According to the findings of a recent Department of Veterans Affairs (VA) Office of Inspector General (OIG) audit, internal VA communications, disability claims, and protected health information (PHI) of thousands of veterans were exposed, allowing VA employees who were not authorized to view the information to access it. The VA data breach came to light after the VA OIG audited the Milwaukee Regional Office, following a 2018 tip-off by a whistleblower. The exposed VA PHI included veterans' names, addresses, dates of birth, contact telephone numbers, disability claims information, and other highly sensitive and confidential information.
How Was the VA PHI Left Exposed?
The VA OIG discovered the exposure as follows. Responding to the whistleblower's claim, the VA OIG visited the Milwaukee office in 2019 and, after conducting an audit, confirmed that sensitive information, including electronic protected health information (ePHI), had been stored on 2 VA Enterprise network drives. The OIG confirmed that the ePHI could be accessed by veterans service organization (VSO) officers, even when those officers did not represent the veterans to whom the PHI pertained.
The auditors determined that any Veterans Benefits Administration (VBA) employee who was authorized to access the VA network remotely could have accessed the network drives, including employees who had no job-related reason (i.e., no authorization) to access the information. The auditors estimated that approximately 25,000 such employees had this access.
Both HIPAA and the VA's own policies and procedures require that access be restricted to authorized persons. The HIPAA Security Rule requires covered entities to implement administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of ePHI.
The auditors attributed the privacy breach in this case to three particular failures:
- Knowing or inadvertent negligence by VBA staff who stored sensitive information on the network drives in violation of VA policies;
- Insufficient technical controls to prevent such individuals from using the network drives to store sensitive information; and
- An overall lack of oversight that resulted in failure to identify sensitive information stored on the drives.
In response to the audit findings, the VA OIG recommended that appropriate VA officers provide remedial training to users on how to properly handle and store PHI on shared network drives. The OIG also recommended implementing technical controls to ensure that ePHI cannot be stored on shared network drives.
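As an added illustration (not from the OIG report or any VA tool), the following Python scan shows the kind of oversight control the third failure above calls for: walking a shared drive and flagging files that carry PHI indicators such as the data classes named in the audit. The regex patterns, file-type list, and the sample share it builds are constructed assumptions for the example.

```python
import os
import re
import tempfile

# Assumed indicator patterns for the data classes the audit named (SSN-like
# numbers, dates of birth, phone numbers, claim keywords); tune for real shares.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "dob": re.compile(r"\b(?:DOB|date of birth)\b[:\s]*\d{1,2}/\d{1,2}/\d{4}", re.IGNORECASE),
    "phone": re.compile(r"\b\(?\d{3}\)?[-.\s]\d{3}[-.]\d{4}\b"),
    "claim": re.compile(r"\b(?:disability claim|claim number)\b", re.IGNORECASE),
}
TEXT_EXTENSIONS = {".txt", ".csv", ".log", ".md"}  # assumed: only plain-text files are read

def classify_text(text):
    """Return the set of PHI indicator names found in a text blob."""
    return {name for name, pat in PHI_PATTERNS.items() if pat.search(text)}

def scan_share(root):
    """Walk a share (any directory tree) and return {relative_path: indicators}
    for every text file containing at least one PHI indicator. Paths use '/'."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if os.path.splitext(fn)[1].lower() not in TEXT_EXTENSIONS:
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    hits = classify_text(fh.read())
            except OSError:
                continue  # unreadable file: skip it rather than abort the whole scan
            if hits:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings

def build_sample_share():
    """Create a constructed sample 'share': one PHI-bearing file, one clean file."""
    root = tempfile.mkdtemp(prefix="sample_share_")
    os.makedirs(os.path.join(root, "claims"))
    with open(os.path.join(root, "claims", "notes.txt"), "w") as fh:
        fh.write("Disability claim for J. Doe, DOB: 01/02/1970, SSN 123-45-6789\n")
    with open(os.path.join(root, "readme.txt"), "w") as fh:
        fh.write("Shared drive for office announcements only.\n")
    return root

if __name__ == "__main__":
    for path, hits in scan_share(build_sample_share()).items():
        print(path, sorted(hits))  # prints: claims/notes.txt ['claim', 'dob', 'ssn']
```

A periodic run of this kind of scan over shared drives gives the oversight the auditors found missing; findings should feed the remedial training and the technical blocking controls the OIG recommended.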