It took five months and a 79-page report to do it, but the Department of Veterans Affairs has finally pointed its finger for a high-profile data breach.
The VA’s Office of the Inspector General blames the IT specialist and two directors at the Birmingham, Alabama VA Medical Center for the January loss of an external hard drive that contained confidential information on 250,000 veterans and 1.3 million medical providers. Its report, issued late last week, says the director and associate director of the Birmingham center’s Research Enhancement Award Program (REAP) did not enforce policies that were in place to protect sensitive data, and they improperly allowed the IT specialist access to confidential information. The report also slams the IT specialist for not safeguarding the personal information and for not cooperating with the initial investigation into the missing hard drive.
Among the findings in the report:
- The IT specialist provided inaccurate information to investigators looking into the hard drive’s disappearance.
- Data loss is a “systemic problem throughout the government.”
- A policy that prohibits the storage of unencrypted sensitive data on portable devices was ignored.
- The IT specialist was granted access to information to which he was not entitled.
- The REAP director and associate director had their VA email automatically forwarded to external accounts, in violation of policy.
Assistant Inspector General James O’Neill, who wrote the report, recommends taking “appropriate action” against the IT specialist, the REAP director and associate director, as well as the the medical center director and another administrator, for their roles in the incident. The report came out one day after SearchSecurityChannel.com posted this story on channel opportunities in government security, “Government computer security upgrades bring more channel work.”