Rolling out new software to a few thousand users is an involved process for any organization. But installing software that affects hundreds of thousands of PCs as part of a response to a data breach while under embarrassing scrutiny is a task that would challenge even the most well-managed IT departments. And, apparently, the Office of Information Technology (OIT) at the Department of Veterans Affairs' answer to that challenge was to sweep it under the rug.

After removable hard disks containing unencrypted personal identifying information of 26 million military veterans were stolen from the home of a VA employee in 2006, then-Secretary of Veterans Affairs R. James Nicholson mandated that the VA's Office of Information Technology install encryption software on all of the department's notebook and desktop computers. But while the VA purchased 400,000 licenses for Symantec's Guardian Edge encryption software, more than 84 percent of those licenses—worth about $5.1 million, including the maintenance contracts for them—remain uninstalled, a VA Inspector General's audit has found.

The VA's OIT purchased 300,000 licenses and maintenance agreements for Guardian Edge in 2006 and continued to pay for maintenance on those licenses for the next five years. And in 2011, the VA purchased 100,000 more software licenses from Symantec and extended maintenance on all 400,000 licenses for two years.

But during this period, the OIT only installed Guardian Edge on 65,000 of the agency's PCs. Between 25,000 and 30,000 laptops received the software by September of 2006—the exact number is unknown, because there were no installation records kept dating back that far—but a further roll-out of the software to desktop computers was stopped because OIT "encountered incompatibility issues between the different makes and models of VA desktop computers and the encryption software," the Inspector General reported. "OIT discontinued installation of the encryption software until OIT could upgrade and standardize VA’s computer equipment."

That never happened. As of August, VA's OIT was still trying to figure out whether the encryption software would be compatible with existing PCs, and it still has no plans to finish installation. "OIT did not make time to test the encryption software to ensure compatibility with VA computers," the Inspector General found. "It lacked sufficient human resources and did not monitor the project to ensure complete installation and activation of the encryption software licenses."