
The Veterans Affairs department has suffered several data breaches

The Veterans Affairs Department has suffered yet another high-profile data breach, as the personal information of around 4,000 veterans was compromised in two separate incidents. Both data thefts were disclosed during a hearing led by Rep. Harry Mitchell, who is the House Veterans' Affairs subcommittee chairman. 

About 600 veterans were put at risk when VA contractor Heritage Health Solutions had an unencrypted notebook stolen after a thief broke into a vehicle, it was revealed during the meeting.  Days later, a medical lab in Texas had a log book taken that contained the personal information of 3,265 veterans, but other details weren't disclosed.

The Government Accountability Office (GAO) said the VA has attempted to tighten its security rules, but the contract between the VA and Heritage Health Solutions didn't include mandatory data encryption. Specifically, Rep. Steve Buyer (R-Ind.) said 25 of 69 contracts contain nothing related to encrypted data -- something that should change in the future, security experts said.

In late May 2006, thieves stole information on 26.5 million veterans, including Social Security numbers and birth dates, after the information was taken home without permission.  The missing laptop was recovered a month later, and two teenagers were arrested in August for the theft.  Since then, Congress has attempted to create new rules to hold the VA accountable for data thefts, though it's unknown what type of information security rules were implemented.



Comments

so what was stolen?
By Alphafox78 on 5/20/10, Rating: 0
RE: so what was stolen?
By SlickRoenick on 5/20/2010 9:33:04 AM , Rating: 2
You aren't part of the majority there.


RE: so what was stolen?
By Alphafox78 on 5/20/2010 9:45:57 AM , Rating: 1
did you have a sex change or something? so someone sees you had your tonsils removed, big whoop.


RE: so what was stolen?
By MrBlastman on 5/20/2010 9:51:18 AM , Rating: 3
You'd be surprised what an insurance company will try to use against you when applying for a life insurance policy. Small things can mean hundreds of dollars in premiums.


RE: so what was stolen?
By Proxes on 5/20/2010 10:00:15 AM , Rating: 2
And life insurance companies don't have to steal your records to get that information. Either you release the records so they can have them or you don't get life insurance.

Then you have to do a recorded medical and lifestyle phone interview; so if anything happens they can use it against you in a court of law.


RE: so what was stolen?
By Lord 666 on 5/20/2010 10:15:44 AM , Rating: 2
Plus, when your insurance is verified, they use SS numbers to check against.

So theoretically, if someone has access to your EHR record, they have everything all nicely laid out for them to enable identity theft; dob, address, phone numbers, and ss.


RE: so what was stolen?
By MrBlastman on 5/20/2010 10:28:18 AM , Rating: 2
quote:
Either you release the records so they can have them or you don't get life insurance.


Not true. As it is now, they can require you to get a physical exam by a doctor or they can require you to submit answers to a questionnaire about your medical history. Of course, lying on the questionnaire is a felony (not worth the risk at all) but that does not stop people from doing so while hoping the insurance company doesn't know otherwise. If they somehow had access to your private records, they could then use them against you.

Not all insurance companies require the phone interview as a matter of fact.


How hard is it...
By MrBlastman on 5/20/2010 8:09:46 AM , Rating: 2
To encrypt laptops with sensitive information? Here's a hint: It isn't! My laptop is encrypted with PGP's portable encryption scheme--if anyone wants to use it, they first have to get past the PGP boot screen (before the OS is loaded) and enter the proper passphrase to proceed. If it fails, the computer won't boot. If they try to take the HD out and read it, good luck, total drive encryption.

The VA should try it too! Actually, _any_ company that has sensitive data floating around on a laptop should consider it. The fact is, employees will lose laptops or they will get stolen. They might not even do it intentionally, but, these things happen.

Total drive encryption is extremely cheap insurance and can save a company millions in PR expenses as well as client compensation for their information being compromised.




RE: How hard is it...
By Lord 666 on 5/20/2010 8:20:02 AM , Rating: 2
Does it require a TPM chip? What is the performance hit and are you using it with an Atom cpu?


RE: How hard is it...
By MrBlastman on 5/20/2010 9:10:11 AM , Rating: 2
No, it does not. It is PGP Desktop, Total Disk Encryption. As far as performance hit--not too bad at all actually, there is some but my CPU is pretty slow to begin with being a 1.6 GHz Pentium M. I bought the laptop back in 2005.


I wonder
By afkrotch on 5/20/2010 8:49:31 PM , Rating: 2
Makes me wonder if I can get the VA to wipe all the data they might have on me. Can't lose what they don't have.




RE: I wonder
By marvdmartian on 5/24/2010 11:50:06 AM , Rating: 2
Makes me glad I never contacted them, after I got out, to deal with any of the little medical things I could have had them take care of.

Of course, they have everyone's information for non-medical related things, like their home loan guarantee, etc, so I guess it doesn't matter much, eh?


Data loss
By Autisticgramma on 5/20/2010 11:20:43 AM , Rating: 2
I have interacted with the VA via different contractors. I found their network policies to be quite locked down. While I haven't been to every field office or VA hospital, every laptop I ever touched was equipped with full drive encryption.
I'm not sure what this contractor/contracting officer were/are thinking, but this is not a standard situation by any means. Regardless of the exact wording of the contract, there are multiple documents/directives that cover this and place responsibility directly with the owner of the equipment. This is a contractor failing in their DUTY of data protection. Contract needs to be terminated with prejudice.




Yet another SNAFU
By knutjb on 5/20/2010 6:45:04 PM , Rating: 2
For those who haven't dealt with the VA they are for the most part nice people who try to do their best. Unfortunately with the new Health Care Law this is just a glimpse of what all of you will get to experience.

I have received 5 or 6 letters from them telling me oops. A commercial entity typically has more motivation to protect such info because they are on the hook financially. Workers who cause such occurrences will likely be fired because of the great expense to the company.

Those in the government don't have those motivations because it is very hard to fire even the worst federal employee and most think we can't go bankrupt. We, the taxpayer, are the ones who pay so the VA can give access to credit reports for all SSNs for a year.

Yes I know you can get one free, but that is only one and who knows when the thief will access it.

Copyright 2012 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki