X

Estimates on vets' data loss balloon

Anne Broache Staff Writer, CNET News.com
Anne Broache
covers Capitol Hill goings-on and technology policy from Washington, D.C.
See full bio
Anne Broache
2 min read

A portable hard drive that vanished from an Alabama veterans hospital late last month may have contained data on more than ten times as many veterans as previously suspected.

The U.S. Department of Veterans Affairs said it has discovered that a missing government-owned hard drive may have contained "sensitive VA-related information" on approximately 535,000 individuals. It was reported missing from the Birmingham VA Medical Center on January 22 and may have been stolen.

The department's investigation also determined that the missing drive may have housed information on approximately 1.3 million living and deceased non-VA physicians, according to a statement dated Feburary 10. That information is believed to be mostly publicly available but may contain some "sensitive" data, the department said.

Those numbers are far steeper than those initially reported by the office of Rep. Spencer Bachus (R-Ala.), whose district includes Birmingham. His office's early indication was that as many as 48,000 records may have been compromised, with as many as 20,000 of those not encrypted. A VA spokesman at the time could not confirm those figures because the investigation was ongoing.

In addition, the data housed on the device was not encrypted, and the employee who had possession of the drive has been put on administrative leave for violating the agency's security policies, the Associated Press reported Wednesday.

Although the department has no evidence that the data has been misused, VA Secretary Jim Nicholson said the agency planned this week to begin notifying individuals whose information may have resided on the drive. He said the department would also arrange for one year of free credit monitoring to anyone whose information was found to have been compromised.

The incident marks the third major data security bungle reported by VA officials in less than a year--most notable among them, the theft last May of equipment containing personal data on more than 26 million past and present military personnel. The latest episode is likely to spark a new round of questioning from a Congress already clamoring for new data breach regulations.