VA OIG: Records of Thousands of Veterans Exposed to 25,000 VA Employees via Shared Network Drives

Internal Department of Veteran Affairs (VA) communications, disability claims, and the health information of thousands of veterans have been exposed and could be accessed by VA employees authorized to view the information, according to the findings of a Department of Veteran Affairs’ Office of Inspector General (VA OIG) audit.

VA OIG conducted an audit of the VA’s Milwaukee Regional Office following a tipoff by a whistleblower in September 2018 about the exposure of sensitive information on shared network drives, which the whistleblower claimed could be accessed by employees unauthorized to view the information.

VA OIG audit visited the Milwaukee offices in January 2019 and confirmed that sensitive information had been stored on two shared network drives on the VA Enterprise network, which could be accessed by veterans service organization (VSO) officers, even if those officers did not represent those veterans.

The auditors determined that any Veterans Benefits Administration employee who had permission to access the VA network remotely could have accessed the files stored on the shared drives. That means around 25,000 VBA employees could have accessed the drives.

The files stored on those drives contained information such as veterans’ names, addresses, dates of birth, contact telephone numbers, disability claims information, and other highly sensitive and confidential information. Some of the files on the network drives dated back to 2016. VA OIG did not disclose how many veterans have been affected by the security lapse.

The failure to restrict access to the records was a violation of HIPAA and the VA’s policies, which require administrative, technical, and physical safeguards to be implemented to protect the privacy of veterans. The exposure of data was not limited the Milwaukee regional office and was therefore classed as a national issue.

The privacy breach was attributed to failures in three areas: Knowing or inadvertent negligence by VBA staff who stored sensitive information on the network drives in violation of VA policies; a lack of technical controls to prevent “negligent individuals” from using the drives to store sensitive information, and a lack of oversight, which meant sensitive information stored on the drives was not identified and removed.

Because the information was only accessible internally, the VA’s Data Breach Response Service did not class the exposure as a data breach and notifications to veterans whose privacy has potentially been violated were not warranted because their data was not placed “at unnecessary risk.”

VA OIG said in the report “Veterans are at significant risk of unauthorized disclosure and misuse of their sensitive personal information. This has the potential to expose veterans to fraud and identity theft.”

VA OIG has recommended the assistant secretary for information and technology and the undersecretary for benefits provide remedial training to users on the correct handling of sensitive information and storage of information on shared network drives. VA OIG also recommended technical controls should be implemented to ensure that the sensitive information of veterans cannot be stored on shared network drives.  Oversight procedures are also required to ensure any failures by VA staff to abide by federal laws and VA policies are identified and corrected.

“Until VA officials take steps to guard against user negligence, implement technical controls that prevent users from storing sensitive personal information on shared network drives, and issue oversight procedures to adequately monitor shared network drives, veterans’ sensitive personal information remains at risk,” said the VA OIG in the report.

The assistant secretary for information and technology concurred with the recommendations.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.