• United States



by Dave Gradijan

Unisys Contractor Arrested in VA Theft

Sep 18, 20063 mins
CSO and CISOData and Information Security

Authorities have charged a 21-year-old Unisys subcontractor with stealing a desktop computer with billing information on as many as 38,000 U.S. Department of Veterans Affairs (VA) medical patients.

Khalil Abdulla-Raheem of Washington, D.C., was charged Wednesday with theft of government property. He is an employee of a company that “provides temporary labor to Unisys,” according to a statement released by the VA’s inspector general’s office.

The computer was stolen in late July from Unisys’ Reston, Va., offices. It contained records on about 16,000 living patients who had received treatment at VA medical centers in Philadelphia and Pittsburgh, as well as information on another 2,000 who are deceased. Data on an additional 20,000 patients may have been stored on the computer, according to the VA.

The VA said these records may have contained Social Security numbers, addresses and insurance information. The U.S. FBI is now analyzing the computer to determine whether this information has been compromised, but investigators do not believe that Abdulla-Raheem was after the VA data.

This is the second of two major data breaches at the VA this year. In May, personal information on about 26.5 million veterans was compromised when a laptop and external hard drive were stolen from a VA analyst’s home. Authorities have arrested two teenagers in connection with that theft, and the FBI has concluded that the sensitive information was untouched.

Still, the data in question was unencrypted in both of these incidents, and the VA, which has regularly scored failing grades in the federal government’s annual computer security scorecard, has been blasted for its handling of the matter.

The department’s inspector general published a report in July citing policy failures and a lack of supervision in the May incident, and called for the VA to adopt a clear policy for safeguarding sensitive data.

With data notification laws pushing data breaches into the public eye, PC encryption has become a priority for many IT departments.

In fact, laptop encryption will top a list of the 10 most important security trends for 2007, due to be released on Oct. 1 by the SANS Institute, a computer security training organization.

“Every major organization is moving forward to buy and deploy encryption products,” said SANS Director of Research Alan Paller, in an e-mail sent Thursday. “The reason is that top management is adamant about not facing personal embarrassment because of lost sensitive data.”

Abdulla-Raheem was released on bail Wednesday and is due back in federal court for a preliminary hearing on Oct. 3.

Unisys has offered a $50,000 reward for information leading to the recovery of the PC. So far, nobody has come forward to claim the money, according to Lisa Meyer, a Unisys spokeswoman.

Unisys had not encrypted the data on the stolen PC because this was not required by the VA, but the company is now taking a second look at this policy, Meyer said. “An event like this caused us to re-examine everything we’re doing,” she said.

By Robert McMillan, IDG News Service (San Francisco Bureau)

Related Link:

Data Theft at the VA

Keep checking in at our Security Feed for updated news coverage.