VA Exposes Sensitive Veteran Data to Thousands of Unauthorized Employees


A regional office of the Veterans Affairs Department mishandled its patients’ personal data, leaving medical records, internal communications and other sensitive information accessible to thousands of unauthorized agency personnel, according to an internal watchdog.


According to the VA Inspector General, the agency’s Milwaukee regional office was storing personally identifiable information on its patients in two shared drives on the Veterans Benefits Administration’s enterprise network. The security lapse, first flagged by a whistleblower in September 2018, left the data exposed to more than 25,000 remote users across the country, many of whom had no need to access the information, auditors found.


The files stored on the network drives included “medical records, correspondence about medical examinations and disability claims decisions, and veterans’ statements in support of their claims,” the IG said, as well as patients’ names, addresses, birthdays and phone numbers. Some of the files dated back to 2016. 


“The inadequate protection of sensitive personal information places veterans’ data at risk and could undermine the credibility of VBA and [veteran service organizations] in positions of trust,” they said in a report published Thursday. “Veterans should have confidence that their sensitive personal information is handled strictly in accordance with federal laws and VA regulations.”


Though the security lapse “did not meet the criteria for a data breach,” the IG said it did put the information “at unnecessary risk.” In the report, auditors didn’t specify how many veterans had their data exposed.


Investigators found the slip-up stemmed from a combination of user negligence, poor technical controls and insufficient oversight on the part of the agency.


VA regulations require that employees responsible for patient information and agency systems work together to ensure personally i ..
