For VA, all security is local

IG’s latest findings illustrate difficulty of assessing risk from data breaches

Administrative investigation: Loss of VA information, VA Medical Center, Birmingham, Ala.

When an external hard drive went missing from a Veterans Affairs Department medical center in Birmingham, Ala., earlier this year, the incident added to the notoriety that the department earned in May 2006, when a VA laptop PC containing the personal information of 26.5 million veterans and their families was stolen from a VA employee’s home.

The most recent incident revealed that enforcement of data security policies and procedures set by the agency’s headquarters is hit or miss at local offices, according to VA’s Office of Inspector General, which released an investigative report June 29.

The local data loss underscored a lack of governmentwide guidance on assessing the degree of risk to potential victims of data security incidents, the IG said. The loss also exposed a lack of guidelines for handing incidents in which lost or stolen data belongs to more than one agency. Without guidelines, agencies are likely to make inconsistent decisions about what protections to offer people whose personal data was compromised, the report states.

VA’s response to the Birmingham incident was to assume that the victims were at high risk of harm because of the incident. On that basis, VA offered the victims free credit monitoring, which is costing the government $20 million. The IG’s report made the point that “a very liberal use of high-risk levels can result in spending millions of dollars in taxpayer money needlessly.”

In January, an information technology specialist reported missing a VA-owned external hard drive from the Birmingham Medical Center’s Research Enhancement Award Program office. The employee had used the hard drive to back up research files, which contained personally identifiable information and health information on about 250,000 veterans and data from the Health and Human Services Department on 1.3 million medical providers.

The IG recommended that VA coordinate with the Office of Management and Budget and the President’s Identity Theft Task Force to develop governmentwide risk-analysis criteria to determine when potential identity theft victims of data loss should be notified and offered free credit monitoring.

In the absence of governmentwide criteria, VA or other agencies that lose personal data must determine whether the loss of a single personal identifier, such as a Social Security number, creates a risk of identity theft, said Robert Howard, the VA’s chief information officer, in a letter to the the IG’s office last month.

VA ultimately offered credit monitoring to 864,000 affected veterans, employees and health care providers whose SSN numbers were on the missing hard drive, Howard said. 

VA has not located the drive. It also has no evidence that the missing data has been used to commit fraud. 

The data loss was disheartening for the Veterans Health Administration, which oversees all VA hospitals, said Michael Kussman, VA’s undersecretary for health, in a written response to the IG report.

“The loss of information at the Birmingham Research Enhancement Award Program is a disturbing incident, given the Veterans Health Administration’s focus on data security over the past year,” Kussman said.
No hard-and-fast guidelines exist for assessing riskThe Veterans Affairs Department’s Office of Inspector General is not the first to ask the Office of Management and Budget for risk-assessment guidelines for handling incidents involving the  loss or theft of personal data.

The Government Accountability Office recommended in April that OMB develop risk-assessment guidelines to help federal agencies determine when to offer free credit monitoring after those  incidents.

Karen Evans, OMB’s administrator for e-government and information technology, said the agency  is looking into ways to supplement guidance it offered in 2006. “We released a high-level decision chart for agencies last year. It includes recommendations from the Identity Theft Task Force and a decision flowchart, she said.

“We plan to take a look at the flowchart and see how we can complement it,” Evans added. “We will figure out if there is anything we can offer and talk to the National Institute of Standards and Technology.”

Evans also said no single approach will fit all agencies. She said each agency must weigh the consequences of data security incidents and analyze what they need to accomplish.
— Jason Miller

The Fed 100

Save the date for 28th annual Federal 100 Awards Gala.


  • computer network

    How Einstein changes the way government does business

    The Department of Commerce is revising its confidentiality agreement for statistical data survey respondents to reflect the fact that the Department of Homeland Security could see some of that data if it is captured by the Einstein system.

  • Defense Secretary Jim Mattis. Army photo by Monica King. Jan. 26, 2017.

    Mattis mulls consolidation in IT, cyber

    In a Feb. 17 memo, Defense Secretary Jim Mattis told senior leadership to establish teams to look for duplication across the armed services in business operations, including in IT and cybersecurity.

  • Image from

    DHS vague on rules for election aid, say states

    State election officials had more questions than answers after a Department of Homeland Security presentation on the designation of election systems as critical U.S. infrastructure.

  • Org Chart Stock Art - Shutterstock

    How the hiring freeze targets millennials

    The government desperately needs younger talent to replace an aging workforce, and experts say that a freeze on hiring doesn't help.

  • Shutterstock image: healthcare digital interface.

    VA moves ahead with homegrown scheduling IT

    The Department of Veterans Affairs will test an internally developed scheduling module at primary care sites nationwide to see if it's ready to service the entire agency.

  • Shutterstock images (honglouwawa & 0beron): Bitcoin image overlay replaced with a dollar sign on a hardware circuit.

    MGT Act poised for a comeback

    After missing in the last Congress, drafters of a bill to encourage cloud adoption are looking for a new plan.

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group