VA Knew Early About Data Theft
Saturday, May 27, 2006
Senior officials at the Department of Veterans Affairs knew that sensitive personal information about veterans had been stolen from a VA employee's home within hours of the crime but did not tell Secretary Jim Nicholson until 13 days later, according to a VA briefing document.
Michael H. McLendon, VA deputy assistant secretary for policy, learned of the May 3 burglary less than an hour after the worker reported it to his supervisors and to Montgomery County police, according to the briefing document, given to congressional committees this week and obtained yesterday by The Washington Post. McLendon met with two high-ranking VA information security specialists the next day.
Among items stolen from the Aspen Hill home was an external computer hard drive that VA officials say contained the unencrypted names, birthdates and Social Security numbers of 19.6 million to 26.5 million veterans.
The 12-page timeline provides the first detailed accounting of how VA officials reacted to one of the nation's largest information security breaches, an institutional failure that ignited anxiety and anger among millions of veterans concerned about identity theft.
It also reveals new details about the 60-year-old man at the heart of the scandal. He is a senior-level career employee working as an information technology specialist in the Office of Policy. As a GS-14 level employee, he earns between $91,407 and $118,828 a year.
In a meeting with McLendon two days after the theft, the employee "assumed full responsibility, acknowledging he knew he should not have taken the data out of the office," the summary says. James J. O'Neill, VA deputy assistant inspector general for investigations, said in an interview yesterday that the employee is cooperating fully in the investigation. "He reported it [the theft] immediately, and he certainly could have kept it quiet," O'Neill said.
According to the document, Dennis M. Duffy, acting assistant secretary for policy, planning and preparedness, was told of the theft May 5. Duffy asked VA computer security specialists to determine the extent of the data lost and three days later asked them to draft a memo. McLendon convened a meeting of the Office of Policy staff May 9 to stress the importance of data security and had the data analyst discuss his experience.
It was not until that day, May 9, that Duffy informed VA Chief of Staff Thomas Bowman about the theft, suggesting that senior management should discuss the department's obligations to notify veterans whose data may have been compromised. Bowman told Deputy Secretary Gordon Mansfield, the department's No. 2 official, the next afternoon, but neither man informed Nicholson until May 16, the document shows.
Nicholson told the White House that day but did not inform Congress or the public until six days later, on May 22.
"What the timeline shows is that, once he was informed, the secretary acted quickly, decisively and in the best interest of veterans," said Matt Burns, a VA spokesman.
Burns also said that Mansfield, who predates Nicholson at the department and is a former executive director of Paralyzed Veterans of America, was told May 10 only that "thousands" of veterans' records may have been compromised. He directed the staff to get more information, Burns said.
"Deputy Secretary Mansfield was not made aware of the full scope and extent of what those records included until the same day the secretary found out," Burns said.
Members of Congress criticized the department's security practices and sluggish response. Some lawmakers and veterans groups have demanded that VA leaders resign or be fired.
"Secretary Nicholson's lack of knowledge about the handling of personal data within his own agency is shameful," said Rep. John T. Salazar (D-Colo.), who has introduced a bill that would provide veterans one year of free credit monitoring. "And the agency's two-week coverup of the data theft has been completely irresponsible. . . . The people in charge, like Secretary Nicholson, need to be held accountable."
Jim Mueller, head of Veterans of Foreign Wars of the United States, said in a statement yesterday that the entire episode "reflects a serious lack of leadership, management and accountability" in the department.
"To not inform your boss of what can only be described as the worst crisis in the VA's history is unconscionable, inexcusable and does tremendous injury to America's veterans," Mueller said. "These individuals cannot be trusted to fix what they allowed to happen."