GAO: VA at risk of another data breach

Weaknesses in the physical controls of laptops and other hardware at U.S. Department of Veterans Affairs (VA) facilities has put the agency in danger of suffering another data breach, according to the Government Accountability Office (GAO).

A GAO audit of physical controls at VA installations found more than 100 missing IT-related items, according to a report by government investigators released this week.

The VA suffered a massive data breach last May when a laptop was stolen from the Aspen Hill, Va., home of a department employee. The incident affected 26.5 million veterans and active-duty members of the U.S. Armed Forces.

The theft of any one of 53 missing computers noted by the GAO could result in another breach, according to the agency.

“Our assessment found that a weak overall control environment for IT equipment at the four locations we audited posed a significant security vulnerability to the nation's veterans with regard to sensitive data maintained on this equipment,” Valerie C. Melvin, director of human capital and management information systems issues at the GAO, testified before the U.S. Senate Committee on Veterans Affairs on Wednesday. “Our statistical tests of physical inventory controls at the four locations identified a total of 123 missing IT equipment items, including 53 computers that could have stored sensitive data. The lack of user-level accountability and inaccurate records on status, location and item descriptions make it difficult to determine the extent to which actual theft, loss or misappropriation may have occurred without detection.”

Melvin said that GAO audits of four locations - medical centers in Washington, D.C., Indianapolis and San Diego and VA headquarters - also turned up personal information.

“Further, our limited tests of computer hard drives in the excess property disposal process found hard drives at two of the four case study locations that contained personal information, including veterans' names and Social Security numbers,” reported the GAO.

A VA representative could not immediately be reached for comment.

The GAO also took the VA to task for its failure to implement its IT security management structure recommendations.

As of this month, the VA has implemented two of 22 recommendations made by its own inspector general, and two of four recommendations from the GAO.

“Because these recommendations have not yet been implemented, the department will be at increased risk that personal information of veterans and other individuals, such as medical providers, may be exposed to data tampering, fraud and inappropriate disclosure.”