy views as a potential violation of the privacy provisions of HIPAA.

The coalition asked HHS Secretary Mike Leavitt “to do everything he can to ensure the privacy and security of protected health and other highly sensitive information held by the VA,” said Paul Feldman, deputy director of the Health Privacy Project, in a statement.


  • Defense
    Ryan D. McCarthy being sworn in as Army Secretary Oct. 10, 2019. (Photo credit: Sgt. Dana Clarke/U.S. Army)

    Army wants to spend nearly $1B on cloud, data by 2025

    Army Secretary Ryan McCarthy said lack of funding or a potential delay in the JEDI cloud bid "strikes to the heart of our concern."

  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.