VA Data in Format Not Widely Used

By Christopher Lee
Washington Post Staff Writer
Thursday, June 1, 2006

The sensitive personal information of 26.5 million veterans that was stolen from a Department of Veterans Affairs data analyst last month was stored in a format that could make it difficult for thieves to use, according to an internal VA memo.

In the May 5 memo, VA privacy officer Mark Whitney wrote that the critical data "may not be easily accessible" because most of it -- including names, birth dates and Social Security numbers -- was stored in a specialized, standard format used for data manipulation and statistical analysis.

The format "requires specialized application software and training" to write computer code "to access and manipulate the data for use," Whitney wrote in the memo, obtained yesterday by The Washington Post.

Ari Schwartz, deputy director of the nonprofit Center for Democracy and Technology, a privacy group, said Whitney is generally right that the information would be hard to extract.

It would be easier, however, if the laptop stolen along with an external hard drive and several data disks has the software needed to view the data, he said. "This is not nearly the type of protection they would have had if they had followed basic security procedures and encrypted this," Schwartz said.

The Whitney memo, dated two days after the burglary at the analyst's Aspen Hill home and distributed to several high-ranking VA officials, provides the first public indication that some addresses and telephone numbers were among the stolen data; it refers to such information being part of electronic files of a national survey of about 20,000 veterans in 2001.

Also stolen was an electronic spreadsheet with 6,744 records about "mustard gas veterans" -- generally, veterans who took part in chemical warfare tests during World War II. Another stolen file contains as many as 10 diagnostic codes from the treatment file of one veteran who visited the VA health-care system on 57 dates.

"These type of data contain more than limited financial information, the codes contain information about veterans' medical conditions," Rep. Bob Filner (D-Calif.) said in a statement. "It is not appropriate for this information to ever enter the public domain."

Matthew Burns, a VA spokesman, said the department has been "focused on getting notification to veterans that some of the most sensitive data was out there."

Also yesterday, VA Secretary Jim Nicholson announced that he had named Richard M. Romley, a former prosecutor from Maricopa County, Ariz., as his new special adviser for information security. Romley, a Marine Corps veteran, will evaluate the department's computer security procedures and recommend improvements.

The move follows the resignation last week of Michael H. McLendon, a VA deputy assistant secretary who learned of the May 3 burglary within hours of the crime but did not immediately tell top-ranked officials.

Nicholson announced Tuesday that the employee will be fired and that Dennis M. Duffy, who has been acting assistant secretary for policy and planning, had been placed on administrative leave. The employee worked in McLendon's office, and Duffy was in charge of the division in which both worked.

Nicholson learned of the information breach on May 16 and told the public on May 22, nearly three weeks after the crime.

© 2006 The Washington Post Company