US VA blasted for slow data breach disclosure, response

14.07.2006

Early on, few attempts were made to understand the magnitude and significance of the stolen data. In fact, Michael McLendon, the VA's deputy assistant secretary for policy, attempted to downplay the risk of the data being misused by suggesting that it had been protected via a "statistical software program."

That claim was later proved to be inaccurate, the report said. A "very strained" personal relationship between McLendon and Dennis Duffy, the acting assistant secretary for policy, planning and preparedness, also affected how the incident was handled and the manner in which it was communicated to higher-ups. As a result, Nicholson wasn't even told of the breach until May 16.

The initial incident report from the information security office at the office of policy, planning and preparedness had "significant errors and omissions," the OIG report said. But no attempts were made by the district information security officer and the office of information technology to get clarifications from the employee from whom the data was stolen.

"At nearly every step, VA information security officials with responsibility for receiving, investigating or notifying higher-level officials of the data loss reacted with indifference and little sense of urgency or responsibility," the report said.

The VA also lacked policies for safeguarding sensitive information used by its employees and contractors, and had little supervisory oversight over how data was being accessed and used. John Pescatore, an analyst at Stamford, Conn.-based Gartner Inc., said the findings aren't surprising.