Unencrypted thumb drive. "Those three words don't make VA CIOs happy," said Veterans Affairs Department CIO Roger Baker during his monthly data breach press briefing on Nov. 17.
An employee had used a personal thumb drive for work. It was found inside the Nashville regional benefits VA office by a guard after hours. The thumb drive became reportable when the guard took it home to find out what was on it.
As it turned out, information on 240 veterans was loaded on the thumb drive. The information included full names, Social Security Numbers, birth dates, addresses, health information and financial information. The guard's spouse, who has high security clearance through the DOJ and DEA, saw the information and knew it was sensitive information. The guard returned the drive to the VA the next morning.
The veterans on the thumb drive will be notified and will get an offer of credit protection services, Baker said, because their information went outside protected VA areas. To prevent recurrences, IT staff looked for other areas where the software that prevents people from plugging in unencrypted thumb drives had not been fully deployed. "We believe that we have discovered and remediated all of those at this point," he said. Where the incident occurred, you were not supposed to be able to plug in an unencrypted thumb drive inside the VA anyway, he added.
While the incident was largely good news because the problem was discovered inside the VA, "[t]he fact that [the data report] says unencrypted thumb drive is not news that makes a VA CIO happy at all," Baker said.
To learn more:
- read the report
- read the related article from FierceGovernmentIT and listen to the audio
EHR slip up blocks veteran's deployment
VA employee hoarded stacks of patient-related info at home
4,000 VA Social Security numbers potentially exposed in VA mismailing