When News3 in Madison, Wisconsin started digging into a breach involving 637 veterans’ Social Security numbers, what they found should have everyone asking the VA some hard questions. Adam Schrager reports:
The Social Security numbers of Wisconsin veterans are being sent via email without encryption despite numerous federal laws and U.S. Department of Veterans Affairs regulations requiring personally identifiable information be password-protected.
It partly explains how a random Wisconsin veteran received an unsolicited email on April 1 with the Social Security numbers and disability claim information of hundreds of Wisconsin veterans. Since the Vietnam War, veterans’ file numbers or disability claim numbers have been their Social Security numbers.
A Wisconsin Department of Veterans Affairs spokesperson said the software program, Ironport, which is used by the federal VA, intentionally does not flag nine-digit numbers without dashes because of the concern that there would be too “many false positives.” She said nine-digit number sequences where dashes are used would require the person sending the email to encrypt it before it could be sent or to remove the nine-digit number sequence with the dashes.
But wait, it gets worse.
The veteran dutifully notified everyone about the breach, but things started to get ugly when the Wisconsin Dept. of Veterans Affairs started demanding that he and his advocate destroy all the records.
The veteran responded in an email obtained by News 3 that multiple groups were investigating the matter and he wanted to know if he was being asked to “destroy evidence.”
His answer came less than a month later when he and his advocate were sued in Dane County Circuit Court, in an effort to compel them to destroy all evidence of the email and the attachment.
And if that doesn’t frost your cookies, consider this: when the 637 veterans whose names and file numbers were in the attachment were notified of the breach and offered credit monitoring, they were told that the incident was a “one-time disclosure to one unauthorized individual, who is a Veteran.”
However, less than a week after that, the department’s own investigator determined that the data report inappropriately sent on April 1 had also been sent to “unaccredited recipients.”
Not only that, but apparently the USDVA Network Security Operations Center was “already aware of the problem of certain emails making it past the filter.”
Digging into it all further, News 3 found (unsurprisingly) that the April 1 incident was not an isolated incident at all.
On at least three other occasions (June 1, 2014, Oct. 1, 2014 and Dec. 1, 2014), the same data report was also sent unredacted to “unaccredited recipients,” or as defined by the VA, people who are not trained to view such personally identifiable information. In fact, the administrator doing the internal investigation is himself “unaccredited,” according to USDVA documents, and thus, not supposed to look at personally identifiable information of Wisconsin veterans such as the material erroneously sent.
You’d think that by now, the VA would have gotten its act together on this stuff. How is that these veterans’ information has been sent out without proper protections on at least four occasions to unaccredited recipients? If I was one of these veterans, I think I’d be looking for a lawyer to sue the VA already.
You can read Schrager’s full news story on Channel3000.com.