A 2013 internal Department of Veterans Affairs security risk assessment of the department’s main electronic health record system warned a data breach was “practically unavoidable.”
The heavily redacted assessment of the Veterans Health Information Systems and Technology Architecture, or VistA, first reported by CNBC and obtained by FedScoop, warned “the VA cannot ensure the safety and privacy of veteran and employee health care, benefits and financial information.”
VA, the assessment states, “is noncompliant with its own privacy and security policies and with federal laws and regulations,” such as the Health Insurance Portability and Accountability Act, known as HIPAA, and the Federal Information Security Management Act, or FISMA.
“It is practically unavoidable that a data breach to financial, medical and personal veteran and employee protected information may occur within the next 12 to 18 months,” the report states.
A VA spokesperson told CNBC the document was an internal draft memo and contained inaccurate information that has since been rescinded and corrected.
FedScoop contacted VA for an updated response, but the agency could not respond by press time.
An official on Capitol Hill, who spoke to FedScoop on condition of anonymity, said lawmakers want clarification.
“Right now, it’s incumbent upon VA to clarify what specific portions of the report were inaccurate and what changes have been made,” the source said. “Is a data breach to financial, medical and personal information ‘practically unavoidable’ as the report states? If not, how likely is it?”