Searchlight, NV — Senate Democratic Leader Harry Reid today issued the following statement, calling on Secretary of Veterans Affairs Jim Nicholson to resign after his department admitted to having lost the personal information of tens of thousands of veterans yet again. A fact sheet detailing the incompetence at the Department of Veterans Affairs is below.
“Less than a month after promising to make the VA the ‘gold standard’ in data security, Secretary Nicholson has again presided over loss of the personal information of thousands more veterans. Our brave troops, who risk their lives to protect our country, should not also have to fight to protect their personal data again and again. Unfortunately, this dangerous incompetence has become all too common in the Bush White House, and it has made America less safe.
“Enough is enough. From Iraq to the VA, it is time President Bush and his Republican Congress started demanding accountability on matters of national security. Secretary Nicholson must resign immediately and be replaced with an individual who will do more than talk, but deliver on the promises America makes to those who serve.”
Even More Dangerous Incompetence at the Department of Veterans Affairs
Veterans Affairs Loses Yet More Personal Data, Putting as Many as 38,000 at Risk for Identity Theft. “As many as 38,000 veterans may be at risk of identity theft because a Veterans Affairs Department subcontractor lost a desktop computer containing their sensitive personal data. VA Secretary Jim Nicholson said that Unisys Corp., a subcontractor hired to assist in insurance collections for VA medical centers in Philadelphia and Pittsburgh, reported the missing computer last Thursday. The computer was being used in Unisys offices in Reston, Va. It is not yet known what happened to the computer, Nicholson said, adding that local and federal authorities are investigating. The computer is believed to contain names, addresses, Social Security numbers, dates of birth, insurance carriers and claims data including medical information for veterans who received care at the hospitals in Philadelphia and Pittsburgh during the past four years.” [AP, 8/7/06]
After the Last Security Breach, Secretary Nicholson Promised Reform
Nicholson Said the VA Would Be the “Gold Standard” in Information Security. “Last October, I approved a major restructuring of information security within the department, far, far before this incident occurred and reached the light of day. This restructuring ordered the centralizing of almost all of the information technology within the department to come under the chief information officer. This process was and, of course, still is underway and will greatly facilitate control, training, responsibility and accountability. This consolidation of IT has been accelerated as a result of this incident. There have been several changes that have already been implemented and as we continue this effort, we can make the VA the gold standard in the area of information security, just as we’ve done in the area of electronic medical records. [Secretary Nicholson, Senate Veterans Affairs Committee Testimony, 7/20/06]
Nicholson Said the VA Would Be the Best in the Government on Protecting Personal and Health Information. “I’ve made it clear to all senior managers in the department that information security, cyber security and the reorganization of the office of information technology are top priorities. These senior leaders know that every employee must be committed to ensure the safety of Veterans’ personal information. Performance evaluations and executive bonuses will reflect the leaders’ and employees’ level of commitment. When I commit to becoming the gold standard, I mean VA must be the best in the federal government in protecting personal and health information, training and educating our employees to achieve that goal. The culture must put the custody of Veterans’ personal information first, over and above expediency, and I expect nothing less.” [Secretary Nicholson, Senate Veterans Affairs Committee Testimony, 7/20/06]
The Long Record of Dangerous Incompetence at the VA
VA Employee Allowed to Take Information Home for Years Before the Last Security Breach. “The employee, a data analyst, was authorized access to sensitive VA information in the performance of his duties and responsibilities. He said that he routinely took such data home to work on it, and had been doing so since 2003.” [Statement of R. James Nicholson, 5/25/06]
VA Knew for Years that Information Was at Risk but Did Nothing to Secure It. “In all four audits of the VA Security Program issued since 2001, we reported serious vulnerabilities that remain uncorrected. These reports highlight specific vulnerabilities that can be exploited, but the recurring themes in these reports are the need for centralization, remediation, and accountability in VA information security. Since the FY 2001 report, we reported weaknesses in physical security, electronic security, wireless security, personnel security, and FISMA reporting.” [Testimony of VA Inspector General George Opfer, 5/25/06]
Incompetence at the VA Goes Beyond Data Security
Nicholson Underestimated Funding for Veterans’ Health Care by at Least One Billion Dollars. “House Veterans Affairs Committee Chairman Steve Buyer (R-Ind.) and Veterans Affairs Secretary Jim Nicholson, who had both argued that the department could get through this year without additional cash, held a joint news conference to announce “immediate action” to fill a fiscal 2005 shortfall of at least $1 billion, and another shortfall of at least $1.5 billion in the House-passed appropriation for VA health care in fiscal 2006. Nicholson told lawmakers Tuesday that the administration had vastly underestimated the number of service personnel returning from Iraq and Afghanistan who would seek VA medical treatment.” [Washington Post, 6/30/05]
Nicholson Repeatedly and Incorrectly Assured Congress that VA had Adequate Funds for Veterans’ Health Care. An April 5 letter written by Nicholson to the Senate stated: “I can assure you that VA does not need emergency supplemental funds in FY2005 to continue to provide timely, quality service that is always our goal.” [Washington Post, 6/24/05]
Secretary Nicholson Has Not Been Forthcoming on Data Security
Secretary Nicholson Grossly Underestimated the Number of the Active Duty Troops in Harm’s Way after the Last Security Breach. “VA Secretary Jim Nicholson said the agency was mistaken when it said over the weekend that as many as 50,000 Navy and National Guard personnel — and no other active-duty personnel — were affected by the May 3 burglary. In fact, names, birth dates and Social Security numbers of as many as 1.1 million active-duty personnel from all of the armed forces — or 80% of all active-duty members — are believed to have been included, along with 430,000 members of the National Guard and 645,000 members of the reserves.” [AP, 6/7/06]
The Department of Veterans Affairs Did Not Inform Veterans of Security Breach for Over 2 Weeks in the First Breach. “When the government initially revealed the burglary on May 22, more than two weeks after it happened, it said the stolen data included the names, birthdates and Social Security numbers of up to 26.5 million veterans, and their spouses.” [New York Times, 6/7/06]
Secretary Nicholson Was Unable to Give an Adequate Answer as to Why He Was Not Made Aware of the Theft Sooner.
Senator Collins: And I think you find it to be baffling also, and I understand how frustrated and angry you must be that it took some 13 days before you were notified of such a serious breach. What is your theory on that? How do you think it was possible for there to be such long delays in bringing this incident to your attention? As I said, it wasn’t minor. It didn’t involve just a few records. It’s just so obviously urgent and serious that it’s so hard for me to understand the failure of those in the department to inform you.
Secretary Nicholson: It’s an appropriate question. It’s difficult for me to answer because some of the people, you know, along the line are some of the most competent, dedicated people I’ve ever worked with anywhere. And it’s hard to answer, frankly. So I’m only speculating. We’ve discussed it. They feel terrible. They’ve offered resignations. They were trying to deal with it, you know, themselves and get their arms around it and handle it. It’s not clear. [Senate Committee on Veteran Affairs Testimony], 5/25/06
Secretary Nicholson Was Not Straightforward about the Severity of the Original Security Breach.
- Nicholson Said No Medical Records Have Been Compromised: “‘I want to emphasize there was no medical records of any veteran and no financial information of any veteran that’s been compromised,’ Nicholson said.” [Bradenton Herald, 5/23/06]
- Then Nicholson Admitted Information on Disabilities Was Included in Stolen Data: “Also possibly included were some numerical disability ratings and the diagnostic codes which identify the disabilities being compensated.” [Statement of R. James Nicholson, 5/25/06]