HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Answers Demanded From Dept. Veteran Affairs After Social Security Numbers Exposed

The Department of Veteran Affairs (VA) has come under the spotlight again following an investigation conducted by News 3 reporters into a privacy breach that exposed the Social Security numbers of numerous veterans.

The investigation revealed that veterans’ Social Security numbers had been sent via unencrypted email on a number of occasions, violating the privacy of veterans in addition to breaching federal regulations. The news report has prompted two Wisconsin senators to demand answers over the privacy breaches.  

The News 3 investigation concerned a privacy incident that occurred in April of this year. An employee of the Wisconsin Department of Veteran Affairs was discovered to have emailed hundreds of Social Security numbers to an individual who was not authorized to receive the data.

The email in question was sent to Mr. Terry Everson, a Wisconsin veteran, on April 1. Upon opening the attachment, Everson saw a list of unhyphenated nine digit numbers.  Approximately 400 Social Security numbers were listed in the attachment. The VA was promptly notified of the apparent email error and all affected veterans were offered identity theft protection services. All copies of the list were subsequently destroyed.

Get The Checklist

Free and Immediate Download
HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

VA Disability Claim Numbers are Formed from Social Security Numbers


The investigation conducted by News 3 revealed that this was not the first time Social Security numbers had been sent to unauthorized individuals by the VA. Reporters uncovered three other incidences of accidental disclosure of veterans’ Social Security numbers. The incidents dated back to June 2014. In those incidents, Social Security numbers were similarly sent to individuals who were not authorized to view the data.

Following the discovery, Sen. Ron Johnson (R-Wis.) wrote to the Assistant Secretary for Information and Technology at the VA. Sen. Johnson was concerned that the accidental disclosure was not an isolated incident, and was part of a much wider problem potentially affecting not only the Wisconsin VA, but also other state VA offices. It would appear that this is the case.

The sent to Everson in April actually contained disability claim numbers. These are the same as veterans’ Social Security numbers without the hyphens. VA security software does not require these numbers to be encrypted. Only Social Security numbers must be encrypted before being sent, even though they contain the same digits in the same sequence.

According to the News 3 report, if an individual within the Department of Veteran Affairs sends an email containing a sequence of 9 digits containing a hyphen between every third digit in the sequence, the email is blocked. The sender receives an automated email advising them that the message was not sent. That message informs the sender of the message that in order for the message to be delivered, they must “remove the SSN or encrypt the email.” Removing the hyphens would allow the message to bypass the filter.

Answers Demanded by Wisconsin Senators


In the letter, Sen. Johnson has demanded answers from the VA regarding the actions taken against employees who have inadvertently sent Social Security numbers and has questioned why the system does not prevent the transmission of the numbers via unencrypted mail.  Sen. Tammy Baldwin, (D-Wis.) also sent a similar letter demanding answers over the privacy breaches.

This is not the first time that the VA has been criticized for sending sensitive information via unencrypted mail. Sen. Johnson pointed out in his letter that the VA Inspector General similarly questioned the practice of sending emails containing Personally Identifiable Information via unencrypted mail in 2013.

According to the News 3 report, a spokesperson for the VA has said the department does not enforce encryption on all emails containing nine-digit numbers without hyphens, as this would result in too many false positives.

The full news report can be found on this link.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.