INDIANAPOLIS (WISH) – A Department of Veterans Affairs’ employee took documents containing personal information of four veterans outside the Cleveland Federal Building last fall where they were left unattended for two to three days before being found by another employee, a VA security official tells I-Team 8.
The documents, which contained personal information of one Indiana veteran and three others, were left in a park courtyard area just outside the Cleveland Federal Building. The identities of the other three veterans is unclear. One of them is Bob Ildefonzo, a Peru, Indiana man who notified I-Team 8 about the incident.
In an interview last month, Ildefonzo said he was expecting to hear about his medical claims appeal. Instead, he got a letter in the mail telling him that his identity might have compromised and offering him free credit monitoring.
“Somebody could have taken it or they could have taken pictures of everything. I feel very violated,” Ildefonzo said last month.
The employee who committed the error was “re-trained,” according to Stan Lowe, the deputy assistant in the VA’s Office of Information Security. What’s not clear is that employee’s identity or if that person faced any other discipline. Lowe refused to say in an interview with I-Team 8.
In his first interview since I-Team 8 broke the story last month, Lowe did admit it was a mistake.
“Frankly how long the information was out there is immaterial, whether it be for a minute, an hour, a second, the mere fact that it was left unattended is enough for us to take action. We take veteran information seriously and the mere possibility it could have been compromised is enough for us to take action,” Lowe said.
When pressed about why an employee would take personal information outside, Lowe said: “That’s an awesome question. It’s completely against policy.”
The identity breach is one of thousands that have occurred at VA facilities across the country in the last year, according to an I-Team 8 investigation. VA records show the agency sent out more than 8,100 credit protection letters, according to the last quarter’s notification list provided to Congress.
As Lowe noted, the VA is required by law to provide Congress with quarterly reports about identity or data breaches. But in an effort to be “more transparent,” Lowe says the VA provides Congress with monthly reports.
An I-Team 8 review of the last three months shows there was no mention of the incident in Cleveland.
When pressed about this, VA spokeswoman Genevieve Billia said: “VA takes its obligation to protect Veteran information very seriously. The monthly report is VA’s effort to be transparent about how it sometimes falls short in meeting that obligation. As the report shows, the vast majority of data breaches occur as a result of mishandling paper, such as the incident from Cleveland. Because of the number of small paper breaches that occur, each month’s report includes details on only a sampling of mishandled paper incidents. The incident from Cleveland would have been included in the line referencing other mishandlings that occurred that month.”
Lowe said these types of incidents are “happening more than we would like.” In an effort to combat human error, he said they’ve reminded employees of the importance of keeping veterans’ information secure while at the same time started to switch to more electronic rather than paper records.
If you are a veteran concerned about your identity, the VA has provided this website.
To examine the records the VA sends to Congress, click here.