The department said the external drive, which was used to back up an employee's computer at the Birmingham VA Medical Center, was reported missing on January 22 and may have been stolen. The VA's Office of Inspector General opened an investigation one day after hearing of the breach and notified the FBI.
"We intend to get to the bottom of this, and we will take aggressive steps to protect and assist anyone whose information may have been involved," VA Secretary R. James Nicholson said in a press release Friday.
The VA's Office of Information and Technology is doing its own review, and the employee computer for which the back-up drive was typically used is undergoing analysis for clues about what the hard drive may have contained.
Rep. Spencer Bachus (R-Ala.), whose district includes Birmingham, said his office's initial indication was that as many as 48,000 records may have been compromised, with as many as 20,000 not encrypted. A VA spokesman said he could not confirm that number because the investigation was still in process. He said the department currently has no indication that any personal information was used improperly but is prepared to offer assistance to anyone found to have been affected by the breach.
The episode follows the high-profile theft last May of a laptop and an external hard drive that housed sensitive information about more than 26 million veterans and active military personnel. The equipment, pilfered from the Maryland home of a VA employee, was ultimately recovered and two teens were arrested in connection with the incident in August.
The VA also investigated reports last August of a theft of a desktop machine from the Reston, Va., offices of Unisys, a subcontractor hired to assist with insurance collections for VA medical centers in Pennsylvania. The agency estimated that the computer contained information on about 38,000 veterans, including 2,000 who were deceased.
Incidents at the VA and other federal agencies have prompted calls for better data security practices from Congress. After the first theft, the VA announced a multistep plan, including installing encryption software on all of its laptop and desktop machines.
