WASHINGTON - Veterans' personal data and health information remain at risk of identity theft because the Veterans Affairs Department has yet to implement several safety measures, government investigators said.
The report by the Government Accountability Office, released yesterday, comes more than one year after the VA pledged renewed security efforts following the loss of personal information for 26.5 million veterans and active-duty personnel. It found that the VA had not yet fully secured access to its computer network and department facilities, nor had it worked to ensure that only authorized changes and updates to VA computer programs were made.
Moreover, the VA has operated without a chief information security officer since June 2006 to oversee changes, and still lacks clear procedures for quickly notifying veterans when their sensitive data is lost, the report said.
Responding, VA Deputy Secretary Gordon Mansfield said he generally agreed with the findings but insisted the VA's data security was "legally adequate." Many of the recommendations, which were proposed a year ago by the GAO and the VA inspector general, are in the process of being implemented, he said.
In May 2006, the VA stunned the veterans community when it announced that thieves had stolen a computer hard drive containing millions of names, Social Security numbers, and birth dates from a VA employee's Maryland home.
The hard drive was eventually recovered intact, but not until after the VA suffered blistering criticism from Congress for waiting more than two weeks to call in the FBI. VA Secretary Jim Nicholson, who wasn't immediately informed either, said he was outraged and pledged to make the VA the "gold standard" in data security.
"The security regimen at VA has been totally revised," Nicholson, who steps down Oct. 1, reported to Congress this week. "I believe that this reorganization, and the modification and strengthening of our regulations governing IT, its use, and its security will minimize the risk of a significant data loss in the future."
Yesterday, the Government Accountability Office said the VA had made progress by developing a plan to correct identified weaknesses in its information technology system. But significant gaps remain, it said, because responsibility for overseeing VA data security is split among several offices and no clear process exists for the officials to work together.