Veterans Affairs Secretary Jim Nicholson accepted responsibility Thursday for the theft of personal information for 26.5 million military personnel and veterans.
But in doing so, Nicholson also told Congress that improving security measures won't happen overnight.
"I am totally outraged as to this loss of this data and the fact that an employee will put veterans at risk," Nicholson told the House Committee on Government Reform. "But it is my responsibility now to fix this. It is doable. It won't be easy and it won't be overnight because we will have to change the culture."
He pledged several new initiatives to protect private information, saying he ordered that no personal laptop would be allowed to access the VA network after the May 3 theft at a VA data analyst's home.
"We remain hopeful this was a common random theft and that no use had been made of this data," Nicholson said. "However, certainly we cannot count on that."
Congress is trying to determine whether the VA took proper steps to guard against the unauthorized disclosure of personal information. In a March report card, the VA was one of eight departments given failing grades by the committee for computer security practices.
Rep. Tom Davis, chairman of the committee, also said he wants to know why the VA is still trying to figure out what information was lost after the records were stolen from the data analyst's Aspen Hill, Md., home on May 3. "The bond of trust owed to those who served has been broken," he said.
Nicholson acknowledged on Tuesday that the stolen data — which was stored on the employee's personal laptop — included personal information on about 2.2 million active-duty military, Guard and Reserve personnel. The agency originally said over the weekend that the number was 50,000.
During the hearing, Rep. Henry Waxman, D-Calif., said the VA had no excuse for the theft after repeated warnings about its security problems.
"The administration needs to provide the public with a thorough accounting," he said. "Its delayed response may have made millions of men and women who previously and currently serve in a uniform vulnerable to identity theft. I hope this hearing is not another wake-up call that is ignored."
Veterans groups have criticized the VA for a three-week delay in publicizing the burglary. The VA initially disclosed the burglary May 22, saying it involved the names, birth dates and Social Security numbers — and in some cases, disability codes — of veterans discharged since 1975.
Since then, it has also acknowledged that phone numbers and addresses of many of those veterans also may have been included.