In what is become a fairly familiar routine for them of late, the US Department of Veterans Affairs is investigating a potential data breach - the theft of three computers containing personal data on potentially 12,000 individuals.
Two PCs and one laptop containing that data were stolen from a medical facility in Indiana - ironically enough, on Veterans Day. The records belong to patients who were treated at the hospital and include Social Security numbers and other personally identifiable information.
"It appears from this most recent breach that there are still some in the Veterans Affairs, even some responsible for the security of such data, who don't realise the importance of the security of the names and data of our veterans," Congressman Steve Buyer said in a statement.
According to Buyer, Veterans Affairs notified his office of the breach late last week and are working on ascertaining the names and data of the people who might have been affected by the theft.
Buyer was the chairman of the House Veteran Affairs Committee last year and held 16 hearings on Veterans Affairs information technology with eight of them specifically on IT security. The hearings were designed to identity the issues that led to the loss of a laptop and hard disk containing personal data on over 26.5m veterans in May last year.
That incident led to a sweeping overhaul of the Veterans Affairs’ IT organisation and more direct power being bestowed on the office of the chief information officer to make needed security changes.
"It is inexcusable that the Veterans Affairs repeatedly fails to comply with its own policy to safeguard veterans' personal information," Buyer said, adding that the agency needed to provide full credit monitoring to all those affected in the latest breach.
The theft is the latest in a string of similar incidents that have occurred at the Veterans Affairs before and after the massive data breach in May 2006.
On 22 January 2007, an IT specialist at a Veterans Affairs medical centre in Alabama reported a missing hard disk containing personal data on over 250,000 veterans and an additional 1.3m medical providers.
In August of last year, at the height of uproar over the May breach, the Veterans Affairs disclosed that Unisys, a subcontractor hired to assist in insurance collections for Veterans Affairs medical centres reported a missing computer containing personal data on over 16,000 veterans.
During a Buyer hearing into the May 2006 breach, Veterans Affairs officials disclosed several other prior security incidents that had happened at the department, including the loss of a back-up tape containing legal and case related information on 16,500 veterans from Indianapolis . Also disclosed during the hearing was another breach, this one involving the loss of social security numbers and other personal data on 66 veterans; their data was compromised when a Veterans Affairs auditor put the papers with the data in the trunk of a rental car that was later stolen.