Such were the findings revealed in a report issued Tuesday by the VA's Office of Inspector General that addressed the laptop's May 3 theft from the Aspen Hill, Md. residence of a department employee.
The stolen laptop and external hard drive were turned in to the FBI on June 28, and authorities do not believe thieves accessed any of the personal data, which was not encrypted.
The report heavily criticized VA security professionals for delays in interviewing the employee who lost the laptop and notifying other VA officials about the incident.
"At nearly every step, VA information security officials with responsibility for receiving, assessing, investigating or notifying higher-level officials of the data loss reacted with indifference and little sense of urgency or responsibility," the report said.
The inspector general's findings also accused one of those security officials – Deputy Assistant Secretary for Policy Michael McLendon – of making revisions to an incident report to smooth over the event's severity.
"Our review of Mr. McLendon's revisions determined that his changes were an attempt to mitigate the risk of misuse of the stolen data," according to the report. "He focused on adding information that (stated) most of the critical data was stored in files protected by a statistical software program making it difficult to access. This, however, was not the case because we were able to display and print portions of the formatted data without using the software program."
The report also found that the VA lacked sufficient security controls, concluding that "VA policies, procedures and practices do not adequately safeguard personal or proprietary information used by VA employees and contractors."
At the time, the agency did not have any rules against taking home personal data or storing confidential information on personal computers, the report revealed.
Since the theft, VA Secretary R. James Nicholson has promised sweeping measures to prevent a similar incident from occurring in the future.
Changes include the shake-up of personnel in the Office of Policy and Planning, where the breach occurred; hiring a prosecutor to serve as an information security adviser; completing a cyber-security awareness training program for employees; conducting an inventory of all positions that have access to sensitive data; and reviewing all laptops to ensure up-to-date security software.