Weaknesses in the physical controls of laptops and other hardware at U.S. Department of Veterans Affairs (VA) facilities have put the agency in danger of suffering another data breach, according to the Government Accountability Office (GAO).
A GAO audit of physical controls at VA installations found more than 100 missing IT-related items, according to a report by government investigators released this week.
The VA suffered a massive data breach last May when a laptop was stolen from the Aspen Hill, Va., home of a department employee. The incident affected 26.5 million veterans and active-duty members of the U.S. Armed Forces.
The theft of any one of 53 missing computers noted by the GAO could result in another breach, according to the agency.
“Our assessment found that a weak overall control environment for IT equipment at the four locations we audited posed a significant security vulnerability to the nation’s veterans with regard to sensitive data maintained on this equipment,” Valerie C. Melvin, director of human capital and management information systems issues at the GAO, testified before the U.S. Senate Committee on Veterans Affairs on Wednesday. “Our statistical tests of physical inventory controls at the four locations identified a total of 123 missing IT equipment items, including 53 computers that could have stored sensitive data. The lack of user-level accountability and inaccurate records on status, location and item descriptions make it difficult to determine the extent to which actual theft, loss or misappropriation may have occurred without detection.”
Melvin said that GAO audits of four locations – medical centers in Washington, D.C., Indianapolis and San Diego and VA headquarters – also turned up personal information.
“Further, our limited tests of computer hard drives in the excess property disposal process found hard drives at two of the four case study locations that contained personal information, including veterans’ names and Social Security numbers,” reported the GAO.
A VA representative could not immediately be reached for comment.
The GAO also took the VA to task for its failure to implement its IT security management structure recommendations.
As of this month, the VA has implemented two of 22 recommendations made by its own inspector general, and two of four recommendations from the GAO.
“Because these recommendations have not yet been implemented, the department will be at increased risk that personal information of veterans and other individuals, such as medical providers, may be exposed to data tampering, fraud and inappropriate disclosure.”