VA Released Millions of People's Personal Data Despite Known Risks


The agency stopped redacting personally identifiable information in claims requested under the Privacy Act, even though officials knew the policy could leave millions of people vulnerable to identity theft.

The Veterans Affairs Department knowingly disclosed sensitive information on millions of veterans’ doctors, spouses and dependents despite warnings that the practice “could cause those individuals significant harm,” an internal watchdog found.

For more than three years, the Veterans Benefits Administration intentionally stopped redacting names, Social Security numbers and other personally identifiable information on third-party individuals in claims records provided to veterans, according to the VA Inspector General. The practice not only left countless people vulnerable to identity theft but it also potentially broke the law, auditors found. 

“VBA officials made the decision to stop redacting information that was purposely included in claims files, despite the inherent risks of disclosing third-party [personally identifiable information] in service records,” they said in a report published last week. “The OIG contends that the [policy] could place VBA at legal risk of penalties for Privacy Act violations based on other more recent case law.”

Under the Privacy Act of 1974, vets can request access to the claims they file with the VBA. In addition to information on the individual veteran, those documents often contain sensitive data on dozens of unrelated “third parties,” like spouses, dependents, previous healthcare providers and other service members. Historically, VBA redacted information on extraneous individuals from claims documents before handing them over to veterans, but officials did away with the practice in May 2016 as a way to reduce the amount of time it took to process claims.

Under the new policy, auditors said the agency likely exposed a staggering amount of personal data. During the audit, the IG found more than 1,000 unredacted names and Social Security numbers included in a sample of 30 claims requests. In the three years since officials stopped redacting third-party information, VBA processed some 379,000 requests, they said.

“Based on the volume of third-party [personally identifiable information] the review team found … the OIG determined that the [agency] could have already released millions of third parties’ names and Social Security numbers,” the IG said. The policy also permitted VBA to release more sensitive third-party information, like addresses and bank accounts, though auditors didn’t say how much data was exposed.

The agency failed to inform those individuals that it was releasing their sensitive personal information. As of July, the VBA website stated the redaction policy was still in effect.

“If individuals were harmed under this policy, they could be unaware that VBA staff released their information,” the IG said.

According to the report, agency officials were themselves well-aware of the risks associated with releasing this information into the wild. The Veterans Affairs’ General Counsel’s Office told agency officials that people could face “substantial” harm if their information was misused, yet it still said there was legal support for not redacting the data. Many of the agency’s privacy officials were not consulted in the policymaking process, auditors found, and the ones who were expressed serious concerns.

The director of the VA’s Privacy Service told the IG she didn’t know the policy existed. In an interview with auditors, she said the policy “was not appropriate and anyone who reads it would question it based on common sense, even if he or she was not a privacy expert.”

In a separate interview, the leader of the agency’s records management center support division told auditors leaving claims unredacted didn’t even save that much time, as personnel still needed to review each record page-by-page to ensure they didn’t release the wrong documents.

“She noted seeing some increased efficiency under the May 2016 release policy, but not a lot,” the report said.

According to the report, the IG urged VBA to “immediately review” the policy in December 2018, but the agency’s chief Paul Lawrence said he disagreed with the recommendation. However, Lawrence said in June the agency would resume redacting third-party information by October. Officials formally changed the policy on Sept. 27.

The IG also advised the agency to update its website to reflect current disclosure policies, increase oversight of its records management process through legal reviews and improved reporting, and create accountability measures to ensure staff adheres to Privacy Act provisions. The agency concurred with each recommendation.

“VA is committed to providing veterans prompt access to their claim records increasing transparency and improving customer service,” Secretary Robert Wilkie said in a statement. “It’s imperative that we protect files containing sensitive and personal information.”

The agency declined to elaborate on the rationale behind the May 2016 policy.