The Department of Veterans Affairs Office of Inspector General (VA OIG) has investigated alleged veterans' privacy violations at the Palo Alto Health Care System.
In October 2014, the House Committee on Veterans' Affairs forwarded a complaint to the OIG regarding potential policy and privacy violations by the Palo Alto Health Care System's (PAHCS) Chief of Informatics, who was alleged to have entered into an illegal agreement with an IT vendor.
Sensitive patient data was allegedly handed over to the vendor, an IT firm called Kyron, taking the data beyond the control of PAHCS and outside its firewall. The data allegedly transferred included highly sensitive veteran data classed as Protected Health Information (PHI) under HIPAA and as Personally Identifiable Information (PII).
Furthermore, the data was allegedly handed over to Kyron before PAHCS had conducted background checks on the IT company's staff, potentially putting patient privacy at risk. The data had also apparently been loaded into Kyron's data extraction software before the software had been approved by VA information security officers.
Veterans Privacy Violations Discovered
The investigation into the alleged veterans' privacy violations revealed that a number of errors of judgment had been made. These errors potentially placed veterans' data at risk, although not all of the allegations were substantiated.
VA OIG investigators did not find evidence to substantiate the claim that the PAHCS Chief of Informatics had actually entered into an illegal agreement with Kyron, nor did they confirm that data had been transferred outside the VA firewall. Data was supplied to the vendor, but it had first been de-identified and remained at all times behind the VA firewall.
The vendor had been contracted to test its data extraction software on a VA server, creating patient profiles from a sample of de-identified data. The aim of the test was to improve the efficiency of data searches and data retrieval functionality, which it was hoped would ultimately lead to improvements in the provision of healthcare services to veterans.
However, the VA OIG did determine that a full and thorough risk assessment of Kyron's software had not taken place before the data was shared, and that background checks had not been performed on Kyron employees before they were given access to the data. PAHCS also failed to provide Kyron's staff with data privacy and security awareness training.
According to the OIG report, “Information Security Officers (ISOs) failed to execute their required responsibilities in accordance with VA Handbook 6500, Information Security Program, by not providing PAHCS management and staff guidance on information security matters.”
As a result of the investigation, the OIG made a number of recommendations:
- The Palo Alto Health Care System must conduct a full risk assessment of Kyron’s software to identify any potential security vulnerabilities that could jeopardize the privacy of VA patient data.
- The VA Assistant Secretary for Information and Technology must implement controls to prevent unauthorized software from being installed on VA servers, unless a formal risk assessment has first been completed and approval gained to run the software.
- PAHCS must conduct background checks on Kyron's staff and obtain authorization from the VA's Assistant Secretary for Information and Technology to use Kyron's software on VA servers.
- PAHCS must ensure that Kyron staff members are trained on security awareness and must obtain a signed copy of the VA’s Contractor Rules of Behavior.
The full VA OIG report on PAHCS can be downloaded here.