Veterans Ends Projects After Data Breach
WASHINGTON - Veterans Affairs Sec. Jim Nicholson has stopped activities at seven specialized research centers across the country after an unprotected computer hard drive disappeared from one of the facilities in Alabama last month.
In an internal memo obtained by The Associated Press, Nicholson called the department's latest data breach "tragic" and ordered the VA's Research Enhancement Award Programs to shut down until they are certified as meeting security standards.
The research centers focus on studies involving large amounts of data. The center in Birmingham, called the Deep South Center on Effectiveness, collects data for improving quality of care.
Writing to VA's top management on Thursday, Nicholson also said the department would begin unannounced inspections at VA sites nationwide.
"It is now clear to me that there are still too many VA employees, both in senior positions and elsewhere, who either still do not comprehend the seriousness of this issue, or who consciously disregard its seriousness," he wrote.
Nicholson has come under sharp criticism on Capitol Hill in the past year over a series of computer security failures that put sensitive personal information for millions of veterans at risk.
In the latest incident, a backup hard drive containing data such as Social Security numbers for up to 1.8 million veterans and physicians was reported missing Jan. 22 from a research site in Birmingham, Ala.
As a federal investigation proceeds, officials have remained tightlipped about the case. But in the letter, Nicholson wrote that the employee was a research assistant and the hard drive may have been stolen. The VA acknowledged earlier this week that the hard drive was not encrypted, a violation of the department's policy.
"This represents a failure of leadership in overseeing data security at Birmingham , a failure that may be widespread throughout our Department," Nicholson wrote.
VA officials have said the data on the missing hard drive, including for some 1.3 million non-VA physicians across the country, was being used for a study.
Similar sites are in Portland, Ore.; Denver, Colo.; East Orange, N.J.; San Francisco, Calif.; White River Junction, Vt.; and San Antonio, Texas.
VA spokesman Matt Burns confirmed the letter Friday. He said the security reviews would be expedited but that it is unclear how long the research would be interrupted.
"The benefits of any research must be weighed against the importance of protecting the information that's being used," he said.
The Birmingham disclosure comes after a string of similar incidents recently, including the theft last spring of data on 26.5 million veterans from a VA employee's home in Maryland.
In auditing the department's security procedures last year, federal investigators found weak management and lax rules.
Nicholson said in August the agency would upgrade its computers with encryption technology, making data unreadable for unauthorized users. The department also recently hired an outside firm to improve employee practices.
House Veterans Affairs Committee Chairman Bob Filner, D-Calif., said this week he plans to hold a hearing on the Birmingham incident later this month.
Rep. Artur Davis, a Birmingham Democrat, called Nicholson's actions "good steps" but said the memo underscores the need for legislation strengthening data requirements at government agencies.
On the Net:
VA's Research Enhancement Award Programs: