In the largest breach of its kind in history, on May 3, 2006, a laptop was stolen from the home of a VA analyst in Aspen Hill, Maryland. It contained personal information, such as names, birth dates, and Social Security numbers, on 26.5 million veterans going back to 1975. Included were 1.1 million active duty personnel, 430,000 National Guard, and 645,000 reservists. The theft was not made public until 19 days later, on May 22, 2006. Both the theft and the delay in announcing it left millions at risk of identity theft. James Nicholson, the head of the VA (2005-2007) and former chairman of the Republican Party (1997-2000), stated initially, “a data analyst, took home a considerable amount of electronic data from the VA, which he was not authorized to do.” In fact, the analyst was authorized to take a laptop home and access veterans’ data. The question is why? The answer is the VA’s sloppy approach to security.
Following the posting of a $50,000 reward by Montgomery County, the laptop was recovered on June 28, 2006. Apparently, it had been resold on the street, and when the new owner compared serial numbers and found out about the reward, it was quickly returned. On August 5, 2006, two 19-year-olds were arrested for the theft. They said they did not know it contained the VA data until they read about it in the newspapers.
The cost of the theft? Various lawsuits by veterans. $25 million for the VA to set up a call center and send alerts to veterans about the theft and its potential risks. A request by Bush for an extra $160.5 million for free credit monitoring for veterans. And the cost to avoid this mess? Nothing but a little common sense.
Oh, and then it happened again. On August 3, 2006, a VA contractor, Unisys, reported that a computer had gone missing from its offices in Reston, Virginia. It contained information on up to 38,000 veterans treated in Philadelphia and Pittsburgh. According to the VA, the information included patients’ names, addresses, Social Security numbers, dates of birth, insurance carriers and billing information, dates of military service, and claims data that may include some medical information.
On August 14, 2006, VA head James Nicholson announced that all VA computers would receive encryption upgrades effective immediately.
You would think they would learn. On February 23, 2008, a laptop from the National Institutes of Health was stolen. It contained 7 years of clinical trial data on 2,500 patients, including names, birthdates, and medical reports. The data were not encrypted as they should have been. Acting responsibly, the appropriate review board was quickly notified on February 29, 2008, and it was immediately put on the agenda of the next meeting scheduled for March 4, 2008. Working at breakneck speed, the review board had a draft letter to patients ready by March 18. It took only two more days for board members to give it their final approval, nearly a month after the original theft. This is not so much closing the barn door after the horse has bolted but more like doing it after the horse has died of old age. Government officials simply do not take the private information of American citizens seriously.