WASHINGTON (AP) – Veterans Affairs Secretary Jim Nicholson accepted responsibility Thursday for the theft of personal information for 26.5 million military personnel and veterans.

But in doing so, Nicholson also told Congress that improving security measures won’t happen overnight.

“I am totally outraged as to this loss of this data and the fact that an employee will put veterans at risk,” Nicholson told the House Committee on Government Reform. “But it is my responsibility now to fix this. It is doable. It won’t be easy and it won’t be overnight because we will have to change the culture.”

He pledged several new initiatives to protect private information, saying he ordered that no personal laptop would be allowed to access the VA network after the May 3 theft at a VA data analyst’s home. About 35,000 VA employees who telecommute currently have some level access to the sensitive information on laptops.

“We remain hopeful this was a common random theft and that no use will be made of this data,” Nicholson said. “However, certainly we cannot count on that.”

That drew a stern response from Rep. Henry Waxman, D-Calif.

“Secretary Nicholson, you blame this on an employee who was fired, on a culture, on people doing what they’re not supposed to be doing,” Waxman said. “That doesn’t sound like we’re getting to the heart of this with passing the buck.”

Congress is trying to determine whether the VA took proper steps to guard against the unauthorized disclosure of personal information. In a March report card, the VA was one of eight departments given failing grades by the government reform committee for computer security practices.

Rep. Tom Davis, chairman of the committee, also said he wants to know why the VA is still trying to figure out what information was lost after the records were stolen from the data analyst’s Aspen Hill, Md., home on May 3. “The bond of trust owed to whose who served has been broken,” he said.

Earlier this week, Nicholson acknowledged that the stolen data – which was stored on the employee’s personal laptop – included personal information on about 2.2 million active-duty military, Guard and Reserve personnel. The agency originally said over the weekend that the number was 50,000.

Under questioning, Nicholson also said:

• Local police believe the burglars were not specifically targeting the sensitive data. Recent crimes in the area involved young thieves who stole computer equipment from homes, cleaned out the data and then sold them on college campuses and high schools.

• The VA will look after the best interest of veterans and military personnel should there be identity theft. But Nicholson would not say whether that would include financial compensation. “We have coordinated closely with the three major credit agencies to make available to every citizen a free credit check and credit alert.”

• The VA has determined that the breached information for 300 of the 26.5 million people included disability ratings. The annotations included notes such as whether a veteran had asthma or a herniated disk.

Veterans groups have criticized the VA for a three-week delay in publicizing the burglary. The VA initially disclosed the burglary May 22, saying it involved the names, birth dates and Social Security numbers – and in some cases, disability codes – of veterans discharged since 1975.

Since then, it has also acknowledged that phone numbers and addresses of many of those veterans also may have been included.

Rep. Chris Shays, R-Conn., said he was concerned that lax security practices might be widespread in several agencies, adding that there was no excuse for the VA breach.

“It is beyond stupid to take out sensitive documents,” he said.