Report on Veterans Affairs Data Breach Points to Wide Failures

The Veterans Affairs data analyst who lost sensitive information on 26.5 million veterans showed poor judgment by taking the data home, but his supervisors are also to blame for lax policies, investigators said Tuesday.

In a blistering report, Veterans Affairs inspector general George Opfer detailed a series of missteps, inadequate security measures and a general lack of concern leading to the May 3 burglary at the data analyst's suburban Maryland home.

Opfer found that the data analyst, whose name was being withheld, did not have permission to take the data home and had stored the data on his personal equipment for a self-described "fascination project" that he initiated and worked on at home on his own time.

However, a chain of the employee's supervisors, leading up to Deputy Secretary Gordon Mansfield, unreasonably put veterans at risk by failing to publicize the crime until nearly three week after the May 3 burglary, the report found. The laptop has since been recovered.

"At nearly every step, VA information security officials with responsibility for receiving, assessing, investigating or notifying higher-level officials of the data loss reacted with indifference and little sense of urgency or responsibility," the report stated.

It urged VA Secretary Jim Nicholson to take "whatever administrative action" deemed appropriate to punish the individuals involved and prevent future data losses. "More needs to be done," it said.