Déjà vu? The Augusta Chronicle notes how the VA had another data breach when a laptop was stolen. One wonders, how can this be, when the VA has announced that all of their laptops are protected with encryption software?
Shifting Risk: People Becoming the Problem
As it turns out, the missing laptop is a personal computer that belonged to a physician associated with the Charlie Norwood VA Medical Center in Augusta, Georgia. It contained names, the SSN’s last four digits, discharge dates, and medical providers’ names.
At the time, he had a professional need for the information but violated VA policy by putting the information on his personal laptop before it was stolen March 30, said Alicia Miller, the acting public affairs officer.
“He did do due diligence and notify us when the laptop was stolen,” Miller said.
No action will be taken against the physician because he has already left the hospital, Miller said. [augusta.com]
In the future, you can expect more stories like these to appear whenever you see the words “data breach,” “laptop,” and “VA” in a headline. The reason? Because the VA’s biggest data breach threat is now people.
Of course, that’s always been true: after all, laptops, USB disks, and paper documents don’t have feet and go missing by themselves. There’s always someone involved. But, seeing how the VA has deployed encryption on all of its computers (I have no reason to doubt this claim), the loss of department laptops will no longer be the reason for data breaches.
If the loss of a laptop does become the focal point of a data breach, it will be because someone decided to break the rules. Which goes to show that technology alone cannot solve data security problems; one really needs to involve education.