Tuesday, August 08, 2006

Another VA Computer Gone Missing

According to a VA press release dated today, another VA computer has gone missing with the possibility that it contains medical information for 36,000 veterans.

According to the press release,

It is believed the desktop computer may have contained patients’ names, addresses, Social Security Numbers, dates of birth, insurance carriers and billing information, dates of military service, and claims data that may include some medical information.

. . .
Initial estimates indicate the desktop contained information on approximately 5,000 patients treated at Philadelphia, approximately 11,000 patients treated at Pittsburgh, and approximately 2,000 deceased patients. VA is also investigating the possibility the computer may have contained information on approximately another 20,000 people who received care through the Pittsburgh medical center.
The contractor in question is Unisys, apparently hired by the VA to assist in insurance collections for medical centers in Pittsburgh and Philadelphia.

I've read a dozen or so stories online this afternoon, but none of them do much more than rehash the press release or offer guesses as to what VA and/or Unisys was thinking (or not thinking). As this story fleshes out, I'd sure like to know why there was such a concentration of patient information on one computer in the first place. Thefts and misplacements happen, after all, despite the best policies and procedures, and concentrating that much data in one place -- with a justifiable business reason -- goes against standard risk management practices. Secondarily, I'd like to know why the data wasn't encrypted. The process is straightforward enough and for an organization like Unisys should be standard practice, particularly when the file includes names, Social Security numbers, and dates of birth.

As to VA's aspirations:

“VA is making progress to reform its information technology and cyber security procedures, but this report of a missing computer at a subcontractor’s secure building underscores the complexity of the work ahead as we establish VA as a leader in data and information security,” Nicholson added.

"Nicholson" is the Honorable R. James Nicholson, Secretary of Veterans Affairs. Somehow, I don't think it is the "complexity" of the work that is really the issue.

UPDATE: Senator Harry Reid (D-NV) is calling for Nicholson's head. "Less than a month after promising to make the VA the 'gold standard' in data security, Secretary Nicholson has again presided over loss of personal information of thousands of veterans," Reid said in a Washington Post article. Opportunistic, but not an entirely unfair comment.


