The sensitive information of some veterans was stored unprotected on a national, shared Department of Veterans Affairs network, leaving that data accessible to any authorized VA network user, according to the agency’s inspector general.
In an investigation, spurred by a hotline complaint, the inspector general found that “veterans’ PII [personally identifiable information] and PHI [personal health information] were stored on two shared network drives that were also accessible to VSO [veterans service organization] officers who did not represent those veterans” and who should not have been able to access that information “without written permission or a business need.”
VA workers at a regional office in Milwaukee are alleged to have negligently put the information of a number of veterans who visited that location on national networks that are used “to assist veterans with filing VA disability claims through the Veterans Benefits Management System.”
In January 2019, the IG conducted a site visit during which it viewed firsthand the unprotected information, which it says dates back as far as 2016. The information included “medical records, correspondence about medical examinations and disability claims decisions, and veterans’ statements in support of their claims. The files contained a variety of sensitive veteran information including names, addresses, dates of birth, and phone numbers,” the report says. It didn’t say how many veterans’ information was included.
Though the IG found the incident didn’t fit the criteria for a data breach, it did characterize it as a negligent mishandling of veterans’ sensitive information that put them at risk.
“[A]ny VBA [Veterans Benefits Administration] user with permission to access VA’s network remotely would have had access to the shared drives hosting veterans’ sensitive personal information,” the report says. “IT operations personnel stated that approximately 25,000 remote access users could have accessed the shared network drives.”
The IG pointed to user negligence, a lack of access controls and poor oversight as the causes of the incident and recommended that the VA work to correct those issues.
“Until VA officials take steps to guard against user negligence, implement technical controls that prevent users from storing sensitive personal information on shared network drives, and issue oversight procedures to adequately monitor shared network drives, veterans’ sensitive personal information remains at risk,” the report says.
According to the report, the VA Data Breach Response Service in March declared “that all PII and PHI located on the shared drives had been removed and only one shared folder remained open for users as it was necessary to maintain working conditions.”