Update: Unisys contractor arrested in VA theft

Authorities have charged a 21 year-old Unisys Corp. subcontractor with stealing a desktop computer with billing information on as many as 38,000 U.S. Department of Veterans Affairs medical patients.

Khalil Abdulla-Raheem, of Washington, D.C., was charged Wednesday with theft of government property. He is the employee of an unnamed company that "provides temporary labor to Unisys," according to a statement released by the Veterans Affairs (VA) department's Office of Inspector General.

The computer was stolen in late July from Unisys's Reston, Virginia, offices. It contained records on about 16,000 living patients who had received treatment at VA medical centers in Philadelphia and Pittsburgh, as well as information on another 2,000 who are deceased. Data on an additional 20,000 patients may have been stored on the computer, according to the VA.

The VA said that these records may have contained Social Security numbers, addresses, and insurance information. The U.S. Federal Bureau of Investigation (FBI) is now analyzing the computer to determine whether this information has been compromised, but investigators do not believe that Abdulla-Raheem was after the VA data.

This is the second of two major data breaches at the VA this year. In May, personal information on about 26.5 million veterans was compromised when a laptop and external hard drive were stolen from a VA analyst's home. Authorities have arrested two teenagers in connection with that theft and the FBI has concluded that the sensitive information was untouched.

Still, the data in question was unencrypted in both of these incidents, and the VA, which has regularly scored failing grades in the Federal Government's annual computer security scorecard, has been blasted for its handling of the matter.

The department's Inspector General published a report in July citing policy failures and a lack of supervision in the May incident, and called for the VA to adopt a clear policy for safeguarding sensitive data.

With data notification laws pushing data breaches into the public eye, PC encryption has become a priority for many IT departments.

In fact, laptop encryption will top a list of the ten most important security trends for 2007, due to be released on October 1 by the SANS Institute, a computer security training organization.

"Every major organization is moving forward to buy and deploy encryption products," said SANS Director of Research Alan Paller, in an e-mail note sent Thursday. "The reason is that top management is adamant about not facing personal embarrassment because of lost sensitive data."

Abdulla-Raheem was released on bail Wednesday and is due back in federal court for a preliminary hearing on October 3.

Unisys has offered a US$50,000 reward for information leading to the recovery of the PC. So far, nobody has come forward to claim the money, according to Lisa Meyer, a Unisys spokeswoman.

Unisys had not encrypted the data on the stolen PC because this was not required by the VA, but the company is now taking a second look at this policy, Meyer said. "An event like this causes us to reexamine everything we're doing," she said.