WASHINGTON – Veterans' personal data and health information remain at risk of identity theft because the Veterans Affairs Department has yet to implement several safety measures, government investigators say.
The report by the Government Accountability Office, released Wednesday, comes more than one year after the VA pledged renewed security efforts after the loss of personal information for 26.5 million veterans and active-duty personnel.
It found that the VA had not yet fully secured access to its computer network and department facilities nor worked to ensure that only authorized changes and updates to VA computer programs were made.
Moreover, the VA has operated without a chief information security officer since June 2006 to oversee changes and still lacks clear and adequate procedures for quickly notifying veterans when their sensitive data is lost, the report said.
"Because these recommendations have not yet been implemented, unnecessary risk exists that the personal information of veterans and others, such as medical providers, will be exposed to data tampering, fraud and inappropriate disclosure," investigators said.
Responding, VA Deputy Secretary Gordon Mansfield said he generally agreed with the findings but insisted the VA's data security was "legally adequate." Many of the recommendations, which were proposed a year ago by the GAO and the VA inspector general, were in the process of being implemented, he said.
"VA has taken aggressive and proactive measures that are, or were at the time, above and beyond legal requirements, such as mandating encryption of sensitive data accessed remotely or used outside VA facilities," Mansfield wrote.
In May 2006, the VA stunned the veterans community when it announced that thieves had stolen a computer hard drive containing millions of names, Social Security numbers and birth dates from a VA employee's Maryland home.
The hard drive was eventually recovered intact, but not until after the VA suffered blistering criticism from Congress for waiting more than two weeks to call in the FBI. VA Secretary Jim Nicholson, who wasn't immediately informed either, said he was outraged and pledged to make the VA the "gold standard" in data security.
"The security regimen at VA has been totally revised," Nicholson, who steps down Oct. 1, reported to Congress this week. "I believe that this reorganization, and the modification and strengthening of our regulations governing IT, its use, and its security will minimize the risk of a significant data loss in the future."
On Wednesday, the GAO said the VA had made progress by developing a plan to correct identified weaknesses in its information technology system, requiring security and privacy training for VA employees, and providing regular reports to the VA secretary.
But significant gaps remain because responsibility for overseeing VA data security is split among several offices and no clear process exists for the officials to work together.
The GAO cited in particular last January's threat of identity theft for 1.8 million veterans and physicians after a backup hard drive with their Social Security numbers went missing from a research site in Birmingham, Ala.
Medical providers involved in the incident were not notified until 85 days after the data loss because the VA did not have clear plans in place for coordinating with other agencies, which in this case was the Department of Health and Human Services.
"Until VA addresses recommendations to resolve identified weaknesses, it will have limited assurance that it can adequately protect its systems and information," the GAO said.