Dedicated to providing the latest
HIPAA compliance news

Answers Demanded From Dept. Veteran Affairs After Social Security Numbers Exposed

Share this article on:

The Department of Veteran Affairs (VA) has come under the spotlight again following an investigation conducted by News 3 reporters into a privacy breach that exposed the Social Security numbers of numerous veterans.

The investigation revealed that veterans’ Social Security numbers had been sent via unencrypted email on a number of occasions, violating the privacy of veterans in addition to breaching federal regulations. The news report has prompted two Wisconsin senators to demand answers over the privacy breaches.  

The News 3 investigation concerned a privacy incident that occurred in April of this year. An employee of the Wisconsin Department of Veteran Affairs was discovered to have emailed hundreds of Social Security numbers to an individual who was not authorized to receive the data.

The email in question was sent to Mr. Terry Everson, a Wisconsin veteran, on April 1. Upon opening the attachment, Everson saw a list of unhyphenated nine digit numbers.  Approximately 400 Social Security numbers were listed in the attachment. The VA was promptly notified of the apparent email error and all affected veterans were offered identity theft protection services. All copies of the list were subsequently destroyed.

VA Disability Claim Numbers are Formed from Social Security Numbers

 

The investigation conducted by News 3 revealed that this was not the first time Social Security numbers had been sent to unauthorized individuals by the VA. Reporters uncovered three other incidences of accidental disclosure of veterans’ Social Security numbers. The incidents dated back to June 2014. In those incidents, Social Security numbers were similarly sent to individuals who were not authorized to view the data.

Following the discovery, Sen. Ron Johnson (R-Wis.) wrote to the Assistant Secretary for Information and Technology at the VA. Sen. Johnson was concerned that the accidental disclosure was not an isolated incident, and was part of a much wider problem potentially affecting not only the Wisconsin VA, but also other state VA offices. It would appear that this is the case.

The sent to Everson in April actually contained disability claim numbers. These are the same as veterans’ Social Security numbers without the hyphens. VA security software does not require these numbers to be encrypted. Only Social Security numbers must be encrypted before being sent, even though they contain the same digits in the same sequence.

According to the News 3 report, if an individual within the Department of Veteran Affairs sends an email containing a sequence of 9 digits containing a hyphen between every third digit in the sequence, the email is blocked. The sender receives an automated email advising them that the message was not sent. That message informs the sender of the message that in order for the message to be delivered, they must “remove the SSN or encrypt the email.” Removing the hyphens would allow the message to bypass the filter.

Answers Demanded by Wisconsin Senators

 

In the letter, Sen. Johnson has demanded answers from the VA regarding the actions taken against employees who have inadvertently sent Social Security numbers and has questioned why the system does not prevent the transmission of the numbers via unencrypted mail.  Sen. Tammy Baldwin, (D-Wis.) also sent a similar letter demanding answers over the privacy breaches.

This is not the first time that the VA has been criticized for sending sensitive information via unencrypted mail. Sen. Johnson pointed out in his letter that the VA Inspector General similarly questioned the practice of sending emails containing Personally Identifiable Information via unencrypted mail in 2013.

According to the News 3 report, a spokesperson for the VA has said the department does not enforce encryption on all emails containing nine-digit numbers without hyphens, as this would result in too many false positives.

The full news report can be found on this link.

Author: HIPAA Journal

HIPAA Journal provides the most comprehensive coverage of HIPAA news anywhere online, in addition to independent advice about HIPAA compliance and the best practices to adopt to avoid data breaches, HIPAA violations and regulatory fines.

Share This Post On