Top VA Officials Criticized in Data Theft

By Christopher Lee
Washington Post Staff Writer
Wednesday, July 12, 2006

A career analyst and top officials at the Department of Veterans Affairs share the blame for the recent theft of sensitive personal data on millions of veterans, federal investigators said yesterday.

In a 68-page report, VA Inspector General George J. Opfer recommended that VA Secretary Jim Nicholson "take whatever administrative action deemed appropriate" to punish officials who were slow to report and investigate the May 3 theft of a laptop computer and an external hard drive from the analyst's Aspen Hill home.

Opfer wrote that new security measures since the theft are "a positive step" but are inadequate. Nicholson should establish "one clear, concise VA policy on safeguarding protected information," he wrote.

The report, the product of a nearly two-month investigation, included no new major findings about the theft and the department's handling of it -- subjects picked over for weeks in a series of congressional hearings and in news stories.

It did, however, unearth previously undisclosed details, such as that the stolen laptop itself contained no VA data, only the external drive did. The report also found that, contrary to testimony by VA officials, the thieves would not have needed to know how to use a statistical software program to view the data.

The laptop and hard drive were recovered last month by law enforcement. VA spokesman Matt Burns said the FBI informed the department yesterday that, after a battery of forensic tests, investigators had a "high degree of confidence" that the thieves had not accessed the data.

Robert Wallace, executive director of the Veterans of Foreign Wars, said the IG report underscored the "lack of leadership" at VA. Senior officials knew of the theft within an hour of when the employee reported it to local police, but Nicholson was not told until almost two weeks later. He did not inform the public until six days after that, on May 22.

"We're waiting for the secretary to act," Wallace said. "I want him to take every action he has to clean that place up. The secretary seems to be the poor guy sitting out on a limb; he's the last guy to know, and then he responds."

In a statement, Nicholson said that "VA has embarked on a course of action to wholly improve its cyber and information security programs." He added: "The IG's report confirms that we must continue with our aggressive efforts to reform the current system."

Nicholson earlier forced the retirement of Dennis Duffy, a longtime civil servant who was the acting assistant secretary overseeing the division in which the analyst worked. Michael McLendon, a political appointee who supervised the analyst, resigned from the department soon after Nicholson disclosed the theft to the public.

The analyst -- who the IG confirms took the data home without authorization -- has been notified of his termination, but he is challenging the firing. The analyst began taking the data home in 2003 for a self-described "fascination project" to test the accuracy of a survey of veterans by VA in 2001, the report said.

Rep. Lane Evans (Ill.), ranking Democrat on the House Committee on Veterans Affairs, said in a statement: "The Secretary testified before our Committee that he is 'mad as hell' about the data breach. He should be. His actions in light of these IG findings will tell us if those words were deeply felt or simply meant to engender sympathy under intense pressure."

© 2006 The Washington Post Company