I posted this yesterday to DataBreaches.net, but am posting it here, too, because even though the coverage so far doesn’t specifically mention that veterans’ health data were involved, it is a distinct possibility. Also, in updates to this story, it seems that the April 22 laptop theft affected 616 veterans, not 644 as originally reported:
Bob Brewin reports on a breach that I don’t think we knew about here:
A laptop belonging to a contractor working for the Veterans Affairs Department was stolen earlier this year and the personal data on hundreds of veterans stored on the computer was not encrypted, a violation of a VA information technology policy, said the top-ranking Republican on the House Veterans Affairs Committee.
The VA reported the theft of the laptop from an unidentified contractor to the committee on April 28 and informed members the computer contained personally identifiable information on 644 veterans, including data from some VA medical centers’ records, according to a letter Rep. Steve Buyer, R-Ind., sent to VA Secretary Eric Shenseki.
The VA declined to identify the contractor:
The laptop was stolen from a contractor employee’s car on April 22, and she notified local police within 10 minutes, said Roger Baker, chief information officer at VA, in an interview. Although the vendor had certified to VA that it had encrypted laptops that stored department data, Baker confirmed the data on the stolen laptop was unencrypted.
The vendor, who Baker declined to identify because he said it would make it more difficult for contractors to report future data breaches if they knew their name would be made public, reported the theft to VA on April 23.
So contractors for entities covered by HIPAA/HITECH have their names made public by HHS but the VA decides it can withhold the contractor’s identity? If that laptop contained any unprotected health information on the veterans (and the laptop had access to medical center data), then the contractor *will* be publicly identified on OCR’s site (unless it’s a “private practice” contractor), as over 500 individuals were affected. In any event, I firmly believe that all contractors who leave laptops with unencrypted PII or PHI in a vehicle for stealing should be publicly named, at the very least.
But the news is even worse:
After learning about the unencrypted laptop, Buyer investigated how many VA contractors might not be complying with the encryption requirement and learned that 578 vendors had refused to sign new contract clauses that required them to encrypt veteran data on their computers, an apparent violation of rules.
Buyer told Shinseki that the vendor had 69 contracts in more than half of the department’s 21 regional medical networks operated by the Veterans Health Administration, and 25 of those contracts, more than a third, did not have a clause that required data be encrypted.
Note that it’s not totally clear to me whether the vendor with 69 contracts is the same contractor that had the laptop stolen with 644 veterans’ info on it. Representative Buyer’s letter indicates that there were two breaches in Texas in the past two weeks and he prefaces the comments about the vendor with 69 contracts saying, “The most current breach involved a service disabled veteran owned business that had an unencrypted laptop stolen.” Was this the same laptop theft or the second one? It may be the second one alluded to. It really would help if they would name the vendors!
Read the full news coverage on Nextgov.