Paper records account for most VA data breaches

Image of file folders

The leading cause of data breaches at the Department of Veterans Affairs continues to be paper-based records, according to VA Acting Assistant Secretary for Information and Technology Stephen Warren.

Warren briefed reporters Aug. 8 on the data breach reports his agency submitted to Congress for April, May and June, and stated that while theft of electronic devices containing patient information is rare and "holding steady," upwards of 98 percent of data breaches continue to involve "physical paper."

Problematic paper records include documentation misplaced, mishandled or improperly mailed by agency employees – VA's data breach report over the three-month period suggests such mistakes happen hundreds of times per month. In many such cases, a veteran's claim – containing Social Security numbers, address, compensation and pension claim ratings – is exposed publicly or sent to the wrong veteran.


Read the VA's data breach reports




Warren said instances where veterans' information is not kept private are regrettable, but added that the error rate is actually low considering the VA's large number of patients – it sends out millions of packages per month and has "the best" error rate in the health care industry for mispackaging or mishandling. Patients that experience privacy issues are frequently offered credit protection services from VA.

"We are constantly reinforcing the fact" that health care matters, Warren said, emphasizing that every data breach report is investigated and analyzed. The VA's Data Breach Core Team, created in 2008, makes use of key players in several of the department's components to review monthly data breaches, assessing risk based on National Institute of Standards and Technology-developed standards.

Over the three-month period, no data breaches were classified as high risk, and most were rated as low risk.

Between April and June, VA reported six missing personal computers, 68 missing Blackberries and 27 missing laptops, three of which were unencrypted. Based on the reports, it does not appear that private information, with the potential exception of the names of some veterans, was compromised. The stolen or misplaced electronic devices did not have access to VA's network.

While VA has come under fire in the past for putting vets' data at risk electronically, Warren said the theft or disappearance of electronic devices is "holding steady" and remains low, despite 900,000 connected devices on its networks. He said people tend to steal laptops indiscriminately for their street value rather than in hopes of profiting from veterans' private information.

"People like laptops because you can sell them easily; folks are taking them for commodity of the things," Warren said. When it comes to electronic data breaches, he said, "we haven't really seen new trends."

About the Author

Frank Konkel is a former staff writer for FCW.


  • 2018 Fed 100

    The 2018 Federal 100

    This year's Fed 100 winners show just how much committed and talented individuals can accomplish in federal IT. Read their profiles to learn more!

  • Census
    How tech can save money for 2020 census

    Trump campaign taps census question as a fund-raising tool

    A fundraising email for the Trump-Pence reelection campaign is trying to get supporters behind a controversial change to the census -- asking respondents whether or not they are U.S. citizens.

  • Cloud
    DOD cloud

    DOD's latest cloud moves leave plenty of questions

    Speculation is still swirling about the implications of the draft solicitation for JEDI -- and about why a separate agreement for cloud-migration services was scaled back so dramatically.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.