The Department of Veterans Affairs began on-site inspections of its contractors' security procedures this week following two recent data breaches that put at risk the financial identities of 4,000 veterans, Roger Baker, VA's CIO, said May 27 at a media briefing.

The audits are part of series of measures the VA is taking in the aftermath of two April data breaches affecting veterans' personal identification information. In the most recent incident, Baker said, a paper binder used as a log for tracking patient lab tests was taken from a locked office at the VA's North Texas Health Care System in Dallas.
 
The incident followed closely the loss of a laptop containing information on about 600 veterans that was owned by a VA contractor. Both incidents were reported to the House Veterans' Affairs subcommittee on oversight.

In response to the incidents, the VA has sent letters to about 4,000 veterans informing them that their personal identification information had been compromised and offering them a year of identity theft protection, Baker said.

The department has also informed contractors that if they possess laptops containing veterans' personal information, the information must be encrypted, he added.

The department routinely notifies Congress whenever it believes the security of health information it controls is at risk, said Baker, who also announced he would start to hold regular monthly press briefings in an effort to make his office's practices more transparent to the public.

Noting that the VA had thousands of vendors and was the largest healthcare organization in the world, Baker said the department, "sees a wide variety of incidents every month," the vast majority of which are not significant enough to report.

"It's a large organization and there's still a lot we need to do to have great information security," he said, describing the security challenge as a "balancing act" between the need to serve veterans and ensuring their information is protected.