Active-duty personnel at risk from VA data breach
- By Mary Mosquera
- Jun 07, 2006
The Veterans Affairs Department said that personal information on as many as 1.1 million active-duty military personnel was included in electronic data that was taken in the burglary of the home of a VA data analyst in early May.
The number of active-duty personnel is more than VA first announced over the weekend as the department continues to determine the number of individuals and the extent of the information affected beyond the 26.5 million veterans that VA first reported
last month. The information contained individuals' names, dates of birth and Social Security numbers. Some names included additional personal information.
Initial findings from VA and the Defense Department indicated that the personal information on approximately 50,000 active duty, National Guard and Reserve personnel may have been involved. As the agencies compared electronic files, VA and DOD learned that personal information on as many as 1.1 million military members on active duty, 430,000 members of the National Guard and 645,000 members of the Reserves may have been included in the data theft.
VA receives the data because active-duty personnel and National Guardsmen and Reservists are eligible to receive certain VA benefits, such as GI Bill educational assistance and the home-loan guaranty program.
'VA remains committed to providing updates on this incident as new information is learned,' said VA secretary Jim Nicholson in a statement yesterday.
VA, which is working with DOD to notify all affected personnel, is in discussions with several entities regarding services to determine how veterans and active-duty personnel potentially affected can best be protected, Nicholson added.
The House Government Reform Committee plans a hearing tomorrow, and the House Veterans Affairs Committee next week, on data security problems at VA and across government. Rep. Lane Evans (D-Ill.) the ranking Democrat on the House Veterans' Affairs Committee, formally requested an independent investigation by the Government Accountability Office into VA's data breach; GAO officials also will testify at the two hearings.
VA 'has ignored or stonewalled' previous GAO IT recommendations, Evans said. 'The administration and VA leadership have been warned repeatedly since 2001 about potential information security problems,' he added.
Law enforcement agencies investigating the incident have no indication that the stolen information has been used to commit identity theft, according to VA.
Nicholson hired Richard Romley, former county attorney in Maricopa County, Ariz., to serve as special adviser for information security. He will focus only on information security and report directly to Nicholson.
Since first publicly reporting the record data theft, VA has taken disciplinary action against department employees. The agency fired the data analyst who took home sensitive data. He had authority to access the information but not to take it from the premises. Michael McLendon, deputy assistant secretary for policy, has resigned and Dennis Duffy, acting assistant secretary for policy, is on administrative leave.
VA said it has hired its own independent data forensic experts to analyze the original data to better determine what information was involved in the computer and data theft from the employee's home.
Five veterans organizations have filed a class action lawsuit in U.S. District Court for the District of Columbia seeking a judgment that the VA's loss of records violates federal privacy laws and an award of $1,000 for each veteran who can demonstrate harm by the VA's violation of the Privacy Act. The veterans groups also ask for a court-appointed panel of experts to determine how best to prevent any further data breaches.
Mary Mosquera is a reporter for Federal Computer Week.