VA Providing Online Breach Reports
The Department of Veterans Affairs has taken another step toward being more transparent about data breaches at its healthcare and other units.
Since May, Roger Baker, assistant secretary for information and technology, has held monthly press briefings to go over basic statistics. Now, he's also posting on a website the breach statistics that he provides to Congress each month. That way, everyone can keep track.
The latest report posted to the site is for July 5 through Aug. 1. During that period, the VA had no breach incidents affecting more than 500 veterans. Such incidents have to be reported to the Department of Health and Human Services' Office for Civil Rights.
But the office's list of major breaches already includes five recent VA incidents, as I noted in an earlier blog.
In addition to those breach cases, the VA is still rebounding from a huge 2006 incident when an analyst conducting research downloaded information on 26.5 million veterans and active duty personnel to his personal laptop, which later was stolen and recovered.
And back in March, the office of the VA inspector general announced it was investigating a potential breach involving a former employee's laptop with information on patients at the Atlanta VA Medical Center. That investigation is continuing.
At a contentious Congressional hearing this spring, the department was taken to task for the recent breaches reported to the HHS Office for Civil Rights. Plus, a report from the Government Accountability Office said the VA has "made limited progress in resolving long-standing deficiencies in securing its information and systems."
In the wake of that hearing and the GAO report, Baker started his media calls. Now he's taken the extra step of publicly posting breach information.
The monthly reports on the website provide anecdotes about various types of incidents. For example, in one "information mishandling" incident in July, the wrong veteran received a copy of an order for prosthetic equipment that included another patient's Social Security number.
Here's a sampling of statistics reported for July 5-Aug. 1:
- Two missing/stolen PCs, down from six in June;
- Six missing/stolen encrypted laptops, down from 16 laptops in June, five of them unencrypted;
- 13 lost Blackberries, down from 24 in June;
- 66 incidents of internal e-mails that were not encrypted, as required, down from 74 in June;
- 90 information mishandling incidents, up from 86 in June;
- 103 mismailing incidents (such as more than one letter stuffed in an envelope), down from 119 in June;
- Three incidents involving errors in tracking IT inventory, down from eight in June.
So far, the website, which went live Aug. 11, also includes two quarterly statistical wrap-ups provided to Congress as well as a press release about the latest of the five recent major healthcare breaches, this one involving a missing binder containing paper records at VA North Texas Healthcare System.
So if you've been looking for a VA scorecard on data breaches, now you've got one.