An Alabama Veterans Affairs Department hospital that lost sensitive data on more than 1.5 million people in January repeatedly failed to follow privacy regulations leading up to the incident, according to an internal report.
The employee directly responsible for the data initially lied to investigators and deleted files from his computer in an effort to hide the magnitude of the problem, the VA's inspector general wrote.
The vast majority of the data, including Social Security numbers and private health information, was not protected by passwords or computer encryption. It could be used to commit Medicare billing fraud or identity theft, the report said, and the employee should never have had it in the first place.
The report recommends "administrative action" against several employees, including the staffer, the managers of the program where he worked and the head of the Birmingham VA Medical Center.
The security breach occurred on Jan. 22, when employees discovered an external computer hard drive missing from a satellite office that conducts specialty research on healthcare. Because the employee responsible for the drive initially lied about how much information was on the drive, the VA initially reported publicly that fewer than 50,000 people were affected. Investigators later determined that the drive contained information for more than 250,000 veterans and about 1.3 million healthcare providers across the country.