
STEARNS CRITICIZES VA FOR ANOTHER BREACH OF PERSONAL DATA

BREACH INVOLVES PERSONAL INFORMATION OF 1.3 MILLION PHYSICIANS & 535,000 VETERANS

Washington, Feb 28, 2007 - On January 22, 2007, an employee of the VA hospital in Birmingham, AL, lost control of the sensitive data of 535,000 veterans and 1.3 million non-VA physicians from Center for Medicare Services (CMS) files on loan to the veterans hospital. The compromised information includes the names of physicians, their Universal Provider Identification Numbers (UPINs), and state medical license numbers. It is not known if the data were lost or stolen. This follows a breach last year at the VA that compromised the data of some 26.5 million veterans and 2.5 million active duty and family members. The House Veterans' Affairs Oversight & Investigations Subcommittee held a hearing today on this breach.

"Between 1998 and 2005, the General Accounting Office identified weaknesses in data security and made over 150 recommendations to the VA on implementing effective controls on information security," stated Rep. Cliff Stearns (R-Ocala). "The VA's own Office of the Inspector General (OIG) has published reports on information security at the department annually, and I am concerned that the same 16 recommendations from fiscal year 2004 remain unaddressed. Three critical areas of concern were highlighted in the OIG's latest report, concluding that the VA is vulnerable to: disrupting virus attacks; disruption of mission-critical systems; and unauthorized access to sensitive data."

Stearns has called for holding VA officials accountable for data security, and VA officials pledged to tighten security in response to last year's security breach. "The VA has the capability of storing encrypted data and to prevent unauthorized access through passwords, yet the data loss in Birmingham was not encrypted and stored on a vulnerable external drive," added Stearns. "Officials at the highest level need to make a commitment to changing the VA culture that fails to secure this personal information."

In response, Stearns called for an outside audit and investigation to determine the extent of past breaches at the Birmingham VA hospital.