VA data breach may have affected more than 4,000 veterans

A Veterans Affairs Department data breach may have put at risk the personal information of more than 4,000 veterans, VA Chief Information Officer Roger Baker said Wednesday.

That is nearly twice the number of potentially affected vets VA said last week were eligible for credit monitoring because of the breach.

The information, including Social Security numbers, was posted on Ancestry.com last March and not discovered by VA until December, eight months later, when the daughter of a living veteran complained that personal information about her parent had been posted on the website, Baker said. The information was immediately taken off the website last month.

As of Wednesday, VA had confirmed that the personal information of at least 2,257 living veterans was mistakenly released to Ancestry.com as part of a response to a Freedom of Information Act request involving 14.7 million veteran records, Baker said. VA is reviewing about 2,000 additional names to determine if the individuals are deceased or living. – Federal Times

Press Release from the Department of Veterans Affairs

VA Providing Credit Monitoring to Misidentified Veterans

WASHINGTON – The Department of Veterans Affairs is offering free credit monitoring to more than 2,200 Veterans whose personal information, including social security numbers, was posted on Ancestry.com following the mistaken release of data through the Freedom of Information Act (FOIA).

“VA places the highest priority upon safeguarding the personal information of our Veterans,” said Jerry L. Davis, VA’s chief information security officer. “When lapses occur, we will immediately take prompt remedial action, such as notification.”

The family history website, which provides access to genealogical and historical information, had requested information from VA about deceased Veterans. Under FOIA, VA is obligated to release requested records upon written request unless they may be withheld. Therefore, VA provided the website with the data on March 18, 2011.

On Dec. 13, 2011, after the information had been posted on the history website, VA learned that it included data about some living Veterans because some of the death reports provided to the website were inaccurate.

“Fortunately, no personal health information was included in this data release,” Davis said. “Ancestry.com has worked with us and immediately removed all the information that we had supplied them.”

There is no indication personally identifiable information of any Veteran has been misused. However, VA is still notifying all potentially affected Veterans so they can be vigilant and take steps to protect against identity theft. VA is also offering credit monitoring for one year at no charge to every Veteran whose name was mistakenly released and posted on the history website.

FOIA requires federal agencies to disclose requested records unless they may be withheld under specific statutory exemptions. Under FOIA, VA was obligated to provide the website with the name, social security number, date of birth, date of death, military branch assignments, and the dates of entry on active duty and release from active duty for deceased Veterans.

VA has launched an effort to determine why information about living Veterans was included in a database about deceased Veterans. The error did not affect the VA benefits of any Veteran. VA is committed to protecting Veterans’ personal information and to improving information processing to avoid erroneous data.

Veterans who believe they may have been affected by this incident who have not been notified by VA may verify whether their information was involved by writing to: Department of Veterans Affairs, OIT Privacy Officer (005R1A), 810 Vermont Ave., NW Washington DC 20420, (Attn: Garnett Best).

Affected Veterans can request a free credit report for one year from one or more of the three national credit bureaus by calling 1-877-322-8228 or by visiting http://www.annualcreditreport.com.

Information about this and other protections, including placing a “fraud alert” on credit accounts, is available by calling the Federal Trade Commission at its toll free number, 1-877-438-4338, or by visiting its website, http://www.ftc.gov/bcp/edu/microsites/idtheft/index.html