WASHINGTON (AP) – The Veterans Affairs data analyst who lost sensitive information on 26.5 million veterans showed poor judgment by taking the data home, but his supervisors are also to blame for lax policies, investigators said Tuesday.

The FBI has determined with a high degree of confidence that the sensitive files were neither compromised nor accessed, the VA announced. The bureau recently completed a full forensic analysis of the stolen laptop and external drive, which were recovered on June 29.

In a blistering report, Veterans Affairs inspector general George Opfer detailed a series of missteps, inadequate security measures and a general lack of concern in the events leading to the May 3 burglary at the data analyst’s suburban Maryland home.

Opfer found that the data analyst, whose name was being withheld, did not have permission to take the data home and had stored the data on his personal equipment for a project that he initiated and worked on at home on his own time.

However, a chain of the employee’s supervisors, leading up to Deputy Secretary Gordon Mansfield, unreasonably put veterans at risk by failing to publicize the May 3 burglary until nearly three weeks later, the report found. The laptop has since been recovered.

“At nearly every step, VA information security officials with responsibility for receiving, assessing, investigating or notifying higher-level officials of the data loss reacted with indifference and little sense of urgency or responsibility,” the report stated.

It urged VA Secretary Jim Nicholson to take “whatever administrative action” deemed appropriate to punish the individuals involved and prevent future data losses. “More needs to be done,” it said.

In his written response, Nicholson acknowledged the information weaknesses and pledged to turn the department around. “All employees will be held accountable for safeguarding the private information entrusted to us by veterans and beneficiaries,” he said.

Lawmakers immediately called on Nicholson to take decisive action. In recent weeks, two of the data analyst’s supervisors, VA deputy assistant secretary Michael McLendon and Dennis Duffy, the acting head of the division in which the data analyst worked, have resigned or been put on administrative leave.

“The IG report released today on VA’s data theft reiterated what we learned in our recent hearings – weak information security policies and a lack of central authority over information management left the department vulnerable to massive breaches,” said Rep. Steve Buyer, R-Ind., chairman of the House Veterans Affairs Committee.

Rep. Lane Evans of Illinois, the top Democrat on the panel, said the secretary “should follow up with bold and decisive administrative action.”

The theft, which involved names, birth dates and Social Security numbers of veterans and active-duty troops, spread fear of identity theft in what had become the government’s worst information security breach.

According to the IG’s report, the data analyst had received permission to take veterans’ sensitive information home on a VA laptop since 2003. But in January, he turned in the government computer and began storing information on his personal laptop and external drive.

The employee, who had been praised in evaluations for outstanding work and for being “hardworking” and motivated, then began using the information for a work-related project on his own initiative without his supervisors’ knowledge.

“The loss of VA data was possible because the employee used extremely poor judgment when he decided to take personal information pertaining to millions of veterans out of the office and store it in his house without password protecting and encrypting the data,” the report stated.

After the theft, the data analyst immediately notified an information security officer. But in a series of delays, the officer waited two days to write a report, which was then submitted to McLendon, who asked for a rewrite of the report and waited several days before telling his supervisor, Duffy.

By May 10, deputy secretary Mansfield and chief of staff Thomas Bowman had been told but waited for a legal assessment before finally informing Nicholson on May 16. The public was notified on May 22.

“No one clearly identified it as a high-priority item and no one followed up,” the report stated.

The report recommended a clear, concise VA policy on safeguarding protected information; a VA-wide policy for contracts for services that requires access to protected information; and consistent criteria for reporting, investigating and tracking reports of data thefts.



On the Net:

A copy of the report can be found at: http://www.va.gov/oig/

AP-ES-07-11-06 1927EDT



Only subscribers are eligible to post comments. Please subscribe or to participate in the conversation. Here’s why.

Use the form below to reset your password. When you've submitted your account email, we will send an email with a reset code.