Stolen VA data includes active-duty personnel

06.06.2006
The names, Social Security numbers and dates of birth of some 50,000 active-duty military personnel were included in the data on 26.5 million U.S. veterans stolen from the residence of a U.S. Department of Veterans Affairs (VA) employee, exposing them to possible identity theft, the department announced Saturday.

Several veterans' groups announced Tuesday that they have filed a lawsuit against the VA for failing to protect their personal information.

To learn more precisely what information was contained in the duplicate database stolen from the VA employee last month, the VA has hired its own independent forensic experts to analyze the original data, Secretary of Veterans Affairs R. James Nicholson said in the statement.

The VA said it has not received any reports that the stolen data has been used for fraudulent purposes.

As for the active-duty personnel whose personal information may have been breached, the VA said that group includes up to 20,000 National Guard and Reserve personnel who were on at least their second federalized active duty call-up as well as 30,000 U.S. Navy personnel. That group could include members of the U.S. Navy who remain on active duty and completed their first enlistment term prior to 1991, the VA said.

"This happened because these individuals were issued a 'DD-214' - or a separation from active service notification - by the Department of Defense (DOD) upon completion of their first enlistments," according to the statement. "This triggered an automatic notification to VA that these individuals were no longer on active duty. Subsequent to VA receiving the initial DD-214, these individuals re-enlisted for another term of active duty, meaning their information could still be in VA's data files."

The VA said it is working with the DOD to match data and verify those potentially affected. The VA is sending letters to those whose personal information may have been stolen, and said it has no evidence that other full-time, active duty personnel from the other military branches are affected.

In the wake of the data theft, the Vietnam Veterans of America (VVA) has joined four other national organizations and several individual veterans in a class-action lawsuit seeking judicial oversight and protection of the VA computer files.

"It is appalling to all veterans that their personal information -- information that is supposed to be held in confidence -- is potentially in the hands of individuals who can wreak identity-theft havoc," John Rowan, national president of VVA and a plaintiff in the lawsuit, said in the statement. "VA Secretary Nicholson has said he is 'mad as hell' over this incident and the breakdown in command and control of his department, and we believe him.

"However, he has yet to answer some critical questions: What was an employee of the VA doing with the names, Social Security numbers and dates of birth of all these veterans, the vast majority of whom have never availed themselves of VA services? Why is the VA collecting this information in the first place?"

The lawsuit was filed in U.S. District Court for the District of Columbia Tuesday by attorney Douglas Rosinski, of the law firm Ogletree, Deakins, Nash, Smoak & Stewart P.C. The other organizations that have joined the suit are the National Gulf War Resource Center, Radiated Veterans of America, Citizen Soldier and Veterans for Peace.

"Saying 'We're sorry' is hardly comforting to veterans and their families," said Rowan in the statement. "The VA has been criticized for years about lax information security and that includes criticism from the VA's own Inspector General. The VA still hasn't properly secured all the personal information under its control. We've just seen the largest known unauthorized disclosure of Social Security numbers in history. We hope this lawsuit will help Secretary Nicholson correct the known vulnerabilities in how the VA protects private information. If the VA can't solve the problem, maybe the courts can help."

The lawsuit seeks:

- A declaratory judgment that the VA's loss of these records violated and continues to violate both the Privacy and Administrative Procedure Acts.

- A court order that the VA disclose the exact nature of its compromised records system and individually inform each veteran of every record it maintains on him or her.

- An injunction preventing the VA from altering any data storage system and prohibiting any further use of the data until a court-appointed panel of experts determines how best to implement safeguards to prevent any further breaches.

- A judgment awarding $1,000 to each veteran who can show that he or she has been harmed by the VA's violation of the Privacy Act.

The VA said it does not comment on specific litigation.

"VA continues to conduct a complete and thorough investigation into this incident, and has hired independent data forensic experts to better determine what information may be involved," VA spokesman Matt Burns said in a statement e-mailed to Computerworld. "VA is providing additional details about the nature of the data as new information is learned. VA is also taking aggressive steps to improve its policies and procedures regarding the handling of sensitive data, and the Department continues to notify individuals whose personal information may have been involved. Additionally, VA is in ongoing discussions with several entities regarding credit-monitoring services to determine how veterans and others potentially affected can best be served...."