In a statement, the VA said it believes the PC contains data on about 5,000 patients who received care at a Philadelphia medical center, and about 11,000 who were treated at a facility in Pittsburgh. The VA is investigating the possibility that the machine also has data on another 20,0000 patients from its Pittsburgh facility. The data on the PC is believed to include Social Security numbers, names, addresses, dates of birth, insurance information, dates of military service and medical claim information.
The Unisys theft comes on the heels of a widely publicized incident in May involving the theft of a VA laptop and external hard containing personally identifiable information on 26.5 million veterans and active-duty military personnel. The VA laptop was found about a month later and law enforcement officials believe that none of the sensitive data was even accessed by the thief. However, the VA's handling of the incident and slow response led to an internal investigation that resulted in a scathing report from the department's Office of the Inspector General last month.
VA officials learned of this new theft on Aug. 3 and sent a team of investigators to the Unisys office in Reston, Va., just outside Washington, D.C., to help in the search for the PC.
"VA's Inspector General, the FBI and local law enforcement are conducting a thorough investigation of this matter," R. James Nicholson, secretary of the VA, said in a statement. "VA is making progress to reform its information technology and cybersecurity procedures, but this report of a missing computer at a subcontractor's secure building underscores the complexity of the work ahead as we establish VA as a leader in data and information security."
The latest VA incident has raised the ire of a number of Congressmen, many of whom are working to pass data-breach bills.
"I am angered and outraged that while our veterans protect our nation's security, our nation is unable to protect their personal information," Rep. Frank LoBiondo (R-N.J.) said in a statement. "Twice in three months our veterans' personal information is found in peril. Decisive action must be taken now to install the necessary security protocols and prevent future breaches."
Security experts say that the VA thefts and similar incidents at other government agencies and private sector organizations are symptoms of a systematic problem: too much trust.
"The bigger an organization gets, the more at risk it is to insiders," said Brian Contos, chief security officer at ArcSight Inc., in Cupertino, Calif. "The more people there are with access, either physical or logical, the more opportunities there are" for malfeasance.
In the case of the most recent VA theft, the computer was taken from a secure facility owned by Unisys, a subcontractor two steps removed from the agency itself. Contos said that government agencies in general have been making strides in dealing with security issues, but the VA incidents show that many of them still are not paying attention to the right areas and asking the hard questions.
"Why is so much sensitive data being stored on things like laptops and PCs that can be carried out the door? You have to have real policies that have teeth and enforce them," Contos said. "The hardest thing to do is manage assets. You don't need an uberhacker to plug in an iPod and download tons of data."