An audit by the Department of Veterans Affairs Office of Inspector General (VA OIG) found that internal communications, disability claims data, and medical data belonging to an unknown number of veterans had been exposed internally and may have been viewed by VA employees who were not authorized to access that information.
The VA OIG audit of the VA's Milwaukee Regional Office was prompted by a September 2018 tip from a whistleblower, who reported that sensitive information was being stored on shared network drives that employees without a need to know could access.
In January 2019, VA OIG auditors visited the Milwaukee office and confirmed the allegation. Sensitive information was stored on two shared drives on the VA enterprise network, and those drives were accessible to veterans service organization (VSO) officers, including officers who did not represent the veterans whose records they could read.
The auditors also established that any Veterans Benefits Administration (VBA) employee with authorization to access the VA network remotely could have opened the files on the shared drives, which means roughly 25,000 VBA personnel potentially had access.
The records on the drives included veterans' names, addresses, dates of birth, phone numbers, disability claims data, and other highly sensitive personal information. Some of the files dated back to 2016. VA OIG did not state how many veterans were affected.
The failure to restrict access to this information violated HIPAA and VA policy, both of which require technical, administrative, and physical controls to protect veterans' privacy. Because the exposure was not limited to the Milwaukee Regional Office, the OIG treated it as a national concern.
The OIG attributed the exposure to three causes: VBA employees who, knowingly or carelessly, stored sensitive data on the shared drives in violation of VA policy; inadequate technical controls that did not prevent users from saving sensitive data to the drives; and inadequate oversight, so that sensitive data already on the drives was not identified and removed.
Because access was limited to internal users, the VA's Data Breach Response Service concluded that the incident did not meet its definition of a data breach and that the information had not been placed at unnecessary risk, so no notification letters were sent to the veterans whose privacy may have been violated.
VA OIG, by contrast, stated in its report that veterans exposed to unauthorized disclosure and misuse of their sensitive personal data may be at risk of fraud and identity theft.
VA OIG recommended remedial training for users on the proper handling of sensitive data and on what may be stored on shared network drives. It also recommended technical controls to ensure that veterans' sensitive information cannot be saved to shared network drives, and oversight processes to identify and remedy failures by VA staff to follow federal regulations and VA policy.
The report concluded that until VA officials act to counter user negligence, implement technical controls that stop users from storing sensitive personal data on shared network drives, and establish oversight processes that adequately monitor those drives, veterans' sensitive personal data remains at risk.
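The oversight control the OIG recommends, a periodic sweep of shared drives that flags files containing the kinds of data named in the report so the drive owner can remove them, is illustrated below. This is an added example written for this page, not code from the VA, VBA, or VA OIG. The indicator patterns, the file extensions it opens, the size limit, and the sample files are all assumptions; every name, number, and date in the sample share is constructed and fake.

```python
"""Sweep a shared network drive for files that appear to hold veterans' PII.
Added example, not VA, VBA or VA OIG code; patterns and limits are assumptions."""
import re
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# Assumption: the shares hold plain-text exports and CSVs. Binary formats
# (PDF, DOCX, XLSX) would need a text extractor before this scan applies.
TEXT_EXTENSIONS = {".txt", ".csv", ".log", ".md"}
MAX_BYTES = 5 * 1024 * 1024  # assumption: skip very large files in this pass

# Indicators of the data classes named in the OIG report. The phone pattern
# uses lookarounds instead of \b so "(414) 555-0134" after a comma still hits.
PATTERNS = {
    "ssn": re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b"),
    "dob": re.compile(r"\b(?:DOB|date of birth)\s*[:=]\s*\d{1,2}/\d{1,2}/\d{4}\b", re.IGNORECASE),
    "phone": re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}(?!\d)"),
    "claim": re.compile(r"\bclaim\s*(?:#|number|no\.?)\s*[:=]?\s*\d{6,}\b", re.IGNORECASE),
}

def plausible_ssn(m: re.Match) -> bool:
    """Reject structurally invalid SSNs (area 000/666/9xx, zero group or serial)
    so ticket and build numbers do not flood the report with false positives."""
    area, group, serial = (int(x) for x in m.groups())
    return area not in (0, 666) and area < 900 and group != 0 and serial != 0

@dataclass
class Finding:
    path: str                                   # relative to the share root
    counts: dict = field(default_factory=dict)  # pattern name -> hit count

    @property
    def score(self) -> int:
        return sum(self.counts.values())

def scan_text(text: str) -> dict:
    """Return {pattern_name: hits} for one file's contents; empty dict if clean."""
    counts = {}
    for name, rx in PATTERNS.items():
        hits = list(rx.finditer(text))
        if name == "ssn":
            hits = [m for m in hits if plausible_ssn(m)]
        if hits:
            counts[name] = len(hits)
    return counts

def scan_tree(root) -> list:
    """Walk the share; return one Finding per file with hits, worst file first."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in TEXT_EXTENSIONS:
            continue
        if path.stat().st_size > MAX_BYTES:
            continue
        counts = scan_text(path.read_text(encoding="utf-8", errors="replace"))
        if counts:
            findings.append(Finding(path.relative_to(root).as_posix(), counts))
    return sorted(findings, key=lambda f: f.score, reverse=True)

def report(findings) -> str:
    """Plain-text list for the drive owner: score, path, per-pattern counts."""
    if not findings:
        return "no files with sensitive-data indicators found\n"
    return "".join(f"{f.score:4d}  {f.path}  {f.counts}\n" for f in findings)

# Constructed sample share; every name, number and date below is fake.
SAMPLE_FILES = {
    "VSO/claims_export_2016.csv": (
        "name,ssn,dob,phone,claim\n"
        "Jane Doe,123-45-6789,DOB: 04/02/1970,(414) 555-0134,Claim # 12345678\n"
        "John Roe,234-56-7890,DOB: 11/30/1965,414-555-0199,Claim # 87654321\n"
    ),
    "VSO/meeting_notes.txt": "Quarterly VSO meeting agenda; room 204; no claimant data.\n",
    # Invalid SSN areas (000, 999): must NOT be reported (false-positive check).
    "IT/build.log": "ticket 000-00-0000 rejected; build id 999-12-3456 ok\n",
}

def build_sample_share(root) -> None:
    """Write the constructed files under root, creating subfolders as needed."""
    for rel, body in SAMPLE_FILES.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")

def demo() -> list:
    """Create the sample share in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_share(tmp)
        return scan_tree(tmp)

if __name__ == "__main__":
    print(report(demo()), end="")
```

Run as a script, the sweep flags only the claims export and leaves the build log alone, because the structural SSN check discards the 000- and 999-area numbers. On a real share the scan would be scheduled, pointed at the mounted drive root, and its report routed to the drive owner with a deadline for removal; pattern matching of this kind is a detective control and does not replace a preventive control that blocks the save in the first place.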
The VA's Assistant Secretary for Information and Technology concurred with the recommendations.