Review of Issues Related to the Loss of VA Information Involving the Identity of Millions of Veterans

Report Information

Issue Date:
Closure Date:
Report Number: 06-02238-163
VISN:
State: District of Columbia
District:
VA Office: Policy and Planning
Report Author: Office of Investigations
Report Type: Administrative Investigation
Recommendations: 6
Questioned Costs: $0
Better Use of Funds: $0
Congressionally Mandated: No

Summary

The home of a VA employee was burglarized, resulting in the theft of a personally owned laptop computer and an external hard drive, which was reported to contain personal information on approximately 26 million veterans and United States military personnel. The VA Secretary was not informed of the incident until almost 2 weeks after the data was stolen, and the Congress and veterans were not notified until almost 1 week later. The Office of Inspector General (OIG) initiated this review and found that the employee was not authorized to take the VA data home; processing the notification of the stolen data was not appropriate or timely; the information security officials acted with indifference and little sense of urgency; policies and procedures do not adequately protect personal or proprietary data; and information security control weaknesses remain uncorrected.

No. 1
Closed and Implemented
to Information and Technology (OIT)
Closure Date: 8/25/2016
Take whatever administrative action deemed appropriate concerning the individuals involved in the inappropriate and untimely handling of the notification of stolen VA data.
No. 2
Closed and Implemented
to Information and Technology (OIT)
Closure Date: 9/18/2007
Establish one clear, concise VA policy on safeguarding protected information when stored or not stored in VA automated systems, ensure policy is readily available, and employees held accountable.
No. 3
Closed and Implemented
to Information and Technology (OIT)
Closure Date: 9/24/2008
Modify the mandatory Cyber Security and Privacy Awareness training to identify and provide a link to all applicable laws and VA policy.
No. 4
Closed and Implemented
to Human Resources and Administration/Operations, Security, and Preparedness (HRA/OSP)
Closure Date: 6/22/2016
We recommend that the Secretary ensure that all position descriptions are evaluated and have proper sensitivity level designations, that there is consistency nationwide for positions that are similar in nature or have similar access to VA protected information and automated systems, and that all required background checks are completed in a timely manner.
No. 5
Closed and Implemented
to Information and Technology (OIT)
Closure Date: 12/20/2007
Establish VA-wide policy for contracts for services that requires access to protected information, ensures contractor personnel held to same standards, and information is safeguarded.
No. 6
Closed and Implemented
to Information and Technology (OIT)
Closure Date: 9/7/2007
Establish VA policy and procedures that provide clear, consistent criteria for reporting, investigating, and tracking incidents of loss, theft, or potential disclosure of protected information.