Apparently, the Veterans Administration doesn't get it. In May, the VA reported that a laptop containing personal information on 26.5 million individuals was stolen from a VA employee's home. That laptop has since been recovered and the thieves arrested.
But now a desktop computer, containing personal information on an estimated 36,000 individuals, is missing from a VA subcontractor, Unisys. Unisys notified VA last week.
According to Computerworld, "the desktop computer may have contained patients' names, addresses, Social Security numbers, dates of birth, insurance carriers and billing information, dates of military service, as well as claims data that may include some medical information."
After the May incident involving the stolen laptop, VA officials testified before Congress several times concerning plans to revamp security as part of an agency-wide reorganization of its distributed IT environment. But apparently, VA is not moving fast enough.
I'm not privy to what work Unisys was doing with the personal data, but it is hard to believe there was no way that some of that data could have been de-personalized. For example, did Unisys really need to have the actual Social Security numbers of those individuals?
One solution: the VA needs a sensible data classification policy, or if it does have one, it needs to be enforced.