VA Stopped Publishing Breach Reports About Vets’ Data for Nine Months

The department posted the intervening reports after a Nextgov query.

For roughly nine months this year, the Veterans Affairs Department stopped posting online quarterly reports that detail information security breaches affecting veterans.

The department continued to share the quarterly reports with Congress during this period, as it is required to do under the 2006 Veterans Benefits, Healthcare, and Information Technology Act, according to a spokeswoman for the Senate Veterans’ Affairs Committee.

The department failed, however, to post the reports online as had been common practice going back to 2010.

From the first months of 2018 until this Thursday, the most recent quarterly breach report on the department’s Office of Management and Budget reporting page was from the fourth quarter of 2017, according to web archives. The quarterly reports refer to quarters of the government’s fiscal year, which ends in September, not to the calendar year.

After receiving a query about the reports from Nextgov Thursday, the department updated the page, first to display the third quarter 2018 report and then to display reports from the first, second and third quarters of the year.

A VA spokesman did not respond to three separate queries about whether VA had intentionally stopped posting the reports or if the extreme delay in posting the reports was merely an oversight.

The reports are essentially tallies of incidents in which a VA hospital or other VA institution had to send veterans either a notification that their personal data might have been breached or an offer of credit protection.

The number of notification letters rose from 584 during the first quarter of 2018 to 3,596 during the second quarter and dropped to 929 during the third quarter, according to the reports. The number of credit protection letters rose from 1,059 during the first quarter to 1,712 during the second and to 2,566 during the third.

The reports don’t include details about the type or severity of the incidents, which could range from an email credential compromise to a misplaced smartphone with access to some patient information. As a result, it’s impossible to say whether veterans’ information overall was protected better or worse during the course of the year.

For most of the period between 2010 and 2016, VA published quarterly reports listing all incidents in which veteran data might have been compromised along with monthly information security reports that detailed blocked phishing emails, digitally compromised medical devices in VA hospitals and similar data.

The department stopped publishing those detailed monthly reports between May and June 2016, during the final months of the Obama administration, according to web archives.

For most of the Obama administration, the monthly or quarterly reports were frequently accompanied by conference calls with reporters, during which the VA technology chief would describe major security incidents during the month.

Those calls occurred from about 2009 through about 2015, according to reporters who frequently called in.