The Veterans Affairs Department has agreed to pay up to $20 million to veterans for exposing them to possible identity theft in 2006 in what remains the mother of all healthcare security breaches, according to the Associated Press and other reports.
According to court filings Tuesday, lawyers for five veterans groups and the VA reached the settlement in a case filed in U.S. District Court in Washington. Judge James Robertson will have to approve the settlement, however, before it is final, the AP reported.
The breach occurred when a laptop computer and external hard drive were stolen in the burglary of the Baltimore home of a VA employee and data analyst. The computer storage devices contained data on a reported 26.5 million veterans, data that included their names, Social Security numbers and dates of birth. The equipment was turned over to the FBI anonymously a month later. Forensic analysts with the FBI determined the database had not been accessed since the laptop was stolen. Five VA officials resigned in the wake of the incident, however.
Thus far, the VA incident remains the largest reported data breach in U.S. healthcare history, which is not entirely surprising because, with 135 hospitals and 731 clinics, the VA is the largest healthcare organization in the U.S. But the VA incident is not the largest data breach in the U.S. and not, by a long shot, the only one in the healthcare industry, according to a 2007 Government Accountability Office report.
The GAO said data breaches across all industries had become widespread in recent years, with 570 from 2005 through 2006 alone that were large enough to be reported in the media.
The GAO looked at the 24 largest data breaches reported during the period, noting that the largest involved the credit card records of 45 million customers reported in 2007 by retailer TJX Cos. The GAO also cited an American Hospital Association survey that found 17 breaches had occurred at 13 of the 46 hospitals participating, including three that resulted in fraudulent activity.
According to the AP, the proposed settlement provides that veterans who are able to show they were harmed by the data theft will be eligible for payments of $75 to $1,500. Any remainder in the fund after all settlements are made will be donated to veterans' charities, the AP said.
In an e-mailed statement, a VA spokeswoman said the "VA is committed to being the 'gold standard' in data security, just as we are a leader in the healthcare industry. We want to assure veterans there is no evidence that the information involved in this incident was used to harm a single veteran."