Asheville hospital e-mail fanned fears of ID theft
STELLA M. HOPKINS
A longtime Asheville veterans hospital employee was stunned to see an e-mail widely distributed this spring that contained 861 co-workers' names and partial Social Security numbers.
Just weeks earlier, the Secretary of the Veterans Affairs Department sternly warned agency leaders that privacy breaches had to stop.
"My reaction was shock and disbelief that they had sent this out to everybody," said the worker, who requested anonymity for fear of job loss. "It was mind-boggling."
The agency says the e-mail, sent to 1,209 Asheville VA employees, wasn't a privacy lapse because it was in-house and revealed only the last four digits of workers' Social Security numbers. Privacy experts disagree.
"If you have to spend a few extra minutes to get the first five digits of the Social Security number, it's worth it to someone who is up to no good," said Evan Hendricks, editor of Privacy Times. "It's very lucrative."
The hospital's education coordinator sent the March 24 e-mail about three mandatory training courses, according to a copy obtained by the Observer. The courses covered privacy policies and related issues -- hot topics after the VA's big data loss last year involving records of 26 million veterans.
The Asheville e-mail included attachments listing employees.
"Because it's in-house does not make it any safer," said Jay Foley, executive director of the Identity Theft Resource Center in San Diego. "Do you trust everybody you work with, trust them absolutely?
"Someone may be doing drugs and need money ... Someone may have a grudge against you."
The VA said the e-mail wasn't a breach, but it was "quickly retracted." The agency says it used the Microsoft Outlook "recall" function. Recall only works if message recipients are signed on when a message is sent, according to a Microsoft spokeswoman. In this case, that was a Saturday afternoon.
In addition, messages have to be unread and still in the "Inbox."
"The message was recalled because this ... message should have been sent only to individual supervisors," Karen Fedele, a VA spokeswoman, said. When asked if the employee who sent it was disciplined, she said he "was counseled about this incident."
She also said there were "no reports of inappropriate access" to medical or personnel files.
In many data breaches, a would-be ID thief has to know the stolen laptop or other device contains personal information and also be able to access it. The Asheville e-mail made personal data easily accessible to many.
"E-mail is one of the most insecure forms we have around," said Pam Dixon, executive director of the World Privacy Forum in San Diego. "You can't guarantee that everyone who works in an organization of this size is a good apple."
Stella Hopkins: 704-358-5173