A dishonest IT specialist, lack of encryption and insufficient physical security controls may have contributed to the disappearance of a U.S. Department of Veterans Affairs (VA) external hard drive that contained the personal information of 1.8 million people, an Office of Inspector General (OIG) report has concluded.
The device, reported missing in February from the Birmingham VA Medical Center in Alabama, was initially said to contain about 48,000 personally identifiable records. But the IT specialist responsible for the hard drive provided inaccurate information, according to the report written by James O’Neill, assistant inspector general for investigations.
"After being confronted with the results of the OIG computer forensic analysis, he stated that he panicked and admitted deleting and encrypting the files in an attempt to hide the extent, magnitude and impact of the missing data," O’Neill wrote.
Given the IT specialist’s access rights, he posed a higher risk than was documented and therefore did not undergo as comprehensive a background check as he should have, the report said.
The external hard drive, used to back up research project data on the specialist’s computer, still has not turned up and there have been no substantive leads, officials said. None of the information has been used fraudulently.
The report also criticized the director of the VA hospital’s Research Enhancement Award Program department, where the IT specialist worked, for not mandating the deployment of encryption software, thereby violating organization policy.
The director, instead, "instituted a less reliable method of protection by depending on employees not to remove external hard drives from the office and to store them in a locked safe when not in use – measures which were not adequately monitored by managers to ensure employee compliance."
The director and managers frequently were not on site to "supervise and manage" the office, the report added.
Physical security controls also were lacking at the site, the report said. This included difficulties locking the main entrance because the door did not close properly.
The situation was aggravated by the office’s location "in an area noted in local media reports as requiring off-duty patrols in the evening because of panhandlers and substance abusers," according to the report.
Michael Kussman, the VA undersecretary for Health, agreed with the findings and recommendations, including taking administrative action against the employee and the director for the addressed shortfalls.
"I am unwavering in my commitment to learn from this incident and further improve data security controls and access," he said.
The incident occurred roughly 10 months after a laptop was stolen from the home of a VA employee, containing the records of more than 26.5 million veterans and active duty personnel. The resulting fallout led to the resignation of VA Chief Information Security Officer Pedro Cadenas in July after just three months on the job.
In an interview with Government Executive last summer, Cadenas criticized the agency for not letting him implement changes during his stint.
Click here to email reporter Dan Kaplan.