Veterans Administration – Failure to encrypt data
According to an internal watchdog, the Veterans Affairs Department has been routinely transferring veterans' personal data, including medical information and Social Security numbers, through unprotected Internet connections, leaving the information exposed to hackers and fraud. According to the IG, the data exchanged across unencrypted networks by the VA Office of Information Technology (OIT) included the names of veterans and their dependents, Social Security numbers, dates of birth, and protected health information.
According to the article, senior officials granted exemptions from security rules to allow unencrypted transmissions. The failure to safeguard the information violated the VA's own security policies as well as provisions of the American Recovery and Reinvestment Act of 2009, which required "the encryption of electronically transmitted health information." The database holding all of these details was stolen after the Veterans Administration failed to encrypt the records of 26.5 million veterans, military personnel, and their families in 2006. To make matters worse, the unencrypted data was left on a laptop and an external hard drive, resulting in not only a massive public outcry but also projected expenditures ranging from $100 million to $500 million (£400 million).
Cost: £400 million