The Veterans Affairs Department will require encryption for portable storage devices used internally, effective in December, because of a data breach at its medical center in Birmingham, Ala., earlier this year. VA already requires the use of encrypted flash drives, hard drives and other removable devices when employees have permission to take personally identifiable data off site.
Now the agency will coordinate with the Office of Management and Budget and the President's Identity Theft Task Force to develop governmentwide criteria for determining under what conditions potential identity theft victims should be notified and offered free credit monitoring, said Robert Howard, VA's chief information officer, in a letter to the agency's Office of Inspector General in late June.
Howard detailed actions his office was taking in response to the IG's investigation of the data breach. Until then, VA will continue to determine on a case-by-case basis whether the loss of a single personal identifier, such as a Social Security number, constitutes a risk for identity theft and credit monitoring.
On Jan. 22, an information technology specialist reported that a VA-owned external hard drive he had been using was missing from the Birmingham VA Medical Center's Research Enhancement Award Program office.
The missing hard drive contained backup data from the employee's desktop computer and other data he was working on from a shared network. The files likely contained personally identifiable information and health information on 250,000 veterans. The drive also most likely contained information from the Health and Human Services Department on 1.3 million medical providers.
VA offered credit monitoring to 864,000 affected veterans, employees and health care providers whose full Social Security numbers might be at risk to proactively protect them from possible identity theft, Howard said.
To date, the department has not located the missing hard drive, but there is no indication that the data contained on it has been further compromised or used to commit fraud. The criminal investigation by the FBI and VA's IG remains open.
The actions of the IT specialist initially impeded the investigation. He told investigators that he had deleted multiple files; emptied his computer recycle bin, which removed information about the deleted files; and password-protected two of the files to try to hide the extent and magnitude of the missing data, an IG report states.
The data loss underscores the lack of governmentwide guidance and criteria on how to assess the vulnerability of data. Without guidance, agencies are likely to make inconsistent decisions about what protections to offer affected individuals.