Laptop Computer Security

Rip of the Week: Believe it or Not, Another VA Data Breach…Maybe

The news is abuzz this week about an agency that’s no stranger in the data breach world: the Veterans Administration. Recall that back in 2006 the VA suffered a breach that threatened 26.5 million vets, via laptop theft. The Federal Times reports that the VA is investigating reports of a former VA physician’s assistant who stored unauthorized personal patient data on a personal laptop.

However, the details are certainly still emerging. NextGov had a blog entry on 3/8 that “broke” the story (or was at least an early reporter). Then, VA CIO Roger Baker posted a comment to that blog entry itself (scroll to the bottom), correcting some information:

——-
Hi Bob: I need to correct your posting. The employee in question was never able to connect her unencrypted laptop to the VA network. Port blocking technologies are enforced in Atlanta, and she was denied access. Thus, no “downloading” of information ever occurred. Any information existent on the personal laptop was hand entered, and as you point out this violates all kinds of policies and training at the VA. Thanks for correcting this post. VA has come a long way in protecting Veterans’ information since 2006.

Roger Baker   03/08/10 11:27 pm ET
——-

The next day, another blog post at NextGov mentioned that it is still suspected that the PA accessed data including three years of patient data, plus another 18 years’ worth, and may have accessed them using two thumb drives (not hand entered).

It’s all speculation for now–that’s why we have investigations.

But the commentary is certainly raising the same question that typically surfaces in these situations, regarding “policies and procedures” in place and the frequency with which policies and procedures are broken. In the VA’s defense, it does sound as if much technology, including encryption, has been put in place to raise the bar of protection far beyond reliance upon employees to respect the rules.

This ought to be an interesting case to watch. Thanks go to Jake K over at DataLossDB for the heads up.
