Here are some questions you may have about the Department of Veterans Affairs data security incidents, and their answers. Frequently Asked Questions—August 2006 Data Security Incident What Happened and How Does this Affect Me? How did this happen? VA learned on August 3rd that a computer was missing from Unisys, a subcontractor that provides software support to the Pittsburgh and Philadelphia VA Medical Centers. The computer contained insurance claim data for some patients treated in these two facilities or their community clinics. It is important to note that we have no reason to believe the computer was stolen for the purpose of gaining veteran information or that the information has been or will be used inappropriately. Why did this company have this information on the computer? The Unisys system is used by the Pittsburgh and Philadelphia VA Medical Centers to help sort and track insurance claims that have been billed to insurance companies. What information was included? We believe that for the veterans affected, the information included name, and some or all of the following: date of birth, Social Security Number, address, insurance carrier and other insurance claim related information. How do I know if my information was on the computer? Unisys provided VA with a list of patients whose information may have been on this computer. Letters were sent to these individuals. The list includes approximately 16,000 living individuals and approximately 2,000 now deceased, who received care either at Pittsburgh VA medical center over the last four years or the Philadelphia VA medical center since 2005, and who had third party insurance that was billed for that care. I am the spouse, widow, or child of a veteran. Was my information contained on the computer? At this time, we believe that only one TRICARE dependent may have had information on this computer. This individual will be notified by the VA and receive information that is also being provided to other potentially affected veterans. Who Has Access to Veteran Information? Is it a common practice to allow data of this nature to be accessed by private contractors? VA sometimes contracts with companies to provide certain services that enable VA to provide better service to veterans. Some of these VA contractors have veteran information on their computers. All contractors are bound by regulations that limit their use of this information to what they need to provide their service. We are working with our contractors to insure our veterans' data receives the highest standard of security and privacy protection. What Should I Do? What should I do to protect myself? Do I have to close my bank account or cancel my credit cards? At this time we have no confirmation of misuse of veteran information resulting from the Unisys loss. Because Social Security Numbers were on this computer, we advise individuals to monitor financial accounts continuously for suspicious activity as a matter of good practice. For tips on how to guard against misuse of personal information, visit the Federal Trade Commission website at http://www.ftc.gov/. You do not have to close your bank account or cancel your credit cards. You should however take steps to protect yourself against identity theft. We advise you to monitor your financial accounts continuously for suspicious activity. One way to monitor your financial accounts is to review your credit report. By law you are entitled to one free credit report each year from each major credit bureau. Request a free credit report from one of the three major credit bureaus-Equifax, Experian, TransUnion-at www.AnnualCreditReport.com or by calling 1-877-322-8228. What is identity theft? At this time we have no confirmation of misuse of veteran information resulting from this incident. Identity theft occurs when your personal information is stolen and used without your knowledge to commit fraud or other crimes. What should I do if I detect a problem with any of my accounts? Act quickly. Notify local law enforcement. Contact one of the three credit bureaus to place a 90-day fraud alert on your credit report. That bureau will notify the other two bureaus to flag your file. A fraud alert flag tells creditors to follow additional procedures before opening new accounts in your name or changing existing accounts. - Equifax–1-800-525-6285
- Experian–1-888-397-3742
- TransUnion–1-800-680-7289
Where can I get more information? As it becomes available, information will be posted at www.FirstGov.gov and www.va.gov. For more information about the Unisys incident, contact the Veterans Health Administration at 1-800-949-1001, extension 4209. Will credit monitoring be offered? Unisys Corporation is offering free credit monitoring to individuals whose information is believed to have been on its missing computer. Letters were mailed at the end of August to affected individuals providing details on how to get free credit monitorig. What Is VA Doing About the Situation? What is VA doing about this? The VA Inspector General has launched a full-scale investigation. VA mailed notification letters on August 10, 2006 to individuals whose information is known to have been on the missing computer. When will VA be sending me a letter? VA is sending letters to all those identified as possibly having their information included on the missing computer. These letters were mailed on August 10, 2006. What will be done to prevent this from happening in the future? VA has safeguards in place to protect private information. We provide ongoing privacy training to all employees. VA has taken action to rectify this unfortunate situation, and is working to insure our veterans' data receives the highest standard of security and privacy protection.
Here are some questions you may have about the May 2006 Veterans Affairs data security incident, and their answers. Frequently Asked Questions—May 2006 Data Security Incident What Happened and How Does this Affect Me? What happened? In May 2006, VA learned that an employee, a data analyst, took home electronic data from VA that was stored in his home on a laptop computer and external hard drive. He was not authorized to take this data home. This behavior was in violation of VA policies. The employee's home was burglarized and the computer equipment, along with various other items, was stolen. The electronic data stored on this computer included identifying information for millions of veterans. Authorities believe the computer equipment, rather than any data on it, was the target of the theft. The stolen equipment has been recovered and the Federal Bureau of Investigation (FBI) has determined with a high degree of confidence through forensic testing that information stored on the stolen laptop and external drive was not accessed or compromised. What action has been taken against this employee or his supervisor? The employee is cooperating fully with the investigation. The employee was initially placed on administrative leave, and VA then implemented procedures necessary to dismiss the employee. Also, the official responsible for the organization in which this employee served has resigned his position because of the events. What information was included? The data lost is primarily limited to an individual's name, date of birth, and social security number. In some cases, spousal information may have been included. However, this information alone may be useful to identity thieves, and we recommend that all veterans, servicemembers, and reservists be extra vigilant in monitoring for signs of potential identity theft or misuse of this information. Importantly, the affected data did not include any of VA's electronic health records or any financial information. See June 6, 2006, News Release on New Information Involved in Data Loss VA says that the information stolen included disability ratings. What information does that include? The information stolen did not include medical information about any veteran, servicemember, or reservist, nor did it include VA's electronic health records. For some veterans who have applied for VA disability compensation benefits and have been determined by VA to have a disability related to their military service, the data may have included the number of service-connected disabilities a veteran has and the veteran's overall disability percentage rating. No other information related to any veteran's disability rating was included. Will I still get my monthly benefit payment? Yes. There will be no impact on benefit payments. Have any lawsuits been filed against VA because of the data loss? Yes. Several lawsuits have been filed against VA pertaining to the data theft. All of these lawsuits have been filed as class actions. VA is currently aware of the following suits filed in U.S. district courts: - Paul Hackett, et al., v. U.S. Department of Veterans Affairs, et al., Civil Action No. 2:06-cv-114 (WOB) (United States District Court for the Eastern District of Kentucky) (Lead plaintiffs' counsel-Marc D. Mezibov, Esq., Mezibov & Jenkins, Co. L.P.A., 401 East Court Street, Suite 600, Cincinnati, Ohio 45202;
- Michael Rosato, et al., v. R. James Nicholson, Secretary of Veterans Affairs, et al., Civil Action No. 06-3086 (United States District Court for the Eastern District of New York) (Lead plaintiffs' counsel-Joseph H. Weiss, Esq.; Mark D. Smilow, Esq.; and Richard A. Acocelli, Esq., Weiss & Lurie, 551 Fifth Avenue, New York, New York 10176;
- Vietnam Veterans of America, Inc., et al., v. R. James Nicholson, Secretary of Veterans Affairs, et al., Civil Action No. 1:06-cv-01038 (JR) (United States District Court for the District of Columbia) (Lead plaintiffs' counsel-L. Gray Geddie, Esq., and Douglas J. Rosinski, Esq., Ogletree, Deakins, Nash, Smoak & Stewart, P.C., 1320 Main Street, Columbia, South Carolina 29201-3266.
Recovery of Stolen Laptop? I heard news reports the computer laptop and hard drive stolen from a VA employees home was recovered by law enforcement. Is this true? Yes. On Thursday, June 29, 2006, Veterans Affairs Secretary R. James Nicholson announced that law enforcement authorities have recovered the laptop and external hard drive stolen in early-May from a VA employee's home. Do authorities believe the information was copied or accessed while it was missing? The stolen equipment has been recovered and the Federal Bureau of Investigation (FBI) has determined with a high degree of confidence that information stored on the stolen laptop and external drive was not accessed or compromised. What Should I Do? What should I do to protect myself? Do I have to close my bank account or cancel my credit cards? The stolen equipment has been recovered and the Federal Bureau of Investigation (FBI) has determined with a high degree of confidence that information stored on the stolen laptop and external drive was not accessed or compromised. VA plans to hire a company to perform data breach analysis, which will look for patterns of misuse of veterans' data to provide additional assurances that no data has been misused. The Department of Veterans Affairs believes it is good practice for all veterans to be extra vigilant and to carefully monitor bank statements, credit card statements, and any statements relating to recent financial transactions, and to immediately report any suspicious or unusual activity. For tips on how to guard against misuse of personal information, visit the Federal Trade Commission website at http://www.ftc.gov/. You do not have to close your bank account or cancel your credit cards. You should, however, take steps to protect yourself against identity theft. One way to monitor your financial accounts is to review your credit report. By law you are entitled to one free credit report each year. Request a free credit report from one of the three major credit bureaus – Equifax, Experian, TransUnion – at www.AnnualCreditReport.com or by calling 1-877-322-8228. What do you mean by suspicious activity? Suspicious activities could include the following: - Inquiries from companies you haven't contacted or done business with
- Purchases or charges on your accounts you didn't make
- New accounts you didn't open or changes to existing accounts you didn't make
- Bills that don't arrive as expected
- Unexpected credit cards or account statements
- Denials of credit for no apparent reason
- Calls or letters about purchases you didn't make
What is identity theft? Identity theft occurs when your personal information is stolen and used without your knowledge to commit fraud or other crimes. I haven't noticed any suspicious activity in my financial statements, but what can I do to protect myself and prevent being victimized by credit card fraud or identity theft? VA strongly recommends that veterans closely monitor their financial statements and review the guidelines provided on this web page (http://www.firstgov.gov/veteransinfo) or call 1-800-827-1000. Should I reach out to my financial institutions or will the Department of Veterans Affairs do this for me? VA does not believe that it is necessary to contact financial institutions or cancel credit cards and bank accounts, unless you detect suspicious activity. What is the earliest date at which suspicious activity might have occurred due to this data breach? The VA employee's home was burglarized and the computer equipment was stolen on May 3, 2006 and recovered on June 28, 2006. If the data has been misused or otherwise used to commit fraud or identity theft crimes, it is likely that affected groups would have noticed suspicious activity beginning in the month of May. What should I do if I detect a problem with any of my accounts? The Federal Trade Commission recommends the following four steps if you detect suspicious activity: Step 1 – Contact the fraud department of one of the three major credit bureaus: - Equifax: 1-800-525-6285; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241
- Experian: 1-888-EXPERIAN (397-3742); www.experian.com; P.O. Box 9532, Allen, Texas 75013
- TransUnion: 1-800-680-7289; www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790
Step 2 – Close any accounts that have been tampered with or opened fraudulently. Step 3 – File a police report with your local police or the police in the community where the identity theft took place. Step 4 – File a complaint with the Federal Trade Commission by using the FTC's Identity Theft Hotline: - By telephone: 1-877-438-4338
- Online at www.consumer.gov/idtheft
- By mail at Identity Theft Clearinghouse, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington DC 20580.
Where can I get more information? Please check this web page (http://www.firstgov.gov/veteransinfo) for further updates or call the Department of Veteran's Affairs at 1-800-827-1000. What are my remedies if my identity is stolen and used illegally? The Federal Trade Commission has produced a booklet to help you remedy the effects of an identity theft. It describes what steps to take, your legal rights, how to handle specific problems you may encounter on the way to clearing your name, and what to watch for in the future. The contents of the booklet, Taking Charge: Fighting Back Against Identity Theft, are available online at http://www.ftc.gov/bcp/conline/pubs/credit/idtheft.htm. Can Social Security put a flag on my number? No, unlike the credit bureaus, the Social Security Administration (SSA) cannot put a flag or security alert of any type on your Social Security number. To report that someone is using your Social Security number, file a complaint with the Federal Trade Commission by using the four steps outlined above: - Internet: www.consumer.gov/idtheft
- Telephone: 1-877-IDTHEFT (1-877-438-4338)
Can I get a new Social Security number? SSA will not issue you a new Social Security number as a precaution, if you are concerned or think your number may have been stolen as part of the VA data theft. SSA assigns a new Social Security number in rare cases, and only if the number holder provides evidence that the old number has been used with criminal or harmful intent and that the misuse has caused the number holder to be subjected to recent economic or personal hardship. The letter from VA warns individuals to guard against "phishing" efforts and telephone solicitations asking for personal information. What does this mean? "Phishing" is a term that relates to unsolicited messages that individuals receive on their computers. "Phishers" send an e-mail or pop-up message that claims to be from a business or organization that you may deal with - for example, an Internet service provider (ISP), bank, online payment service, or even a government agency. The message may ask you to "update," "validate," or "confirm" your account information. Some "phishing" e-mails threaten a dire consequence if you don't respond. The messages direct you to a website that looks just like a legitimate organization's site. But it isn't. It's a bogus site whose sole purpose is to trick you into divulging your personal information so the operators can steal your identity and run up bills or commit crimes in your name. VA also warns individuals to beware of telephone solicitations by people who claim to be from VA or other trustworthy sources asking you to give personal information or to verify or correct personal information. VA, other government agencies, and legitimate organizations will not contact you to ask for or confirm your personal information. If you receive such communications, report them to VA though this toll free number: 1-800-827-1000. If I need a police report to claim identity theft, where do I get that? Individuals who are victims of actual identity theft should not have a problem filing a local police report about the incident. The Federal Trade Commission advises consumers who are victims of identity theft to get a copy of the police report or at the very least, the number of the report. It can help you deal with creditors who need proof of the crime. If the police are reluctant to take your report, ask to file a "Miscellaneous Incidents" report, or try another jurisdiction, like your state police. You also can check with your state Attorney General's office to find out if state law requires the police to take reports for identity theft. Check the Blue Pages of your telephone directory for the phone number or check www.naag.org for a list of state Attorneys General. Information about steps to take if you are a victim of identity theft is available online at www.consumer.gov or by calling the Federal Trade Commission at 1-877-IDTHEFT (1-877-438-4338). What do I do if the local police won't take a report? In order to file a police report, you must show you have suffered an actual identity theft or harm due to fraudulent activity or misuse of account information. If you have experienced identity theft or harm, the Federal Trade Commission (FTC) suggests providing as much documentation as you can to prove your case, including debt collection reports, credit reports, or other evidence of fraudulent activity. Information about steps to take if you are a victim of identity theft is available online at www.consumer.gov or by calling the Federal Trade Commission at 1-877-IDTHEFT (1-877-438-4338). The FTC also suggests being persistent if local authorities tell you that they can't take a report. Stress the importance of a police report; many creditors require one to resolve your dispute. The FTC advises that if you're told that identity theft is not a crime under your state law, ask to file a Miscellaneous Incident Report instead. If you can't get the local police to take a report, try your county police. If that doesn't work, try your state police. Some states require the police to take reports for identity theft. Check with the office of your State Attorney General www.naag.org to find out if your state has this law. Can I get a copy of the police report about the stolen computer and veterans' data? We do not have access to any police reports or any other investigative reports filed as a result of this incident. The investigations by the police, VA's Inspector General, and the FBI are still ongoing. What Credit Monitoring Will VA Offer? Will VA offer free credit monitoring? Given the FBI's high degree of confidence that the information recently recovered was not accessed or compromised, VA believes that individual credit monitoring will no longer be necessary. As Secretary Nicholson has stated, VA remains unwavering in its resolve to become the leader in protecting personal information, training and educating its employees in best practices, and establishing a culture that always puts the safekeeping of veterans’ personal information first. While the FBI is highly confident this information has not been accessed, what will VA do to help protect veterans? Protecting veterans' private information remains a priority for VA. Out of an abundance of caution, and to further safeguard individuals' information, VA will work swiftly to provide data breach analysis. What is data breach analysis? Data breach analysis looks across multiple industries to detect patterns of misuse related to a specific data loss. While it is considered highly unlikely by the FBI and law enforcement that this data was accessed, data breach analysis will provide additional assurances. How will VA pay for data breach analysis? VA has funds in its budget that can be used for this purpose, and there will be no reduction in the quality of health care and other services provided to veterans as a result of this expenditure. What Else Is VA Doing About the Situation? How is information about this incident being shared? VA is providing as much information as we have about the incident and alerting veterans of the situation. We identified those who may have been affected and provided them more information. Veterans should continue to monitor this web page (http://www.firstgov.gov/veteransinfo) for further updates. You can also call the Department of Veteran's Affairs at 1-800-827-1000 for information. When will more information be available? Letters were sent to all affected veterans in June 2006 and August 2006. If information about you was included in the data that was stolen, you should have received a letter. Continue to visit this web page for updates. We will also continue to make public service announcements to publicize new information. We continue to urge veterans, servicemembers, and reservists to be vigilant in checking activities on their various accounts. What will be done to prevent this from happening in the future? VA is taking extensive steps to bolster training for employees on privacy and security of sensitive data. Strengthened policies and procedures to protect sensitive data are being put in place so that this does not happen again. VA is also working with other federal and commercial entities that have veteran information for business reasons to ensure they have appropriate safeguards to protect sensitive data. VA also has obtained data breach analysis services to further ensure no misuse of data occurs in the future. While it is highly unlikely that the data were accessed, data breach analysis will provide back-up assurances. What About the Letter VA Sent? To whom is VA sending letters? VA sent individual notification letters to veterans, servicemembers, and reservists whose personal information was included on the stolen computer equipment. When did the letters go out? Two letters were released — one in early June 2006 and another in late August 2006. If I didn't get a letter, does that mean I wasn't affected? If you did not get a letter, in all likelihood your identifying information was not part of the data that was on the stolen computer equipment. I have never contacted VA directly. How do you know my address? VA does not have current addresses for all affected individuals. However, the Internal Revenue Service (IRS) has agreed to forward all the letters to the affected veterans, servicemembers, and reservists. It is important to understand that the IRS has not disclosed your address or any other tax information to VA. VA identified the affected veterans to the IRS. The IRS is releasing the letters for VA. Can I give you my address to make sure you have it? We believe that virtually all affected veterans, servicemembers, and reservists will be contacted through the process we have established with IRS. We are therefore not taking addresses by phone. If you receive VA benefits or have a claim pending and would like to change your address with VA, please contact your local VA regional office by phone at 1-800-827-1000 or in writing. For a directory of VA Benefits and other offices, visit http://www1.va.gov/directory/guide/home.asp. I'd like to see the letters even though I didn't get them. Can you send them to me? VA sent the letters to potentially affected veterans, servicemembers, and reservists. A copy of the letters is available online at FirstGov.gov:
If you don't have access to the Internet, please call The Veterans Administration at 1-800-827-1000. News Releases from Veterans Affairs View VA News Releases for further background on Veterans Affairs Data Security Issue.
Page last updated September 6, 2006 | 
