VA Failed To Protect Veterans' Sensitive Information Again - New OIG Report
November 1, 2019 -Thirteen years ago the VA was involved in what, at the time, was one of the largest data breaches ever to occur. The personal information on 26 million veterans, active duty personnel, employees and contractors was breached when a laptop computer containing the data was stolen. The breach resulted in a multimillion dollar settlement and, you might think, a new awareness that data sensitive data needs to be protected. But according to a new report from the VA's Office of Inspector General (OIG), that lesson didn't stick. A new data breach exposed by a whistle- blower shows that the VA continues to be completely incapable when it comes to data security.
According to the report, two networked hard drives containing the personally identifiable information (PII) on veterans were connected to the VA's network in Milwaukee, WI. The report doesn't say how many veterans were impacted. Nor does it state exactly what data was contained in the files on the drives. But it does state that the VA considers PII to include names, dates of birth, social security number, health record information and a variety of other data. So it's probably safe to assume that at least some of that data was accessible on the aforementioned hard drives.
The report also goes on to state that even though the drives were installed on the VA's system in Milwaukee, the OIG considered the problem to be national. That's because they were accessible via the network by 25,000 VA employees who had no actual authorization to view the data contained on them.
While the way that the drives were setup clearly violated VA rules, the OIG concluded that the, "VA had no effective oversight in place to detect if users had violated the rules of behavior, such as storing sensitive personal information on the shared network drives." The report goes on to say that while there are rules, there don't appear to be policies in place to enforce those rules.
ACCESS is advising that any veterans who used VA facilities in Milwaukee should carefully review credit card statement and medical statement to ensure that no fraud is committed. Medical identity theft is a growing problem and any time medical records are leaked, there is a real potential for it to occur. If more information becomes available showing that the issue extends to veterans at other VA facilities, we'll let our readers know.