WASHINGTON -- In a scathing report yesterday, the inspector general's office in the Department of Veterans Affairs blamed VA officials for acting "with indifference and little sense of urgency" to the May 3 burglary of a laptop containing the Social Security numbers of 26 million veterans.
The report, issued two weeks after the FBI recovered the laptop and determined that its data had not been accessed, criticized the employee who took the computer home, saying he showed "extremely poor judgment" and downplayed the potential risk to veterans.
But the report also flailed VA employees up and down the line, reminiscent of House and Senate reports on the bureaucratic ineptitude of employees at the Federal Emergency Management Agency after Hurricane Katrina.
"At nearly every step, VA information security officials with responsibility for receiving, assessing, investigating or notifying higher-level officials of the data loss reacted with indifference and little sense of urgency or responsibility," the report said.
As a result, 12 days after receiving the original incident report, the security officials "had made no meaningful progress in assessing the magnitude of the event and, ironically, had passed responsibility to gather information on the incident back" for review as a possible privacy issue.
VA Secretary Jim Nicholson, who told Congress he was "mad as hell" about his department's handling of the incident, did not learn of the theft until 13 days after it occurred. "The delay in notifying the secretary was spent waiting for legal advice [and] can be attributed to a lack of urgency on the part of those requesting this advice," the report said.
After the burglary, the unnamed employee "was so flustered he decided not to discuss the matter," according to the information security officer who interviewed him and who suggested he write down what data were lost.
"The employee's written account of the lost data was essentially an identification of database extracts with little quantified information concerning the significance or magnitude of the incident," said the report.
As the employee's report of the theft traveled up the hierarchy, a series of bureaucratic tangles further thwarted its path. Deputy Assistant Michael McLendon, on learning of the theft two days after it occurred, decided to rewrite the report "because it was inadequate and did not appropriately address the event." McLendon submitted his report May 8.
"Our review of Mr. McLendon's revisions determined that his changes were an attempt to mitigate the risk of misuse of the stolen data," said the report. "He focused on adding information that most of the critical data was stored in files protected by a statistical software program, making it difficult to access."
But that assertion was false, the inspector general's report said, "because we were able to display and print portions of the formatted data without using the software program."
McLendon's supervisor, Dennis Duffy, acting assistant secretary for policy, planning and preparedness, sent the report to VA Chief of Staff Thomas Bowman on May 10 without determining "the magnitude of the stolen data" or even talking to the employee. In retrospect, he said, his greatest regret is that he "failed to recognize the magnitude of the whole thing."
Johanna Neuman writes for the Los Angeles Times.