VA Investigator Blames IT Specialist, Lax Security For Major Data Loss

Investigators are saying the IT specialist who lost the external hard drive at the U.S. Department of Veterans Affairs failed to follow procedures that would have protected the data, and then he deleted and encrypted files to hide the extent of the data loss.

However, the VA's Office of Inspector General isn't stopping there with its criticism. James J. O'Neill, assistant inspector general for investigations, wrote in a report that managers did not follow security policies, failed to physically secure the building, gave the IT specialist too much access, and were not even physically present to oversee daily operations.

The VA, which has been plagued by lost computers in recent years, had earlier revealed that in late January an employee at the Birmingham, Ala., VA Medical Center reported an external hard drive missing. That drive, said the worker, may have contained veterans' personal files, some of which may have been stored on the drive in unencrypted form. The initial figures released to the public showed that 48,000 veterans' records were on the drive, and as many as 20,000 weren't encrypted.

Those numbers soon changed.

In February, The VA's Office of Inspector General announced it had determined that the lost data files may have included sensitive VA-related information on about 535,000 people. The investigation also has found that information on about 1.3 million non-VA physicians -- both living and dead -- could have been stored on the missing hard drive, as well. While VA officials say they believe most of the physician information is readily available to the public, some of the files may contain sensitive information.

The Inspector's report said the IT specialist, who was not named, delayed the investigation and accurate reporting of the extent of the loss.

The IT specialist encrypted and deleted multiple files from his computer shortly after he reported the data missing, making it more difficult to determine what was stored on his desktop computer, according to the report. "Initially, he denied deleting and encrypting files to criminal investigators," the report states. "However, after being confronted with the results of the OIG computer forensic analysis, he stated that he panicked and admitted deleting and encrypting the files in an attempt to hide the extent, magnitude, and impact of the missing data."

Leading up to the data loss, the IT specialist failed to password-protect files, and extracted identifiable patient information from records without authorization.

The report did not say how the hard drive was lost. It did, however, note that if policies had been followed in the VA's Birmingham, Ala. Office, where the breach occurred, the loss could have been avoided.

For instance, the inspector noted that a VA policy mandated that sensitive data stored on portable devices must be encrypted. However, the local administrator in Birmingham simply relied on workers not to remove the devices from the office and asked that they be locked in a safe when not in use.

"In fact, several employees elected not to store their external hard drives in the safe, and at least one employee took home an external hard drive that contained privacy protected information concerning VA employees," the report noted. "Also, there were no records of when the safe was accessed or whether its contents were inventoried and accounted for; access to the safe was not adequately limited; and once an employee opened the safe, that employee had access to all other employees' external hard drives."

The report also pointed out that administrators there gave the IT specialist access to more data than they should have. He also was given programmer-level access that allowed him to extract information from medical records. " In one instance, he inappropriately incorporated employee health records into a research database, compromising the privacy of VA employees and violating the terms of the protocol," the report stated.