A report published by the Department of Veteran Affairs’ Office of Inspector General (VA OIG) audit has revealed that Internal Department of Veteran Affairs (VA) communications, disability claims, and the health information of thousands of veterans have been exposed and could possibly have been accessed by VA employees authorized to view the data.
VA OIG completed an audit of the VA’s Milwaukee Regional Office following a call from a whistleblower in September 2018 in relation to the exposure of sensitive information on shared network drives, which the whistleblower said could be accessed by employees unauthorized to view the data.
VA OIG audit went to the Milwaukee offices in January 2019 and confirmed that sensitive data had been stored on two shared network drives on the VA Enterprise network, which could be logged onto by veterans service organization (VSO) officers, even if those officers did not act for those veterans.
The auditors ruled that any Veterans Benefits Administration employee who had authorization to log onto the VA network remotely could have accessed the files stored on the shared drives. That means around 25,000 VBA employees could have logged onto the drives.
The files stored on those drives included information like veterans’ names, addresses, dates of birth, contact telephone numbers, disability claims information, and other highly sensitive and confidential data. Some of the files on the network drives dated back to 2016. VA OIG did not reveal how many veterans have been affected by the security flaw.
The failure to control access to the records was a violation of HIPAA and the VA’s policies, which require administrative, technical, and physical safeguards to be configured to protect the privacy of veterans. The exposure of data was not restricted the Milwaukee regional office and was therefore classed as a national problem.
The privacy breach was put down to failures in three different areas: Knowing or inadvertent negligence by VBA staff who stored sensitive information on the network drives in violation of VA policies; a lack of technical controls to stop “negligent individuals” from using the drives to store sensitive data, and a lack of oversight, which meant sensitive information held on the drives was not identified and deleted.
As the data was only accessible internally, the VA’s Data Breach Response Service did not class the exposure as a data breach and notifications to veterans whose privacy has potentially been breached were not warranted because their data was not placed “at unnecessary risk.”
VA OIG stated: “Veterans are at significant risk of unauthorized disclosure and misuse of their sensitive personal information. This has the potential to expose veterans to fraud and identity theft.”
VA OIG has advised that the assistant secretary for information and technology and the undersecretary for benefits conduct remedial training to users on the correct handling of sensitive information and storage of information on shared network drives. VA OIG also advised that technical controls should be configured to ensure that the sensitive information of veterans cannot be stored on shared network drives. Oversight procedures are also obligated to ensure any failures by VA staff to abide by federal laws and VA policies are identified and amended.
VA OIG in the report said in the report: “Until VA officials take steps to guard against user negligence, implement technical controls that prevent users from storing sensitive personal information on shared network drives, and issue oversight procedures to adequately monitor shared network drives, veterans’ sensitive personal information remains at risk.”
The assistant secretary for information and technology agreed with the guidance.