Printer Friendly Page

       

---------------

REPUBLICAN PRESS RELEASE

March 1, 2007

Foot dragging, culture of indifference cited at subcommittee hearing on VA data loss

Washington D.C. — On Wednesday, the House Committee on Veterans’ Affairs Subcommittee on Oversight and Investigations held a hearing on the January loss at the Birmingham, Ala., Department of Veterans Affairs (VA) medical center of data belonging to more than 500,000 veterans and 1.3 million non-VA health care providers. Subcommittee Ranking Member Ginny Brown-Waite (R-Fla.), criticized bureaucratic responses to subcommittee questions from VA officials, the Government Accountability Office and VA’s Office of the Inspector General.

"Last year the VA and Secretary Nicholson promised us that they were going to meet the “Gold Standard” of IT security in the U.S. government,” Brown-Waite said. “What I heard today was a lot of bureaucratic foot dragging, complicated flow chart proposals, and no real action on ensuring our veterans’ privacy is protected. It seems to me there is a lack of willpower to enforce IT security at the VA by top administrators, and a Paleolithic civil service hiring and firing system that lets employees who violate the data security guidelines keep their jobs. Either way, it’s high time we held someone accountable for these types of actions.”

On January 22, 2007, an employee of the VA hospital in Birmingham allegedly lost control of the sensitive data. The compromised information includes the names of non-VA health care providers who have ever billed Medicare or Medicaid. This information also includes their universal provider identification numbers and state medical license numbers, creating the potential for fraud. It is not known if the data was lost or stolen. This follows the massive breach last year at the VA that compromised the data of some 26.5 million veterans and 2.5 million active duty and family members.

“I was also astounded to hear that the VA does not have a plan in place, more than a month after the loss of data occurred, to notify the doctors and medical care providers whose data was compromised. These health care providers are the front line in helping meet the critical care needs of our nation’s health care consumers,” Brown-Waite said, noting that these providers may now be exposed to identity theft, and may have fraudulent claims and billings made in their names to Medicare and Medicaid.

“It is clear to me from this hearing that there is a culture at the VA that says, ‘do as you wish, not as the regulations say’. For far too long there have been serious IT breaches, with significant losses of personal data, and little change in the culture or administration,” Brown-Waite said. “I can tell you that this subcommittee is fed up with the foot dragging and will be taking further action to make positive changes within the VA.”

“Between 1998 and 2005, the General Accounting Office identified weaknesses in data security and made over 150 recommendations to the VA on implementing effective controls on information security,” said subcommittee member Cliff Stearns (R-Fla.). “The VA's own Office of the Inspector General has published reports on information security at the department annually, and I am concerned that the same 16 recommendations from fiscal year 2004 remain unaddressed. Three critical areas of concern were highlighted in the OIG’s latest report, concluding that the VA is vulnerable to disrupting virus attacks, disruption of mission-critical systems and unauthorized access to sensitive data.”

Stearns has called for VA to hold officials accountable for data security and VA officials pledged to tighten security in response to last year's security breach.

“The VA has the capability of storing encrypted data and to prevent unauthorized access though passwords, yet the data loss in Birmingham was not encrypted and stored on a vulnerable external drive,” Stearns said, calling for VA officials at the highest levels to commit to changing the VA culture that fails to secure personal information.

---------------

Larry Scott

Click here to make VA Watchdog dot Org your homepage