An IT specialist at a US Department of Veterans Affairs (VA) medical centre who in January lost an external hard drive containing sensitive data belonging to over 1.5 million people failed to take proper measures to protect the data.
The specialist also initially lied about the scope of the breach and attempted to delete or encrypt several files on his computer after reporting the loss of the hard drive to VA authorities.
Those are some of the findings of a report released by VA Inspector General George Opfer. The 79-page report also blamed the Birmingham facility for repeatedly failing to undertake procedures necessary for protecting the data.
Opfer's report was based on an investigation of the circumstances surrounding the disappearance of the external hard drive. The drive was used to back up data related to VA research projects and included personally identifiable information belonging to about 250,000 veterans and an additional 1.3 million medical providers. The IT specialist was assigned to the Research Enhancement Award Program at the medical centre.
According to Opfer's report, the specialist maintained the data on his computer in a manner that violated the terms under which he was allowed to download and use the information. For instance, files containing sensitive data were not password-protected as they were supposed to be. Similarly, the files used in the research contained Social Security numbers — even though the specialist was not supposed to have extracted that information. Most of the files on the external hard drive were also not password-protected or encrypted, Opfer wrote.
After reporting the loss of the hard drive, the IT specialist tried to downplay its scope by providing inaccurate information on the number of records compromised. The specialist's attempts to delete and encrypt other information on his computer following the disclosure also made it difficult early on to determine the exact scope of the breach. As a result, the VA initially believed that only about 48,000 reports had been compromised by the loss of the disk.
"After being confronted with the results of the [Office of the Inspector General] computer forensic analysis, he stated that he panicked and admitted deleting and encrypting the files in an attempt to hide the extent, magnitude, and impact of the missing data," the report stated.
While recommending administrative action against the IT specialist, the Office of the Inspector General's report also blamed the Birmingham facility for its failure to ensure that proper safeguards were in use to protect against such compromises.
For instance, the IT specialist was not listed as being authorized by the medical centre to access some of the sensitive information he had in his possession. There were also no measures in place at that time for safeguarding data stored on external hard drives, Opfer noted. This was despite the fact that in August 2006, a policy had been announced prohibiting sensitive data on portable storage devices without encryption.
Even so, facility officials had not requested encryption software at the time of the incident. Instead, they depended "on employees not to remove external hard drives from the office and to store them in a locked safe when not in use — measures which were not adequately monitored by managers to ensure employee compliance", the report noted.
In his response, Robert Howard, VA CIO and assistant secretary for information and technology, concurred with Opfer's findings and said that steps are being taken to strengthen the security of sensitive data on removable storage devices. He also said measures are being established to ensure that only authorized individuals have access to sensitive data.