The Department of Veterans Affairs (VA) is again warning veterans their identity may be at risk following the theft of an unencrypted laptop from the agency’s New York Harbor Healthcare System.
The breach affects veterans who receive pulmonary care at the hospital, according to an Oct. 20 letter to veterans, released Wednesday by U.S. Rep. Carolyn Maloney, D-N.Y. The computer, stored in a locked room at the time of the theft, contained personal information, including names, Social Security numbers and diagnosis data, the letter said.
About 1,600 veterans were affected by the Sept. 6 theft, VA spokeswoman Jo Shuda told SCMagazine.com. She was unsure if the laptop was encrypted. Duplicate patient listings incorrectly placed the number of affected vetersans at 2,400 earlier in the day, according to VA officials.
"It is difficult to assess the possibility that your personal information could be accessed from this computer," the letter said. "However, given that personal information is on the computer, a credit monitoring service will be purchased for all veterans potentially impacted by this incident."
The laptop eventually was turned in to police, and authorities do not believe any sensitive data was accessed. Since then, the VA has mandated all laptops be encrypted and, earlier this week, confirmed former U.S. Army Maj. Gen. Bob Howard as the new assistant secretary for information and technology at the VA.
"VA will become the gold standard in government for securing information, and Bob Howard has the technical expertise and managerial skill to help us achieve that objective," VA Secretary Jim Nicholson said Monday in a statement.
Still, Maloney – who represents some victims of the most recent breach – said she is not satisfied with the VA's security response.
"The VA seems to be mishandling this situation at every step of the way," she said. "First they lost yet another computer, then they waited almost two months to tell the veterans that their identities might be at risk. When is the VA finally going to get serious about protecting veterans' personal data?"
In the New York case, the laptop was not encrypted because it is a medical device, Shuda said. However, 82 percent of non-medical laptops managed by the healthcare system have been encrypted, she said.
Click here to email reporter Dan Kaplan.