[Dataloss] follow-up: VA sets aside $20 million to handle latest data breach

[security curmudgeon]

---------- Forwarded message ----------
From: InfoSec News <alerts at infosecnews.org>

http://www.govexec.com/story_page.cfm?articleid=37191

By Daniel Pulliam
govexec.com
June 14, 2007

The Veterans Affairs Department has set aside more than $20 million to 
respond to its latest data breach, the agency's top technology officer 
said Thursday.

The department does not expect to spend the full $20 million, but 
designated that much because the breach potentially puts the identities of 
nearly a million physicians and VA patients at risk, said Bob Howard, the 
department's chief information officer. Howard spoke at The E-Gov 
Institute's Government Health IT Conference and Exhibition in Washington.

"We have no evidence that [information is at risk]. None whatsoever, but 
we don't take the chance," Howard said. "The attitude of the VA right now 
is if we think we've put anybody's information at risk, then we need to 
step up to the plate and try to remedy that."

The breach occurred in January, when a hard drive went missing from a 
Birmingham, Ala., VA medical research facility. The drive contained highly 
sensitive information on nearly all U.S. physicians and medical data for 
more than a half million VA patients. Any physician who billed Medicaid 
and Medicare through 2004 could be affected.

The hard drive has not been recovered. The VA estimates that about half of 
the 1.3 million doctors whose information was on the hard drive, and 
254,000 veterans, are potentially at risk. This group was notified by mail 
at the end of May. The letters noted that VA is providing credit 
monitoring services through a General Services Administration blanket 
purchase agreement from the multiple award schedules program.

[..]