VA mishandled veterans’ personal data
November 11, 2019
A new report from the Office of the Inspector General determined that the Department of Veterans Affairs (VA) mishandled sensitive data about veterans and potentially left them vulnerable to fraud and identity theft. Personal information about veterans were stored on two shared network drives and could have been remotely accessible by anyone with authorization to view them, no matter what their need to do so.
The issue was first reported by a veteran service organization officer who discovered that the medical records of veterans on the drive were linked to their names, Social Security numbers, dates of birth and other identifying information. Also linked was in-depth medical information, such as VA disability decisions, examination reports and statements on VA disability claims.
An estimated 25,000 people would have had the credentials necessary to access the information, including individuals working with veteran service organizations that assist with VA disability claims, such as the American Legion, Veterans of Foreign Wars, Paralyzed Veterans of America and others.
It was not clear why the information was mishandled, but the Office of the Inspector General report suggested three possibilities: user negligence, whether intentional or not, the absence of technical safeguards preventing such a mistake and a lack of oversight.
There are strict VA regulations, in accordance with federal law, regarding the way veteran information is stored and this incident is a major violation of that. However, because this was not considered a true data breach, the veterans who were potentially left vulnerable to identity theft and fraud were not required to be notified, nor were they offered credit monitoring services from the VA.
The information was safely secured after the report was made and the VA says that veterans do not need to worry. The Office of the Inspector General recommended that VA staff who handle sensitive personal information be trained on safe storage practices and that new oversight procedures are implemented to prevent similar incidents in the future.