The Security Scrutinizer with Howard Anderson

VA Providing Online Breach Reports

VA Providing Online Breach Reports

Since May, Roger Baker, assistant secretary for information and technology, has held monthly press briefings to go over basic statistics. Now, he's also posting on a website the breach statistics that he provides to Congress each month. That way, everyone can keep track.

The latest report posted to the site is for July 5 through Aug. 1. During that period, the VA had no breach incidents affecting more than 500 veterans. Such incidents have to be reported to the Department of Health and Human Services' Office for Civil Rights.

So if you've been looking for a VA scorecard on data breaches, now you've got one. 

But the office's list of major breaches already includes five recent VA incidents, as I noted in an earlier blog.

In addition to those breach cases, the VA is still rebounding from a huge 2006 incident when an analyst conducting research downloaded information on 26.5 million veterans and active duty personnel to his personal laptop, which later was stolen and recovered.

And back in March, the office of the VA inspector general announced it was investigating a potential breach involving a former employee's laptop with information on patients at the Atlanta VA Medical Center. That investigation is continuing.

At a contentious Congressional hearing,this spring, the department was called to task for the recent breaches reported to the HHS Office for Civil Rights. Plus, a report from the Government Accountability Office said the VA has "made limited progress in resolving long-standing deficiencies in securing its information and systems."

In the wake of that hearing and the GAO report, Baker started his media calls. Now he's taken the extra step of publicly posting breach information.

The monthly reports on the website provide anecdotes about various types of incidents. For example, in one "information mishandling" incident in July, the wrong veteran received a copy of an order for prosthetic equipment that included another patient's Social Security number.

Here's a sampling of statistics reported for July 5-Aug. 1:

  • Two missing/stolen PCs, down from six in June;
  • Six missing/stolen encrypted laptops, down from 16 laptops in June, five of them unencrypted;
  • 13 lost Blackberries, down from 24 in June;
  • 66 incidents of internal e-mails that were not encrypted, as required, down from 74 in June;
  • 90 information mishandling incidents, up from 86 in June;
  • 103 mismailing incidents (such as more than one letter stuffed in an envelope), down from 119 in June;
  • Three incidents involving errors in tracking IT inventory, down from eight in June.

So far, the website, which went live Aug. 11, also includes two quarterly statistical wrap-ups provided to Congress as well a press release about the latest of the five recent major healthcare breaches, this one involving a missing binder containing paper records at VA North Texas Healthcare System.

So if you've been looking for a VA scorecard on data breaches, now you've got one.

About the Author

Howard Anderson

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.