In response to the first laptop theft, the VA instituted an encryption requirement for medical and identification information on laptops; however, the Texas laptop was not encrypted, according to Buyer, the senior Republican member of the House Veterans' Affairs Committee. The VA notified the House of the theft on April 28, the letter states.
"It is apparent to me that the details of these breaches clearly indicate that the VA lacks focus on its primary responsibility of protecting veterans' personal information," Buyer wrote.
The laptop belongs to a contractor that has contracts with 13 of the VA's 23 regional service networks, the letter states. A review of the company's 69 contracts shows that 25 of them did not include an information security clause, the letter adds.
"I can only conclude form this incident that VA's procurement processes seriously lack standardization in content, failure to articulate requirements, and an absence of compliance oversight," Buyer also wrote.