Computer Stolen From VA Subcontractor
Monday, August 7, 2006; 4:54 PM
The Veterans Affairs Department today confirmed that a subcontractor, Unisys Corp., had informed the department that a desktop computer containing sensitive personal information of veterans is missing from the company's offices. It is the second VA data compromise in three months.
Unisys said the desktop computer contained billing records with information for veterans who sought treatment at two VA medical centers, one in Philadelphia and one in Pittsburgh. The information includes names, address, Social Security numbers and dates of birth. It does not include personal financial information.
"The data were used only for insurance collections management purposes and may include insurance carrier and billing information as well as claims data with some medical information," Unisys said in a statement.
Unisys was hired to assist in insurance collections for VA's medical centers in Pittsburgh and Philadelphia.
"VA's inspector general, the FBI and local law enforcement are conducting a thorough investigation of this matter," said VA secretary James Nicholson.
Earlier, the offices of New Jersey Republican Reps. Frank LoBiondo and Jim Saxton confirmed that local, state and federal law enforcement, including the FBI, are investigating the theft of a desktop computer from the contractor's office. VA notified the congressmen's offices Friday evening that information for veterans living in the Pittsburgh, Philadelphia and Southern New Jersey areas might be compromised.
Unisys notified VA Aug. 3 that the computer was missing from its Reston, Va., offices. VA immediately dispatched a team to Unisys to assist in the search for the missing computer and to help determine the precise nature of the information it may have contained.
Unisys had observed security controls, but there was not a requirement to encrypt the data, said Unisys spokeswoman Lisa Meyer.
"The building and floor where the computer was located require security protocols for physical access. Log-in and password protocols also were required to access the data, which were stored in a database on the computer," she said.
"Unisys takes very seriously its responsibility to safeguard individuals' personal information and shares the concerns this incident will cause," the company said. It will also work with VA regarding the notification of potentially affected veterans and the offer of credit monitoring.
While the investigation is in an early stage, VA believes the records involved are limited to people who received treatment at the two Pennsylvania medical centers during the past four years.
Initial estimates indicate the desktop contained information on approximately 5,000 patients treated at Philadelphia, approximately 11,000 patients treated at Pittsburgh and approximately 2,000 deceased patients. VA is also investigating the possibility the computer may have contained information on approximately 20,000 other people who received care through the Pittsburgh medical center.