WASHINGTON (AP) – Veterans Affairs officials wasted millions on a $100 million computer security contract that became a virtual “open checkbook” because of poor oversight and sloppy management, an internal review says.

The audit by the VA inspector general brings renewed attention to problems of data security and contract management after the department faced blistering criticism for its loss last May of personal information about nearly 26.5 million veterans.

It found that the VA put out multiple and inconsistent changes to the contract awarded in 2002 to VAST, a small business joint venture based in Texas, for computer service work aimed at fending off computer hackers.

Saying the VA needed a culture change, Maureen Regan, counselor to the VA inspector general, said in an interview Wednesday that the department faced serious “management challenges” in addressing how it handles contracts and seeks to protect sensitive data.

Only after last May’s data theft did the VA begin to centralize its information technology systems to improve oversight. The data in that case was eventually recovered.

Now the department is going through extensive training to inform staff of the proper protocols in encrypting data and taking sensitive information out of the office, Ms. Regan said. But the department has yet to fully implement any of the inspector general’s recommendations on data security from reports dating back to 2001.

On another front, the VA continues to struggle with growing backlogs in its disability claims, with added strains in the coming months and years as thousands of troops return home from Iraq and Afghanistan.

“There’s a lot of work to be done,” Ms. Regan said.

In the report, the VA generally agreed with the findings. It said it has created contract review boards to help improve oversight and will seek to recoup lost or unaccounted for payments.

“VA is committed to being a good fiscal steward of taxpayer dollars in carrying out our important mission of serving veterans,” spokesman Matt Burns said.

According to the findings, the VA:

_Spent more than $35 million for equipment and supplies under the contract that it cannot account for.

_Hastily increased the scope of the contract several times, bringing the total value of the contract from $102.8 million to $250 million with little thought or oversight. “This made the contract an open checkbook … with little assurance of price reasonableness and no planned funding.”

_Did not ensure that the joint venture, VAST, met requirements to qualify as a small business.

_Made overpayments on the contract as high as $8.5 million.

_Did not conduct required background investigations on the contract employees.

In addition, because the department spent money on the contract so quickly, it was left temporarily without a defense against hackers after the 10 year contract was allowed to expire prematurely in 2005.

In recent weeks, VA officials have faced a fresh round of bipartisan criticism over data security, with auditors telling Congress that gaping holes persist and that most VA data remains unencrypted.

The IG report was publicly released Feb. 26 and first noted Tuesday by McClatchy newspapers.

___

On the Net:

Copy of the report:

http://www.va.gov/oig/52/reports/2007/VAOIG-04-03100-90.pdf

Department of Veterans Affairs: http://www.va.gov/