25% off all training courses Offer ends May 29, 2026
View HIPAA Courses
Learner Login Learner Support
Learner Login Learner Support
25% off all training courses
View HIPAA Courses
Offer ends May 29, 2026

The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Answers Demanded From Dept. Veteran Affairs After Social Security Numbers Exposed

Posted By on Nov 2, 2015

The Department of Veteran Affairs (VA) has come under the spotlight again following an investigation conducted by News 3 reporters into a privacy breach that exposed the Social Security numbers of numerous veterans.

The investigation revealed that veterans’ Social Security numbers had been sent via unencrypted email on a number of occasions, violating the privacy of veterans in addition to breaching federal regulations. The news report has prompted two Wisconsin senators to demand answers over the privacy breaches.  

The News 3 investigation concerned a privacy incident that occurred in April of this year. An employee of the Wisconsin Department of Veteran Affairs was discovered to have emailed hundreds of Social Security numbers to an individual who was not authorized to receive the data.

The email in question was sent to Mr. Terry Everson, a Wisconsin veteran, on April 1. Upon opening the attachment, Everson saw a list of unhyphenated nine digit numbers.  Approximately 400 Social Security numbers were listed in the attachment. The VA was promptly notified of the apparent email error and all affected veterans were offered identity theft protection services. All copies of the list were subsequently destroyed.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

VA Disability Claim Numbers are Formed from Social Security Numbers

 

The investigation conducted by News 3 revealed that this was not the first time Social Security numbers had been sent to unauthorized individuals by the VA. Reporters uncovered three other incidences of accidental disclosure of veterans’ Social Security numbers. The incidents dated back to June 2014. In those incidents, Social Security numbers were similarly sent to individuals who were not authorized to view the data.

Following the discovery, Sen. Ron Johnson (R-Wis.) wrote to the Assistant Secretary for Information and Technology at the VA. Sen. Johnson was concerned that the accidental disclosure was not an isolated incident, and was part of a much wider problem potentially affecting not only the Wisconsin VA, but also other state VA offices. It would appear that this is the case.

The sent to Everson in April actually contained disability claim numbers. These are the same as veterans’ Social Security numbers without the hyphens. VA security software does not require these numbers to be encrypted. Only Social Security numbers must be encrypted before being sent, even though they contain the same digits in the same sequence.

According to the News 3 report, if an individual within the Department of Veteran Affairs sends an email containing a sequence of 9 digits containing a hyphen between every third digit in the sequence, the email is blocked. The sender receives an automated email advising them that the message was not sent. That message informs the sender of the message that in order for the message to be delivered, they must “remove the SSN or encrypt the email.” Removing the hyphens would allow the message to bypass the filter.

Answers Demanded by Wisconsin Senators

 

In the letter, Sen. Johnson has demanded answers from the VA regarding the actions taken against employees who have inadvertently sent Social Security numbers and has questioned why the system does not prevent the transmission of the numbers via unencrypted mail.  Sen. Tammy Baldwin, (D-Wis.) also sent a similar letter demanding answers over the privacy breaches.

This is not the first time that the VA has been criticized for sending sensitive information via unencrypted mail. Sen. Johnson pointed out in his letter that the VA Inspector General similarly questioned the practice of sending emails containing Personally Identifiable Information via unencrypted mail in 2013.

According to the News 3 report, a spokesperson for the VA has said the department does not enforce encryption on all emails containing nine-digit numbers without hyphens, as this would result in too many false positives.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist