The U.S. Department of Veterans Affairs (VA), which suffered a data breach affecting 26.5 million people in 2006, has agreed to pay $20 million to veterans affected by the breach.
The VA data breach of 2006, which was listed as one of the 10 largest data breaches since 2000 and as one of the worst breaches ever, was the result of a computer going missing from the home of an employee, who had taken the computer home without permission. The computer contained insurance claim data (including Social Security Numbers and insurance information) for 26.5 million active duty troops and veterans, leaving them open to identity theft and fraud.
The FBI was able to recover the equipment and apprehended the thieves; the VA found no evidence that data had been compromised. The VA Inspector General faulted the data analyst and his supervisors for putting veterans at unreasonable risk. A series of delays after the employee notified his superiors meant that affected veterans were not told about the breach until 3 weeks later.
Five veterans' groups filed a class-action lawsuit against the VA alleging invasion of privacy. The lawsuit sought $1000 in damages for violations of privacy for each of the military personnel affected. This would have amounted to $26.5 billion in damages.
In court filings on Tuesday, lawyers for the VA and the veterans represented in the suit agreed to settle the lawsuit for $20 million. VA spokesman Phil Budahn said in a statement after the settlement:
"We want to assure veterans there is no evidence that the information involved in this incident was used to harm a single veteran."
The money for the settlement will come from the U.S. Treasury and will go to veterans who can show they suffered "actual harm" (physical symptoms of emotional distress or expenses) as the result of the breach. I'll be curious to see how they determine the 'proof' of these items. Each veteran will receive $75 - $1500 upon proving their suffering. Any remainder of funds will be donated to veterans' charities. U.S. District Judge James Robertson must approve the terms of this settlement before it becomes final.
In November of 2007, the VA suffered a smaller breach, affecting 12,000, after 3 computers were stolen. They have suffered other data breaches, affecting up to 1.8 million, several times since 2006. Let's hope this settlement means that the VA is truly accepting responsibility for the data breach suffered in 2006.