"Decades and decades of neglect and a fierce resistance to centralized authority are the root causes for this," he said. Nowhere in the report is that issue addressed, Brody said.

The OIG's 78-page report cites lapses up and down the chain of command at the VA and offers recommendations for addressing them. For instance, the data analyst from whose house the equipment was stolen was authorized to access and use VA databases.

But much of the information he had stored on the stolen hard drive was being used for a self-initiated "fascination project" being done on his own time since 2003, without the knowledge of his supervisors, according to the report.

"The loss of VA data was possible because the employee used extremely poor judgment when he decided to take personal information pertaining to millions of veterans out of the office and store it in his house, without encrypting or password-protecting the data," the report said.

The OIG's investigation also found the agency's response to the incident to be deeply flawed.