VA Exposes Sensitive Veteran Data to Thousands of Unauthorized Employees

Terrance HT Ip/Shutterstock

Featured eBooks

Digital First
What’s Next for Federal Customer Experience
Cloud Smarter

The files included medical records, internal communications and other sensitive information dating back to 2016, the inspector general found.

A regional office of the Veterans Affairs Department mishandled its patients’ personal data, leaving medical records, internal communications and other sensitive information accessible to thousands of unauthorized agency personnel, according to an internal watchdog.

According to the VA inspector general, the agency’s Milwaukee regional office was storing personally identifiable information on its patients in two shared drives on the Veterans Benefits Administration’s enterprise network. The security lapse, first flagged by a whistleblower in September 2018, left the data exposed to more than 25,000 remote users across the country, many of whom had no need to access the information, auditors found.

The files stored on the network drives included “medical records, correspondence about medical examinations and disability claims decisions, and veterans’ statements in support of their claims,” the IG said, as well as patients’ names, addresses, birthdays and phone numbers. Some of the files dated back to 2016. 

“The inadequate protection of sensitive personal information places veterans’ data at risk and could undermine the credibility of VBA and [veteran service organizations] in positions of trust,” they said in a report published Thursday. “Veterans should have confidence that their sensitive personal information is handled strictly in accordance with federal laws and VA regulations.”

Though the security lapse “did not meet the criteria for a data breach,” the IG said it did put the information “at unnecessary risk.” In the report, auditors didn’t specify how many veterans had their data exposed.

Investigators found the slip-up stemmed from a combination of user negligence, poor technical controls and insufficient oversight on behalf of the agency. 

VA regulations require that employees responsible for patient information and agency systems work together to ensure personally identifiable information is kept secure. However, the agency has no oversight policies to ensure users are following those rules, auditors said, and there isn’t a process for checking network drives for improperly stored data.

“Until VA officials take steps to guard against user negligence, implement technical controls that prevent users from storing sensitive personal information on shared network drives, and issue oversight procedures to adequately monitor shared network drives, veterans’ sensitive personal information remains at risk,” auditors said.

The agency has since removed the data from its shared drives and put in place technical restrictions to prevent such errors from happening again in the future, a VA spokesperson told Nextgov

Editor's note: This story was updated to include comments from the VA.