Frankly Speaking: Number Control

12.06.2006
The numbers just keep rising out of control in the gigantic data breach at the U.S. Department of Veterans Affairs. On June 3, the VA said that as many as 50,000 active-duty U.S. Navy and National Guard and Reserve personnel, as well as 26.4 million military veterans, had their personal information exposed when a laptop was stolen from a VA employee's home last month.

A few days later, the VA decided that the 50,000 number was just a tad low. The new estimate: 2.2 million active-duty U.S. military people, including National Guard members and reservists.

Also last week, veterans groups filed a lawsuit asking for nearly US$30 billion for those whose personal data was exposed.

That's a big pile of money, even by Washington standards -- though it still comes to only $1,000 per person affected.

Meanwhile, more details of IT problems at the VA keep dribbling out. How did the active-duty personnel's names, dates of birth and Social Security numbers get mixed in with those of veterans? The first answer from the VA was that a fouled-up paperwork process classified some military personnel as veterans even though they had re-enlisted.

But last week, the agency said it routinely receives records for all active-duty personnel because they're eligible for benefits.

Another data point: Some news reports last week said the VA is now trying to inventory and locate all its laptops.

So let's connect the dots:

The VA doesn't know how many laptops it has or where they are.

The VA doesn't know what's on those laptops.

The VA didn't know until last week who it keeps data on, or why.

The VA's data security processes are hopeless failures.

The VA's business processes are an incoherent mess.

Yes, this is an IT problem and a security problem. But it doesn't end there. Despite the dramatic IT-driven improvements at the VA's hospitals, this is a government agency that literally doesn't know what it's doing.

Outrage on behalf of veterans and active-duty military personnel is easy -- and it's appropriate.

But this is just the tip of the iceberg. We all know that -- anyone working in government or corporate IT.

Too many of our business processes are just as messy as the VA's. For years, we've collected data via the Web or by using customer relationship management systems, much of it data that we don't need, don't keep proper track of and haven't properly secured.

We let it be carried out the door every night in laptops, shipped cross-country in backup tapes and equipment, accessed over the Internet from employees' home computers. And in most cases, it's unencrypted, untracked and unsecured.

As we watch the VA's fiasco continue to unfold, we're in no position to feel superior or complacent. That could be us.

But we are in a position to see our own future. One image comes from that multibillion-dollar, class-action lawsuit on behalf of those whose personal data the VA exposed. If that lawsuit holds up in court, we're looking at potentially huge financial liability for every future data loss.

Another image comes with word last week that the American Institute of Certified Public Accountants lost personal information on its 330,000 members -- including names, addresses and Social Security numbers -- when a hard drive disappeared in transit.

That's right: Hundreds of thousands of CPAs suddenly have a very personal interest in how closely personal information is secured and how easily it can go astray.

In fact, the AICPA announced that it will no longer collect Social Security numbers and is "accelerating our efforts to develop other means of uniquely identifying our members."

That's our future, too: one where we'll have to keep a tight rein on Social Security numbers -- or get rid of them entirely.
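One concrete way to "get rid of them entirely" while still being able to tell two enrollments of the same person apart, as an added illustration that is not part of this column or of anything the AICPA announced: issue each member a random, opaque ID, and keep only a keyed pseudonym (HMAC-SHA256) of the SSN for matching, with the key held apart from the data. The key, the member names and the SSNs below are constructed sample values; the Python standard library's `hmac` and `secrets` modules are the only dependencies.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample key for this example only. In a real deployment the key
# lives in an HSM or a separate secrets store, never on the same laptop or
# backup tape as the member data.
SAMPLE_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)


def normalize_ssn(ssn: str) -> str:
    """Strip dashes and spaces so '123-45-6789' and '123456789' are one value."""
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("SSN must contain exactly 9 digits")
    return digits


def ssn_pseudonym(ssn: str, key: bytes) -> str:
    """Keyed pseudonym of an SSN.

    A plain SHA-256 of the number is worthless: there are only about 10^9
    possible SSNs, so an attacker with the hashes brute-forces them in minutes.
    With HMAC the same attack requires the key, which is stored elsewhere.
    """
    data = normalize_ssn(ssn).encode("ascii")
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def new_member_id() -> str:
    """Opaque random member identifier; it encodes nothing about the person."""
    return "M-" + secrets.token_hex(8)


class MemberDirectory:
    """Member records keyed by opaque ID. The SSN itself is never stored."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._id_by_pseudonym: Dict[str, str] = {}
        self.members: Dict[str, Dict[str, str]] = {}

    def enroll(self, name: str, ssn: str) -> str:
        """Create a member, or return the existing ID if this SSN was seen before."""
        pseudonym = ssn_pseudonym(ssn, self._key)
        existing = self._id_by_pseudonym.get(pseudonym)
        if existing is not None:
            return existing
        member_id = new_member_id()
        self._id_by_pseudonym[pseudonym] = member_id
        self.members[member_id] = {"name": name}
        return member_id

    def lookup_by_ssn(self, ssn: str) -> Optional[str]:
        """Legacy lookup path: callers who still hold an SSN can find the member."""
        return self._id_by_pseudonym.get(ssn_pseudonym(ssn, self._key))

    def persisted_contains(self, ssn: str) -> bool:
        """Audit helper: does the raw SSN appear anywhere in what we would write to disk?"""
        blob = repr(self.members) + repr(self._id_by_pseudonym)
        return normalize_ssn(ssn) in blob


if __name__ == "__main__":
    directory = MemberDirectory(SAMPLE_KEY)
    first = directory.enroll("A. Sample", "123-45-6789")   # constructed SSN
    again = directory.enroll("A. Sample", "123456789")     # same person, different format
    print("same member:", first == again)
    print("raw SSN persisted:", directory.persisted_contains("123-45-6789"))
```

The property worth checking is the last one: a stolen copy of `members` and `_id_by_pseudonym` contains names and opaque IDs but no SSN, and without `SAMPLE_KEY` the pseudonyms cannot be reversed by enumeration. The caveat is the mirror image: if the key is stored beside the data, the pseudonyms are only as safe as a plain hash, so key custody is the whole design, not a detail.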

And the sooner we get a handle on those numbers, the better off we'll be.

Frank Hayes, Computerworld's senior news columnist, has covered IT for more than 20 years. Contact him at frank_hayes@computerworld.com.