Latest Information on Veterans Affairs Data Security
The information on this page has been obtained from http://www.firstgov.gov/veteransinfo and is being posted by NVVA secondhand. NVVA will attempt to post the most up-to-date information regarding this issue, as well as the dates on which the information was published by its original source, in this case http://www.firstgov.gov/veteransinfo.
Page last updated August 8, 2006
NEW: Subcontractor Notifies VA of Missing Computer with Vet Files
On August 7, 2006, the Department of Veterans Affairs (VA) announced that a subcontractor, hired to assist in insurance collections for VA's medical centers in Pittsburgh and Philadelphia, informed VA that a desktop computer containing personal information on some veterans is missing from the company's offices.
Here are some questions you may have about the May 2006 Veterans Affairs data security incident, and their answers.
Frequently Asked Questions
- What Happened and How Does this Affect Me?
- Recovery of Stolen Laptop?
- What Should I Do?
- What Credit Monitoring Will VA Offer?
- What Else Is the Department of Veterans Affairs (VA) Doing About the Situation?
- What About the Letter VA Sent?
- News Releases from the Department of Veterans Affairs
What Happened and How Does this Affect Me?
What happened?
In May 2006, VA learned that an employee, a data analyst, took home electronic data from VA that was stored in his home on a laptop computer and external hard drive. He was not authorized to take this data home. This behavior was in violation of VA policies.
The employee's home was burglarized and the computer equipment, along with various other items, was stolen. The electronic data stored on this computer included identifying information for millions of veterans. Authorities believe the computer equipment, rather than any data on it, was the target of the theft. The stolen equipment has been recovered and the Federal Bureau of Investigation (FBI) has determined with a high degree of confidence that information stored on the stolen laptop and external drive was not accessed or compromised.
What do you know about the stolen equipment?
On June 6, 2006, detectives released a model number for the stolen laptop. It is a Hewlett Packard (HP) Pavilion Notebook Laptop. It could be identified as either model number zv5360us or 5300 series. The external hard drive is an HP External Personal Media Drive. Investigators believe that it is possible these items could have been separated. Anyone who purchased a second-hand or used laptop and/or external hard drive with these model numbers after May 3, 2006, is asked to call either the FBI tip line or the Crime Solver line.
The emphasis of the investigation is on the recovery of the items stolen in a residential burglary that occurred on May 3, 2006, in the Aspen Hill area of Montgomery County, Maryland. Anyone who is in possession of this stolen property can turn it in anonymously and become eligible for the reward. Call the FBI Tip Line at 1-800-CALL-FBI.
Print out Reward Flyer to help the FBI locate this computer and data.
What action has been taken against this employee or his supervisor?
The employee is cooperating fully with the investigation. The employee was initially placed on administrative leave, and VA is implementing procedures necessary to dismiss the employee. Also, the official responsible for the organization in which this employee served has resigned his position because of the events.
What information was included?
The data lost is primarily limited to an individual's name, date of birth, and social security number. In some cases, spousal information may have been included. However, this information alone may be useful to identity thieves, and we recommend that all veterans, servicemembers, and reservists be extra vigilant in monitoring for signs of potential identity theft or misuse of this information. Importantly, the affected data did not include any of VA's electronic health records or any financial information.
See June 6, 2006, News Release on New Information Involved in Data Loss
The letter from VA says that the information stolen included disability ratings. What information does that include?
The information stolen did not include any medical information about any veteran, servicemember, or reservist, nor did it include VA's electronic health records. For some veterans who have applied for VA disability compensation benefits and have been determined by VA to have a disability related to their military service, the data may have included the number of service-connected disabilities a veteran has and the veteran's overall disability percentage rating. No other information related to any veteran's disability rating was included.
How do I know if information about me was stolen?
At this point, we do not have information available to confirm the specific individuals whose personal information may have been included in this data loss. VA just recently identified through a data match with the Department of Defense (DoD) that information on approximately 2.2 million servicemembers and reservists was also included on the lost data file. The investigation is ongoing.
Letters were released to the affected individuals beginning on June 3. Because of the number of affected individuals, the letters were released over a period of about two weeks. Those who have been affected should have received a letter by June 15. This timeframe may have varied by a few days based on postal service schedules for mail delivery.
Does this only affect veterans discharged after 1975?
This data loss potentially affected all veterans who have ever filed a claim for VA disability compensation, pension, or education benefits, or who have (or had) a VA insurance policy – no matter when the claim was filed or when they were discharged. These veterans would be included even if their claim was denied or they are not currently receiving benefits.
VA automated its records systems about 1975 and began regular input of information received from DoD on all separating veterans. When VA automated its records systems, VA also input data from all historical claimant records that had been manually maintained by the agency.
We urge all veterans to be extra vigilant and monitor their financial accounts.
Were active-duty and National Guard/Reserve members included?
Working with the DoD, VA has determined that the data stolen on 26.5 million individuals included information on active-duty military personnel. Initially, it was thought that approximately 50,000 active duty, National Guard, and Reserve personnel might have been involved.
However, as the two agencies compared electronic files, VA and DoD learned that personal information on as many as 1.1 million military members on active duty, 430,000 members of the National Guard, and 645,000 members of the Reserves may have been included in the data theft.
VA receives records for every new accession and military enlistee because active-duty personnel and National Guard and Reservists are eligible to receive certain VA benefits, such as GI Bill educational assistance and the home loan guaranty benefit.
We have heard that the stolen computer equipment contained records on 26.5 million veterans. Are the 2.2 million active-duty and guard/reserve members' records in addition to that number?
No, the active duty and guard/reserve individuals are part of the 26.5 million. Through continuing efforts to identify, to every extent possible, what information was included in the data on the stolen computer, VA has determined that active-duty and guard/reserve members were included.
I have never applied for benefits from VA. Do I need to be concerned?
The electronic data on the stolen computer equipment included information from many veterans, servicemembers, and reservists who have never filed for VA benefits or contacted VA. Since the 1970s, VA has received information from DoD on all who served. If you are a veteran, you are encouraged to take steps to protect yourself against identity theft, whether or not you have ever applied for VA benefits. VA is taking steps to notify affected individuals by letter. These letters should have been received by June 15, allowing a few additional days for delivery by the postal service.
I am the spouse, widow, or child of a veteran. Was my information included?
It is unclear whether any spousal or dependents' information has been compromised. However, if this did occur, it appears it would be a very small number of people.
Will I still get my monthly benefit payment?
Yes. There will be no impact on benefit payments.
Have any lawsuits been filed against VA because of the data loss?
Yes. Several lawsuits have been filed against VA pertaining to the data theft. All of these lawsuits have been filed as class actions. VA is currently aware of the following suits filed in U.S. district courts:
- Paul Hackett, et al., v. U.S. Department of Veterans Affairs, et al., Civil Action No. 2:06-cv-114 (WOB) (United States District Court for the Eastern District of Kentucky) (Lead plaintiffs' counsel: Marc D. Mezibov, Esq., Mezibov & Jenkins, Co. L.P.A., 401 East Court Street, Suite 600, Cincinnati, Ohio 45202);
- Michael Rosato, et al., v. R. James Nicholson, Secretary of Veterans Affairs, et al., Civil Action No. 06-3086 (United States District Court for the Eastern District of New York) (Lead plaintiffs' counsel: Joseph H. Weiss, Esq.; Mark D. Smilow, Esq.; and Richard A. Acocelli, Esq., Weiss & Lurie, 551 Fifth Avenue, New York, New York 10176);
- Vietnam Veterans of America, Inc., et al., v. R. James Nicholson, Secretary of Veterans Affairs, et al., Civil Action No. 1:06-cv-01038 (JR) (United States District Court for the District of Columbia) (Lead plaintiffs' counsel: L. Gray Geddie, Esq., and Douglas J. Rosinski, Esq., Ogletree, Deakins, Nash, Smoak & Stewart, P.C., 1320 Main Street, Columbia, South Carolina 29201-3266).
Recovery of Stolen Laptop?
I heard news reports that the laptop computer and hard drive stolen from a VA employee's home were recovered by law enforcement. Is this true?
Yes. On Thursday, June 29, 2006, Veterans Affairs Secretary R. James Nicholson announced that law enforcement authorities have recovered the laptop and external hard drive stolen in early May from a VA employee's home.
Do authorities believe the information was copied or accessed while it was missing?
The stolen equipment has been recovered and the Federal Bureau of Investigation (FBI) has determined with a high degree of confidence that information stored on the stolen laptop and external drive was not accessed or compromised.
What Should I Do?
What should I do to protect myself? Do I have to close my bank account or cancel my credit cards?
The stolen equipment has been recovered and the Federal Bureau of Investigation (FBI) has determined with a high degree of confidence that information stored on the stolen laptop and external drive was not accessed or compromised. VA plans to hire a company to perform data breach analysis, which will look for patterns of misuse of veterans' data to provide additional assurances that no data has been misused. The Department of Veterans Affairs believes it is good practice for all veterans to be extra vigilant and to carefully monitor bank statements, credit card statements, and any statements relating to recent financial transactions, and to immediately report any suspicious or unusual activity.
For tips on how to guard against misuse of personal information, visit the Federal Trade Commission website at http://www.ftc.gov/.
You do not have to close your bank account or cancel your credit cards. You should, however, take steps to protect yourself against identity theft.
One way to monitor your financial accounts is to review your credit report. By law you are entitled to one free credit report each year. Request a free credit report from one of the three major credit bureaus – Equifax, Experian, TransUnion – at www.AnnualCreditReport.com or by calling 1-877-322-8228.
What do you mean by suspicious activity?
Suspicious activities could include the following:
- Inquiries from companies you haven't contacted or done business with
- Purchases or charges on your accounts you didn't make
- New accounts you didn't open or changes to existing accounts you didn't make
- Bills that don't arrive as expected
- Unexpected credit cards or account statements
- Denials of credit for no apparent reason
- Calls or letters about purchases you didn't make
What is identity theft?
Identity theft occurs when your personal information is stolen and used without your knowledge to commit fraud or other crimes.
I haven't noticed any suspicious activity in my financial statements, but what can I do to protect myself and prevent being victimized by credit card fraud or identity theft?
VA strongly recommends that veterans closely monitor their financial statements and review the guidelines provided on this web page (http://www.firstgov.gov/veteransinfo) or call 1 (800) FED INFO (1-800-333-4636).
Should I reach out to my financial institutions or will the Department of Veterans Affairs do this for me?
VA does not believe that it is necessary to contact financial institutions or cancel credit cards and bank accounts, unless you detect suspicious activity.
What is the earliest date at which suspicious activity might have occurred due to this data breach?
The VA employee's home was burglarized and the computer equipment was stolen on May 3, 2006 and recovered on June 28, 2006. If the data has been misused or otherwise used to commit fraud or identity theft crimes, it is likely that affected groups would have noticed suspicious activity beginning in the month of May.
What should I do if I detect a problem with any of my accounts?
The Federal Trade Commission recommends the following four steps if you detect suspicious activity:
Step 1 – Contact the fraud department of one of the three major credit bureaus:
- Equifax: 1-800-525-6285; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241
- Experian: 1-888-EXPERIAN (397-3742); www.experian.com; P.O. Box 9532, Allen, Texas 75013
- TransUnion: 1-800-680-7289; www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790
Step 2 – Close any accounts that have been tampered with or opened fraudulently.
Step 3 – File a police report with your local police or the police in the community where the identity theft took place.
Step 4 – File a complaint with the Federal Trade Commission by using the FTC's Identity Theft Hotline:
- By telephone: 1-877-438-4338
- Online at www.consumer.gov/idtheft
- By mail at Identity Theft Clearinghouse, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington DC 20580.
Where can I get more information?
Please check this web page (http://www.firstgov.gov/veteransinfo) for further updates or call 1 (800) FED INFO (1-800-333-4636).
What are my remedies if my identity is stolen and used illegally?
The Federal Trade Commission has produced a booklet to help you remedy the effects of an identity theft. It describes what steps to take, your legal rights, how to handle specific problems you may encounter on the way to clearing your name, and what to watch for in the future. The contents of the booklet, Taking Charge: Fighting Back Against Identity Theft, are available online at http://www.ftc.gov/bcp/conline/pubs/credit/idtheft.htm.
Can Social Security put a flag on my number?
No, unlike the credit bureaus, the Social Security Administration (SSA) cannot put a flag or security alert of any type on your Social Security number.
To report that someone is using your Social Security number, file a complaint with the Federal Trade Commission by using the four steps outlined above:
- Internet: www.consumer.gov/idtheft
- Telephone: 1-877-IDTHEFT (1-877-438-4338)
Can I get a new Social Security number?
SSA will not issue you a new Social Security number as a precaution, if you are concerned or think your number may have been stolen as part of the VA data theft. SSA assigns a new Social Security number in rare cases, and only if the number holder provides evidence that the old number has been used with criminal or harmful intent and that the misuse has caused the number holder to be subjected to recent economic or personal hardship.
The letter from VA warns individuals to guard against "phishing" efforts and telephone solicitations asking for personal information. What does this mean?
"Phishing" is a term that relates to unsolicited messages that individuals receive on their computers. "Phishers" send an e-mail or pop-up message that claims to be from a business or organization that you may deal with - for example, an Internet service provider (ISP), bank, online payment service, or even a government agency. The message may ask you to "update," "validate," or "confirm" your account information. Some "phishing" e-mails threaten a dire consequence if you don't respond.
The messages direct you to a website that looks just like a legitimate organization's site. But it isn't. It's a bogus site whose sole purpose is to trick you into divulging your personal information so the operators can steal your identity and run up bills or commit crimes in your name.
VA also warns individuals to beware of telephone solicitations by people who claim to be from VA or other trustworthy sources asking you to give personal information or to verify or correct personal information. VA, other government agencies, and legitimate organizations will not contact you to ask for or confirm your personal information.
If you receive such communications, report them to VA through this toll-free number: 1-800-FED-INFO (1-800-333-4636).
If I need a police report to claim identity theft, where do I get that?
Individuals who are victims of actual identity theft should not have a problem filing a local police report about the incident. The Federal Trade Commission advises consumers who are victims of identity theft to get a copy of the police report or at the very least, the number of the report. It can help you deal with creditors who need proof of the crime. If the police are reluctant to take your report, ask to file a "Miscellaneous Incidents" report, or try another jurisdiction, like your state police.
You also can check with your state Attorney General's office to find out if state law requires the police to take reports for identity theft. Check the Blue Pages of your telephone directory for the phone number or check www.naag.org for a list of state Attorneys General.
Information about steps to take if you are a victim of identity theft is available online at www.consumer.gov or by calling the Federal Trade Commission at 1-877-IDTHEFT (1-877-438-4338).
What do I do if the local police won't take a report?
In order to file a police report, you must show you have suffered an actual identity theft or harm due to fraudulent activity or misuse of account information.
If you have experienced identity theft or harm, the Federal Trade Commission (FTC) suggests providing as much documentation as you can to prove your case, including debt collection reports, credit reports, or other evidence of fraudulent activity.
Information about steps to take if you are a victim of identity theft is available online at www.consumer.gov or by calling the Federal Trade Commission at 1-877-IDTHEFT (1-877-438-4338).
The FTC also suggests being persistent if local authorities tell you that they can't take a report. Stress the importance of a police report; many creditors require one to resolve your dispute.
The FTC advises that if you're told that identity theft is not a crime under your state law, ask to file a Miscellaneous Incident Report instead. If you can't get the local police to take a report, try your county police. If that doesn't work, try your state police. Some states require the police to take reports for identity theft. Check with the office of your State Attorney General (www.naag.org) to find out if your state has this law.
Can I get a copy of the police report about the stolen computer and veterans' data?
We do not have access to any police reports or any other investigative reports filed as a result of this incident. The investigations by the police, VA's Inspector General, and the FBI are still ongoing.
What Credit Monitoring Will VA Offer?
Will VA offer free credit monitoring?
Given the FBI's high degree of confidence that the information recently recovered was not accessed or compromised, VA believes that individual credit monitoring will no longer be necessary. As Secretary Nicholson has stated, VA remains unwavering in its resolve to become the leader in protecting personal information, training and educating its employees in best practices, and establishing a culture that always puts the safekeeping of veterans’ personal information first.
While the FBI is highly confident this information has not been accessed, what will VA do to help protect veterans?
Protecting veterans' private information remains a priority for VA. Out of an abundance of caution, and to further safeguard individuals' information, VA will work swiftly to provide data breach analysis.
What is data breach analysis?
Data breach analysis looks across multiple industries to detect patterns of misuse related to a specific data loss. While it is considered highly unlikely by the FBI and law enforcement that this data was accessed, data breach analysis will provide additional assurances.
How will VA pay for data breach analysis?
VA has funds in its budget that can be used for this purpose, and there will be no reduction in the quality of health care and other services provided to veterans as a result of this expenditure.
What Else Is VA Doing About the Situation?
How is information about this incident being shared?
VA is providing as much information as we have about the incident and alerting veterans of the situation. We identified those who may have been affected and provided them more information.
Veterans should continue to monitor this web page (http://www.firstgov.gov/veteransinfo) for further updates.
VA has set up a manned call center that veterans may call to get information about this situation and learn more about consumer identity protections. Concerned veterans may call 1 (800) FED INFO (1-800-333-4636). The call center will operate from 8 am to 8 pm (EDT), Monday-Friday, as long as it is needed. The call center can handle up to 20,000 calls per hour (260,000 calls per day).
When will more information be available?
Beginning June 3, 2006, letters were being sent to all affected veterans. If information about you was included in the data that was stolen, you should have received a letter. Continue to visit this web page for updates. We will also continue to make public service announcements to publicize new information. We continue to urge veterans, servicemembers, and reservists to be vigilant in checking activities on their various accounts.
What will be done to prevent this from happening in the future?
VA has safeguards in place for use and release of private information. VA provides ongoing privacy training to all employees and has directed all VA employees to complete the cyber security and privacy awareness courses by June 30, 2006.
What About the Letter VA Sent?
To whom is VA sending letters?
VA sent individual notification letters to veterans, servicemembers, and reservists whose personal information was included on the stolen computer equipment.
When will the letter go out?
The letters were released over a period of about two weeks, beginning on June 3, 2006.
If I didn't get a letter, does that mean I wasn't affected?
If you did not get a letter, in all likelihood your identifying information was not part of the data that was on the stolen computer equipment.
I have never contacted VA directly. How do you know my address?
VA does not have current addresses for all affected individuals. However, the Internal Revenue Service (IRS) has agreed to forward all the letters to the affected veterans, servicemembers, and reservists. It is important to understand that the IRS has not disclosed your address or any other tax information to VA. VA identified the affected veterans to the IRS. The IRS is releasing the letters for VA.
Can I give you my address to make sure you have it?
We believe that virtually all affected veterans, servicemembers, and reservists will be contacted through the process we have established with IRS. We are therefore not taking addresses by phone.
If you receive VA benefits or have a claim pending and would like to change your address with VA, please contact your local VA regional office by phone at 1-800-827-1000 or in writing. For a directory of VA Benefits and other offices, visit http://www1.va.gov/directory/guide/home.asp.
I'd like to see the letter even though I didn't get one. Can you send it to me?
VA sent the letter to potentially affected veterans, servicemembers, and reservists. A copy of the letter is available online at FirstGov.gov, at http://www.firstgov.gov/veteransinfo_letter.shtml. A copy of the enclosure mailed with the letter is available at http://www.firstgov.gov/veteransinfo_letter/enclosure.shtml.
I got the mailing from VA. However, the envelope was empty (or the mailing was missing the Answers to Frequently Asked Questions enclosure, or the letter from the Secretary was missing). How can I get a replacement copy?
You can access a copy immediately on the Internet at:
If you don't have access to the Internet, please call 1 (800) FED-INFO. We will send you a replacement copy of the letter.
News Releases from Veterans Affairs
View VA News Releases for further background on Veterans Affairs Data Security Issue
