The employee from whom the laptop was stolen was not authorized to take VA data to his home.
The employee -- who is not named in the report -- told investigators that most of the data was for a "fascination project" that "he self-initiated and worked on at home during his own time."
He had started the project in response to criticism about the reliability of the 2001 National Survey of Veterans and was trying to identify 7,000 veterans who participated in the survey to compare the accuracy of their responses with information in VA files. He acknowledged that he took the data's security for granted and did not protect the files with encryption or with passwords.
Opfer's report concluded that "the employee used extremely poor judgment." But it also pointed out that VA managers knew little about the employee's work. "It was not clear who actually supervised him," the report said.
The VA failed to quickly determine the scope of the problem.
Two days after the theft, a VA information security officer interviewed the employee. He found the employee "flustered" and "going in so many directions he could not take good notes." The officer told the employee to provide an account in writing.
Once the officer got the employee's statement, he drafted a "white paper on lost data" that he e-mailed to Dennis Duffy , a career federal manager, and Michael McLendon, a political appointee. McLendon rewrote the employee's report and, without consulting the employee or a programming expert, incorrectly said that a statistical software program would make it difficult to access the data.
No one on the senior staff ever followed up and interviewed the employee.
Office politics were part of the problem.
McLendon did not inform Duffy, his supervisor, when he learned of the theft. "Mr. Duffy said that Mr. McLendon had a very strong belief that, as a political appointee, he reported in some fashion to the secretary and that there was no need for a 'careerist' to supervise him. Mr. McLendon characterized the office as one of the most dysfunctional organizations in VA, and that it was one of the most hostile work environments he ever worked in."
Duffy told investigators that he knew the VA had a responsibility to mitigate any harm to veterans but also knew how the VA operated: "They do not do crisis management." He expressed regret that he "failed to recognize the magnitude of the whole thing."
Duffy has retired and McLendon has resigned. In the wake of the data loss, Duffy has retired and McLendon has resigned, according to the VA.