You fucking dimwits.

[Diane]

Chefguy:

But then they’re probably not the people who risk losing a significant chunk of their money and having their credit ratings destroyed.

Uh no, they probably are the people who are at risk. I can’t say for sure about the employee who took the information home, but a huge population of VA workers are veterans themselves.

As someone who is witnessing the effect this has had on some of our older, mentally challenged, or poverty level veterans, my heart goes out to them. They are stressed to the breaking limit and we are working hours and hours of overtime just to man all the telephone calls coming in from worried veterans.

Still, there is something that I don’t quite understand. The media has reported inadequacies in information security. I have authorized access to the same information that was stolen. I can assure you that the security measures are quite tight. In order to access this information, I have to utilize a password to log onto my computer system, another password to open the program that holds this information, and a third password to access veteran information. Three different passwords to get to the info. The program times out within minutes if you are not actively using it. Our computer password (yet another password) protected screen savers pop on within minutes if there is inactivity. We are required to lock our computers whenever we leave our desks - and our offices are in a keycarded locked area for employees only.

On top of that, we are required to change our passwords every 4 weeks. Before we are granted access to these records, we must be trained on security privacy issues with mandatory refresher training every year. We have periodic, unannounced inspections to make sure we are compliant.

The physical files are held in locked cabinets behind key access doors that only authorized personnel can enter. We must check files out under our name and list the purpose. We have barcodes to track every move a file makes. It is a severe violation to have a file that is not barcoded to your area.

My question to you guys, is what more could VA have done to protect this information? Strip search every employee as they leave work to make sure they aren’t sneaking work home with them? What security measures can the agency do, that they aren’t doing now to prevent someone from doing this?

Again, not defending the stupidity of the employee who took this work home, but please tell me how it could have been prevented with the security measures already in place?

[Monty]

What more? Well, it would’ve been nice if everyone at VA actually followed the protocols you mention, Diane. Of course, I’m glad that someone is and it’s great that where you work, the right things are done.

But, sadly, according to this article in the Stars & Stripes,

“We know virtually nothing about who has access to that information,” he told the members of Congress, noting that many VA employees telecommute and routinely use unsecured computers.

Another thing that would’ve been nice is to have let the dude in charge know a tad sooner than twelve days after the event.

On who should fall on his sword in this case, I find myself agreeing with Bob Filner’s advice to Nicholson:

{from the same article linked above}
“The most dramatic way you could actually take responsibility for this management debacle would be for you to resign now,” said Rep. Bob Filner, D-Calif.

[Diane]

Monty:

What more? Well, it would’ve been nice if everyone at VA actually followed the protocols you mention, Diane. Of course, I’m glad that someone is and it’s great that where you work, the right things are done.

But, sadly, according to this article in the Stars & Stripes,
Another thing that would’ve been nice is to have let the dude in charge know a tad sooner than twelve days after the event.

On who should fall on his sword in this case, I find myself agreeing with Bob Filner’s advice to Nicholson:

I totally agree with you. Someone’s head needs to roll, beginning with the employee (although I am not totally convinced he DIDN’T have permission to take work home with him). What I am having a problem with, is this supposedly lack of record security.

The program I mentioned is not a local data base, it is a VA wide program that has the same password requirements throughout the agency - three passwords to even access records. The requirements to have password protected screensavers, yearly training, and secured file bank, is also VA wide. I assume that most, if not all offices are compliant considering the fact that site inspections are made, and having lived through a couple, I have seen how stringent and serious the inspectors are.

As for the article, I assume that the VA officials are aware of who has access to these records because am employee has to get access clearance from IT, which is then entered into the system by employee number, which cross references to the employees personal information. Every time I access these records, it puts my employee number into the system and leaves an elecronic trail of what I have done. Again, this is a VA-wide system, not a local data base. Every employee who has access is required to be trained (with refresher training) in security and privacy issues.

As for other information security issues, obviously there are problems, otherwise there would not be this huge, HUGE mess. But again, and I am not being argumentive or defensive, with the electronic security measures and the regulations to store physical files, what would have prevented this short of strip searching every employee before they left for home?

[Monty]

Oh, I know you’re not being argumentative or defensive. You’re pointing out not only the way things are supposed to work but also how they do work in your corner of the VA. Sadly, all it takes is someone who knows how to copy a file into another database and blooie the protocols are all meaningless.

If the employee didn’t have written permission to take the stuff off-site, he’s out of luck. If he did have written permission, the idiot who signed that slip is out of luck. At any rate, as the article I linked above mentions:

But House Democrats said targeting low-level workers in this case alone won’t solve the VA’s systemic problems. They pointed to years of federal reports and reprimands for the VA over the issue of cybersecurity, and accused Nicholson of indifference to the issue even now.

More than just one or two heads need to roll.

[Cerri]

Man…between this and the Fidelity laptop stolen in March that contained almost 200k Hewlett-Packard employees’ financial data, my ex-Navy buddy who works for HP really isn’t having a good year.

[LucyInDisguise]

[Slight hijack …]

As one of the potentially affected Vets – Does anyone know how I find out if MY records were amoung those stolen?

[/hijack]

Lucy

[Q.E.D]

LucyInDisguise:

Does anyone know how I find out if MY records were amoung those stolen?

From the article linked in the OP:

The VA sent a letter to veterans informing them of the stolen data. Anyone with questions can contact the agency at (800) 333-4636 or through the federal government’s Web portal, www.firstgov.gov.

[Diane]

LucyInDisguise:

[Slight hijack …]

As one of the potentially affected Vets – Does anyone know how I find out if MY records were amoung those stolen?

[/hijack]

Lucy

Were you discharged 1975 or later, or have you filed a claim for disability benefits? If so, most likely your records were affected.

I would suggest that you call 1-800-827-1000 and have them enter your information into the system to see if your record pops up. This data base is the same data base that was stolen. If your record pulls up, you were affected.

[LucyInDisguise]

Diane:

Were you discharged 1975 or later, or have you filed a claim for disability benefits? If so, most likely your records were affected.

I would suggest that you call 1-800-827-1000 and have them enter your information into the system to see if your record pops up. This data base is the same data base that was stolen. If your record pulls up, you were affected.

Shit. (Discharged 6/76)

Thank you for your prompt reply. Haven’t found anyone else that could tell me how to find out.

Sincerely appreciative.
Lucy

[Smart Assed Rhetorical Post Script]

Any more at the VA like you??

[/SARPS]

[Diane]

LucyInDisguise:

Shit. (Discharged 6/76)

Thank you for your prompt reply. Haven’t found anyone else that could tell me how to find out.

Sincerely appreciative.
Lucy

[Smart Assed Rhetorical Post Script]

Any more at the VA like you??

[/SARPS]

No problem at all.

Sounds like you were affected (6/76) but I would still call VA and have them verify for you. I would like to be able to assure you that things will be fine, but I really don’t know. I will tell you what I tell the vets I talk to at work - Keep an eye on your credit report. You should also alert your bank and the credit bureau that you are part of the VA records that were stolen and have them watch your accounts. Not a great answer I know, but without knowing where those records are and what, if anything, is being done with them, it is the best answer for now. Hopefully the higher ups in Washington will get a better plan in place.

As for the smart assed rhetorical post - - in all seriousness, most VA employees really do care for the veterans. We see the effects of battle that most people never will, which gives us a very sincere and deep appreciated for all veterans and what they sacrifice.

[Cartooniverse]

OtakuLoki:

. Okay, AIUI, there are three credit reporting companies/bureaus and getting a credit report is a nominal $15 fee per company. So, that’s $45 per veteran… times 26 million vets affected…

Which does make an excellent argument that this man was paid a fucking fortune by one or more of the three major credit bureaus to do what he did.

How do you increase profits? What was the math? 45.00 x 26,000,000 ? That's 1, 170,000,000.

Pretty good reason to commit a felony in some folks’ minds.

Cartooniverse

[LucyInDisguise]

Diane:

<snip>… in all seriousness, most VA employees really do care for the veterans. We see the effects of battle that most people never will, which gives us a very sincere and deep appreciated for all veterans and what they sacrifice.

“(I)n all seriousness” … Thank* You*. It was my (our) pleasure to serve.

Lucy

[Diane]

Lucy, if VA verifies that your records were part of the theft, here is a checklist from MSNBC.COM that includes some good information -

http://www.msnbc.msn.com/id/12940308/

Cartooniverse:

Which does make an excellent argument that this man was paid a fucking fortune by one or more of the three major credit bureaus to do what he did.

How do you increase profits? What was the math? 45.00 x 26,000,000 ? That's 1, 170,000,000.

Pretty good reason to commit a felony in some folks’ minds.

Cartooniverse

That doesn’t make any sense considering (from the link above) -

*4. Regularly check your credit report.
Every American is entitled to one free copy of their credit report every year at AnnualCreditReport.com. That’s three peeks altogether, since you can get one copy each from all three bureaus. So one great strategy is to spread those three out every four months. Since the reports largely overlap, that’s a great way to see if there’s any new accounts on there that don’t belong.

Four months is still a little too infrequent if you think your personal information has been stolen. But there are other ways to get a free credit report to augment this protection. Many state legislatures give their residents a separate right to see their credit report, and you can get another three free credit reports that way. The procedure varies from state to state, but it usually involves a simple letter. Now you’re up to 6 reports each year.*

[gonzomax]

Added bonus. When the senate pasesd the bankrupcy bill it voted down provisions brought up by the dems. For special conditions-senior citizens-Victims of catastrophic illness-and of course victims of identity theft. The finance companies that wrote the bill were taking no exceptions. They even kicked back a rider to hold interest rates under 30%.So dont look for help from them.

[Chefguy]

Diane: Thanks for the additional information. I’ve been on vacation for a week and just logged back in.

[Diane]

Q.E.D.:

From the article linked in the OP:

The number Q.E.D. posted is a call center set up to handle the vast amount of calls regarding the theft (we still had to man the calls coming into our regular 1-800 number). It is a good number to call for basic information, however, I am not sure if they have the ability to tell a veteran whether or not their information is in the VA database. If not, a VA counselor at 1-800-827-1000 will be able to tell you for certain.

Chefguy - You’re welcome and welcome back.

[Sean_Factotum]

Diane you did say that this information was available throughout the entire VA system, right? If that’'s the case, and some of the VA workers telecomute, what possible reason could someone have for taking this information home? And I’m assuming it was on a disk or harddrive - 26 million files as big as my record aren’t going to fit into a box one person can carry out of the building.

[MsRobyn]

Sean Factotum:

Diane you did say that this information was available throughout the entire VA system, right? If that’'s the case, and some of the VA workers telecomute, what possible reason could someone have for taking this information home? And I’m assuming it was on a disk or harddrive - 26 million files as big as my record aren’t going to fit into a box one person can carry out of the building.

Not all records are that big. I called Diane’s number this afternoon and was told that all I had in their database was my name, DOB and SSN. I now have a call in to my credit union and need to talk to the credit bureaus.

Thanks bunches for the help, Diane!

Robin

[Diane]

Sean Factotum:

Diane you did say that this information was available throughout the entire VA system, right? If that’'s the case, and some of the VA workers telecomute, what possible reason could someone have for taking this information home? And I’m assuming it was on a disk or harddrive - 26 million files as big as my record aren’t going to fit into a box one person can carry out of the building.

It may help understand what was stolen if I explain the VA disability claim process and veteran records.

When a veteran files a claim for disability, a physical claims folder is created. Included in this file is his DD-214, original service medical records, and any supporting documentation such as civilian and VA Medical Center treatment records. Eventually, VA is supposed to go paperless and all of these records will be kept electronicall. I’m not holding my breath though, they started telling us this way back in the early 1990’s.

These records are stored in VA Regional Offices across the country in secured, employee access only file banks. These folders must be checked out and wanded (barcode tracking) to our desks so they are accounted for every minute of the day and every move they make.

Coupled with the physical folder is a VERY limited electronic record. The electronic record holds service verification to include SSN, branch of military, date of birth, service dates, rank, type of discharge, and date of death if the veteran is deceased.

Once a decision on a disability claim is completed, an additional electronic record is created. This record shows a denial of benefits or if granted, the percentage of disability awarded, type of disabilities, the amount received each month, and any dependents. Other than a code that tells us what the disability is (i.e. 6100 = hearing loss), no actual medical records are kept in the computer base. If you were discharged after 1975 but never filed a claim, you obviously won’t have an electronic file with this additional information.

Prior to 1975, the VA did not have electronic records for veterans unless they filed a claim for disability. Beginning in 1975 the military was given the ability to enter service information (SSN, branch, etc.) into the VA computer system directly. Having military service readily available and verified literally saved months in the claims processing period because the veteran and VA no longer had the need to go out and obtain military service verification. This also works well for those veterans who never use VA benefits but may one day need service dates (or whatever) when applying for Social Security or other programs yet have lost their discharge papers.

So . . . .

The information that was stolen was the database for the electronic records and not the physical folder. We are only talking name, SSN, date of birth, service dates, type of discharge, and percentage, amount, and type of disability if receiving benefits. Unfortunately, prime infor for identity theives. As I undertand it, the data base was on a couple of disks or jump drives. It would be very easy to fit 26 million records on the disks because, while it is very important information, it is also very small. Put together in raw data format, we are talking maybe 2 -3 lines of text per vet.

I don’t know why the guy took the records home. It may be that he took home his laptop and recklessly included these disks. I really don’t know.

MsRobyn - You’re welcome.

[PetW]

I have a question that’s only semi-related. Isn’t it 15 points off your beacon score anytime anyone runs a credit report on you? By “free credit report” does it mean that it doesn’t cost any money, and there’s no beacon score penalty, or will running a credit check still harm your overall credit rating?