[BreachExchange] VA Exposes Sensitive Veteran Data to Thousands of Unauthorized Employees

[Destry Winant]

https://www.nextgov.com/cybersecurity/2019/10/va-exposes-sensitive-veteran-data-thousands-unauthorized-employees/160687/

A regional office of the Veterans Affairs Department mishandled its
patients’ personal data, leaving medical records, internal
communications and other sensitive information accessible to thousands
of unauthorized agency personnel, according to an internal watchdog.

According to the VA inspector general, the agency’s Milwaukee regional
office was storing personally identifiable information on its patients
in two shared drives on the Veterans Benefits Administration’s
enterprise network. The security lapse, first flagged by a
whistleblower in September 2018, left the data exposed to more than
25,000 remote users across the country, many of whom had no need to
access the information, auditors found.

The files stored on the network drives included “medical records,
correspondence about medical examinations and disability claims
decisions, and veterans’ statements in support of their claims,” the
IG said, as well as patients’ names, addresses, birthdays and phone
numbers. Some of the files dated back to 2016.

“The inadequate protection of sensitive personal information places
veterans’ data at risk and could undermine the credibility of VBA and
[veteran service organizations] in positions of trust,” they said in a
report published Thursday. “Veterans should have confidence that their
sensitive personal information is handled strictly in accordance with
federal laws and VA regulations.”

Though the security lapse “did not meet the criteria for a data
breach,” the IG said it did put the information “at unnecessary risk.”
In the report, auditors didn’t specify how many veterans had their
data exposed.

Investigators found the slip-up stemmed from a combination of user
negligence, poor technical controls and insufficient oversight on
behalf of the agency.

VA regulations require that employees responsible for patient
information and agency systems work together to ensure personally
identifiable information is kept secure. However, the agency has no
oversight policies to ensure users are following those rules, auditors
said, and there isn’t a process for checking network drives for
improperly stored data.

“Until VA officials take steps to guard against user negligence,
implement technical controls that prevent users from storing sensitive
personal information on shared network drives, and issue oversight
procedures to adequately monitor shared network drives, veterans’
sensitive personal information remains at risk,” auditors said.

The agency has since removed the data from its shared drives and put
in place technical restrictions to prevent such errors from happening
again in the future, a VA spokesperson told Nextgov.