The Department of Veterans Affairs says a computer hard drive missing in Alabama since last month was not encrypted, the latest in an embarrassing series of data breaches sparking concern in Congress.
"The problems that we thought were fixed have not been fixed," said House Veterans Affairs Committee Chairman Bob Filner, D-Calif. "They have not secured the sensitive information of our veterans to our satisfaction."
Filner said he plans to hold oversight hearings later this month.
"Clearly they're doing a better job," he said. "But they have to do better faster."
VA officials began sending out letters Monday notifying an estimated 1.8 million people that private information such as Social Security numbers may have been compromised when an employee's unsecured hard drive went missing. The employee reported it missing Jan. 22.
The department initially thought the breach affected about 48,000 veterans. But on Sunday, the VA said as many as 535,000 veterans and 1.3 million non-VA physicians nationwide could be at risk.
As the FBI and the VA inspector general investigate, the VA has neither said whether the hard drive was stolen nor released the circumstances of its loss.
The Birmingham disclosure comes after a string of similar incidents recently, including the theft last spring of data on 26.5 million veterans from a VA employee's home in Maryland. The equipment was recovered and authorities determined its theft was part of a routine burglary and the data was probably not accessed.
But federal investigators later found weak management and lax rules at the agency, saying the VA routinely failed to monitor employee access to private information, did not restrict users to "need-to-know" data and often waited too long to terminate accounts when an employee quit or was fired.
After facing blistering criticism from Congress, VA Secretary Jim Nicholson said in August the agency would upgrade its computers with encryption technology, making data unreadable for unauthorized users. A department spokesman said last month the agency spent about $80 million in the last fiscal year on computer security.
The department also recently hired a defense contractor for a five-year contract, worth $2.3 million in the first year, to improve employee practices.
VA spokesman Matt Burns said Wednesday the Birmingham incident "clearly" involves a policy violation given that the hard drive wasn't encrypted. The employee has been placed on leave as the investigation proceeds, he said.
The department has a "very dedicated" work force of some 235,000 people, Burns said, but "changing the culture of a large bureaucracy is something that is going to take time."
"It is something we are committed to. It is something we will accomplish," he added.
In the meantime, Nicholson could again face difficult questions from Capitol Hill.
"The VA's response to the data breach situation in Birmingham was unacceptably and inappropriately slow," said Rep. Spencer Bachus, R-Ala., whose district includes parts of Birmingham.
Bachus said his mother received a VA letter Tuesday notifying her that Bachus' father's information could be at risk. "That is a full 23 days after the problem first came to light," he said.