11 August 2006

The VA Loses ANOTHER Computer!

From SecurityMonkey ("Chief") at A Day in the Life of an Information Security Investigator (the comments are his):

I nominate this week as "clueless monkey week". First, AOL gives away search data and now the United States Veteran's Administration admits that it's missing another computer that contains sensitive personal information of U.S. Veterans!

From the eWeek article, here are some memorable quotes:
Burns said that the information on the missing computer included veterans' names, addresses, Social Security numbers and birth dates, as well as insurance carriers, billing information and details of military service.

He said the information came from about 5,000 patients at a Philadelphia VA Medical Center, about 11,000 from Pittsburgh, Pa., and about 2,000 deceased patients.

In addition, the VA said it believes that about 20,000 more who received care at the Pittsburgh Medical Center may be included.

Holy smokes. Not only is that a lot of data, but some of the victims are dead! This is an identity thief's dream!

It gets better:
"I can't give out details, but it was a desktop computer," Davies said.

Somebody walked out of a semi-secure Unisys office with a desktop computer?
He said that the contract requirements mandated that the computer have a password for the computer itself, and a separate password for the database that contained the missing names. Davies also noted that Unisys met all applicable HIPAA requirements.

"The building is a fairly secure facility," Davies said.

Password for the computer itself: okay, that takes about two minutes to remove.

Separate password for the database: depending on the database, this may or may not take longer than two minutes.

Unisys met all applicable HIPAA requirements? Like that's saying anything. HIPAA Security is a set of GUIDELINES that don't give any SPECIFIC requirements at all. If I were a veteran seeking medical care, I think I'd go to Canada after reading this.

I love the quote from their security consultant:

Security consultant David Taylor says Unisys is doing the right thing.

"Here's a case where a well-respected organization with proper security got hit," he said.

"Imagine what it's like for organizations that don't have security in place. If Unisys wasn't so diligent, it wouldn't have been reported," he said.

Proper security? Unisys diligent? They got caught with their pants down, and it's far better to disclose immediately than try to hide the theft of customer data (especially federal employee data!).

I know ITToolbox may not condone gambling, but I hereby open up the "SecurityMonkey VA Lost Computer Betting Center". Yes, that's right, folks, place your bets. When is the VA going to lose another machine? Whoever comes the closest wins the pot!

Enjoy your day (unless you're a veteran, apparently),

Chief