Laptops stolen from Veterans Affairs, N.M. Medicaid contractors were not encrypted

Will people ever learn?

Two recently disclosed potential breaches of health data in government health programs, potentially impacting more than 10,000 patients, were the result of stolen, unencrypted laptops belonging to contractors.

The Department of Veterans Affairs said that a laptop stolen from an unspecified contractor's car April 22 contained unencrypted, personally identifiable information of about 644 veterans. And New Mexico's Health and Human Services Department reported last week that an employee of West Monroe Partners, a subcontractor that processes dental claims for Medicaid enrollees, had an unencrypted computer in the trunk of a car stolen in Chicago March 20. That computer may have contained data on 9,600 beneficiaries, Government Health IT reports.

In the VA theft, "The contractor self-reported the incident and has disabled the user account and server access from the stolen laptop. No further access from this laptop is possible," VA spokeswoman Katie Roberts said in a statement, according to Government Health IT.

Still, the news incensed Rep. Steve Buyer (R-Ind.), the ranking member of the House Veterans Affairs Committee, because a law passed in the wake of a major breach in 2006 that threatened the privacy of 26.5 million veterans and their spouses requires VA contractors to encrypt health data on laptops. The breach indicates that the "VA lacks focus on its primary responsibility of protecting veterans' personal information," Buyer writes in a May 12 letter to VA Secretary Eric Shinseki.

"We would like to express our deepest concern about the continued use of unencrypted devices within VA, despite the ongoing efforts to stop such use," he adds.

For more information:
- see this Government Health IT story
- have a look at this NextGov report
- see this letter from Buyer to Shinseki (.pdf)