WASHINGTON D.C. STATE VETERAN SUIT SEEKS $535M IN DAMAGES IN COMPUTER SECURITY BREACH : State veteran sues over data Suit seeks $535 million in damages for VA breach in computer security

Web-Blog Editor Comments: These are the type of news items that are going to highlight the enormous risks involved whenever there is a major data theft issue. These spiraling costs, to institutions and corporations, accused of not protecting personal data, will soon be front and center.

WASHINGTON - An Alabamian suing the Department of Veterans Affairs over missing computer data said he called the VA's hot line about the incident and was told the VA didn't know if he was among the 535,000 whose personal information was compromised.

They recommended he run a check on his credit just in case.

Greg Fanin, a staff sergeant in the Alabama National Guard, alleges the VA was warned that its information security systems were weak and failed to strengthen them. He is now asking a federal court to hold VA responsible for violating laws on privacy and information security management. The lawsuit asks for a minimum of $1,000 in damages for every person affected, which would be $535 million for the veterans.

The missing hard drive also contained data on 1.3 million doctors and other health care providers.

A spokesman for the VA in Washington said the agency was unable to comment on pending litigation.T

he lawsuit, potentially a class action representing the 535,000 veterans, was filed in February in federal court in Birmingham.

The Birmingham VA Medical Center learned Jan. 22 that an employee's hard drive was taken from a secure storage facility at his Five Points South office.

It contained personal, financial and medical data on up to 1.8 million people. The employee who reported the missing equipment is on administrative leave, and the FBI is offering a $25,000 reward for the hard drive.

It was the second major data breach of VA information in the last year and one of 46 incidents under investigation by the VA's inspector general.

A hearing before Congress on Wednesday revealed longstanding and widespread shortcomings in protecting personal information at VA facilities around the country.

Fanin's lawsuit noted that the Government Accountability Office and Congress have been critical of VA systems for years.

The VA has ''been repeatedly informed of recurring, systemic and fundamental deficiencies in its information security, but failed to effectively respond,'' the lawsuit alleges. It also names VA Secretary Jim Nicholson and Chief Information Officer Robert Howard as defendants.

Howard testified before the House Veterans Affairs subcommittee Wednesday that the VA is reorganizing its information and technology offices to correct ''deficiencies that resulted in a loss of standardization, compatibility, interoperability and fiscal discipline.''

Fanin, the plaintiff, was on active duty with the Alabama Guard in Iraq in 1990-91, Jordan in 2003, Qatar in 2004 and Iraq again last year. He was treated at VA medical facilities 10 to 15 times since November 2001, according to the court filing.

Efforts to reach his attorneys for comment Thursday were unsuccessful.

The VA started sending out letters the week of Feb. 12 to veterans whose personal information may have been stored on the missing hard drive. In that letter, veterans were advised to contact a credit monitoring service to look for signs of identifytheft or financial fraud.

It also provided a call center for veterans to ask questions about the incident, at 877-894-2600 or 205-558-7016 from 8 a.m. to 8 p.m. Central time, or by e-mail at . EMAIL:

March 3, 2007