Paper records account for most VA data breaches

The leading cause of data breaches at the Department of Veterans Affairs continues to be paper-based records, according to VA Acting Assistant Secretary for Information and Technology Stephen Warren.

Warren briefed reporters Aug. 8 on the data breach reports his agency submitted to Congress for April, May and June, and stated that while theft of electronic devices containing patient information is rare and "holding steady," upwards of 98 percent of data breaches continue to involve "physical paper."

Problematic paper records include documentation misplaced, mishandled or improperly mailed by agency employees – VA's data breach report over the three-month period suggests such mistakes happen hundreds of times per month. In many such cases, a veteran's claim – containing Social Security numbers, address, compensation and pension claim ratings – is exposed publicly or sent to the wrong veteran.

Warren said instances where veterans' information is not kept private are regrettable, but added that the error rate is actually low considering the VA's large number of patients – it sends out millions of packages per month and has "the best" error rate in the health care industry for mispackaging or mishandling. Patients that experience privacy issues are frequently offered credit protection services from VA.

"We are constantly reinforcing the fact" that health care matters, Warren said, emphasizing that every data breach report is investigated and analyzed. The VA's Data Breach Core Team, created in 2008, makes use of key players in several of the department's components to review monthly data breaches, assessing risk based on National Institute of Standards and Technology-developed standards.

Over the three-month period, no data breaches were classified as high risk, and most were rated as low risk.

Between April and June, VA reported six missing personal computers, 68 missing Blackberries and 27 missing laptops, three of which were unencrypted. Based on the reports, it does not appear that private information, with the potential exception of the names of some veterans, was compromised. The stolen or misplaced electronic devices did not have access to VA's network.

While VA has come under fire in the past for putting vets' data at risk electronically, Warren said the theft or disappearance of electronic devices is "holding steady" and remains low, despite 900,000 connected devices on its networks. He said people tend to steal laptops indiscriminately for their street value rather than in hopes of profiting from veterans' private information.

"People like laptops because you can sell them easily; folks are taking them for commodity of the things," Warren said. When it comes to electronic data breaches, he said, "we haven't really seen new trends."