VA: Data for 38,000 veterans missing
Latest security breach could put vets at risk of identity theft

Monday, August 7, 2006; Posted: 8:17 p.m. EDT (00:17 GMT)
http://www.cnn.com/2006/US/08/07/vets.data.ap/index.html

Secretary Jim Nicholson says the VA doesn't know what happened to the computer.

WASHINGTON (AP) -- As many as 38,000 veterans may be at risk of identity theft because a Veterans Affairs Department subcontractor lost a desktop computer containing their sensitive personal data.

VA Secretary Jim Nicholson said that Unisys Corp., a subcontractor hired to assist in insurance collections for VA medical centers in Philadelphia and Pittsburgh, Pennsylvania, reported the missing computer last Thursday. The computer was being used in Unisys offices in Reston, Virginia.

It is not yet known what happened to the computer, Nicholson said, adding that local and federal authorities are investigating.

The computer is believed to contain names, addresses, Social Security numbers, dates of birth, insurance carriers and claims data including medical information for veterans who received care at the hospitals in Philadelphia and Pittsburgh during the past four years.

According to initial estimates, the data covered about 5,000 patients treated at Philadelphia, 11,000 treated at Pittsburgh and 2,000 deceased patients. The VA is investigating whether the information also may have covered 20,000 who received care through the Pittsburgh medical center.

Ted Davies, a managing partner at Unisys, said a company employee who regularly used the desktop computer reported it missing July 31. Company officials then scoured the building three times and sought to determine what data was lost before reporting it to the VA last Thursday.

The computer was located in a building with security guards and on a floor where security cards are required for access, and there were no signs of break-in, he said. The computer was password protected, but the data was not encrypted.

"This is a high priority for our company to determine what happened," Davies said.

String of data breaches
The disclosure comes after a string of recent data breaches at the VA, including the May 3 theft of 26.5 million veterans' personal data from a VA employee's home in suburban Maryland. The laptop and external drive containing that information has since been recovered, and two teens were arrested Saturday as part of what appeared to be a routine burglary.

In recent weeks, the VA has also acknowledged losing sensitive data for more than 16,000 veterans in at least two other cases in Minneapolis, Minnesota, and Indianapolis, Indiana.

Nicholson said in a statement Monday that the VA was working with Unisys to notify those veterans affected and to provide credit monitoring if appropriate.

"VA is making progress to reform its information technology and cyber security procedures, but this report of a missing computer at a subcontractor's secure building underscores the complexity of the work ahead," Nicholson said.

Lawmakers were critical of the VA. Rep. Lane Evans of Illinois, the top Democrat on the House Veterans' Affairs Committee, called the latest data breach "yet another wake-up call."

"Today's announcement by the VA that sensitive personal information of veterans was compromised by a VA subcontractor last week confirms that the VA must move quickly to protect the information it maintains on veterans and their families," Evans said.

"I am absolutely appalled that another computer containing the personal information of veterans has gone missing," said Sen. Rick Santorum, a Pennsylvania Republican. "Those responsible must be held accountable, and the VA clearly needs to do a better job of overseeing its contracting entities."