In a scathing report issued Tuesday, the inspector general’s office in the Department of Veterans Affairs blamed VA officials for acting “with indifference and little sense of urgency” to the May 3 burglary of a laptop containing the Social Security numbers of 26 million veterans.
The report, issued two weeks after the FBI recovered the laptop and determined that its data had not been accessed, criticized the employee who took the computer home, saying that he showed “extremely poor judgment” and that he downplayed any potential risk to veterans.
But the report also criticized VA employees up and down the line. “At nearly every step, VA information security officials with responsibility for receiving, assessing, investigating or notifying higher-level officials of the data loss reacted with indifference and little sense of urgency or responsibility,” the report said.
As a result, 12 days after receiving the original incident report, the security officials “had made no meaningful progress in assessing the magnitude of the event,” according to the inspector general’s report, “and, ironically, had passed responsibility to gather information on the incident back” for review as a possible privacy issue.
VA Secretary Jim Nicholson, who told Congress he was “mad as hell” about his department’s handling of the incident, did not learn of the theft until 13 days after it occurred. “The delay in notifying the secretary was spent waiting for legal advice ... [and] can be attributed to a lack of urgency on the part of those requesting this advice,” the report said.
The unnamed employee, who has been fired, told investigators he was working on a “fascination project” to identify the 7,000 veterans who responded to the 2001 National Survey of Veterans and compare the accuracy of their answers with data on file.
After the burglary, the employee “was so flustered he decided not to discuss the matter,” according to the information security officer who interviewed him.
As the employee’s report of the theft traveled up the hierarchy, a series of bureaucratic tangles further thwarted its path. Deputy Assistant Secretary for Policy Michael H. McLendon, on learning of the theft two days after it occurred, decided to rewrite the report, saying it was inadequate and did not appropriately address the event. He submitted his report May 8.
McLendon’s revisions “were an attempt to mitigate the risk of misuse of the stolen data,” said the report, by pointing out the information was protected by software and “difficult to access.”
But that assertion was false, the inspector general’s report said, “because we were able to display and print portions of the formatted data without using the software program.”
McLendon’s supervisor, Dennis Duffy, acting assistant secretary for policy, planning and preparedness, sent the report to VA Chief of Staff Thomas G. Bowman on May 10 without determining “the magnitude of the stolen data” or even talking to the employee.
The report also faulted Nicholson, saying that despite his steps to increase the department’s computer security training and awareness, “more needs to be done to ensure protected information is adequately safeguarded.”
Nicholson agreed with the findings and promised that the VA would “become a gold standard and recognized leader in security of personal information.”
Democrats lashed out at Nicholson, a former chairman of the Republican National Committee. A senior member of the House Veterans’ Affairs Committee, Rep. Bob Filner of Chula Vista, criticized “the casual and incompetent handling of veterans’ personal information.” He added: “That it took so long for the news of the theft to reach the public is an indictment of departmental leadership.”