Palo Alto VA IT Security Breach

Major Patient Privacy Breach Alleged At Palo Alto VA


Benjamin Krause

VA OIG just reported that the Palo Alto VA Health Care System improperly gave patient data to a private IT company, Kyron, before that company's employees had cleared background checks and before the software it ran on a VA server had been approved to operate.

The watchdog investigated allegations that the Palo Alto VA informatics chief entered into an illegal agreement with a health technology company called Kyron.

VA OIG substantiated the allegation that patient data was made available to Kyron before its employees had received background investigations. It also found that Kyron's extraction software was placed on a VA server, and the data loaded into it, before VA information security officers had produced the required system security documentation and risk analysis, so the software had no formal authorization to operate on the VA network.


VA OIG does state that all identifying information was removed from the data before it was shared with Kyron, and that the data stayed inside VA's IT enterprise rather than being transmitted outside VA's firewall. OIG further indicated that the allegation that the agreement itself was illegal was not substantiated.

I pasted the executive summary below. When you read it, I suggest reading it from the bottom up. The reason is that VA OIG almost always diminishes allegations by making negative comments at the beginning but then admitting all the failures later. When you read these reports starting from the recommendations, you do not get pulled into the semantic games… and believe me, there are many games going on with these reports.

DOWNLOAD: Full Palo Alto VA Health Care System Report

The VA OIG Palo Alto VA report summary reads:

Review of Alleged Data Sharing Violations at the Palo Alto VA Health Care System

In October 2014, the House Committee on Veterans’ Affairs provided the VA Office of Inspector General (OIG) a complainant’s allegation that the VA Palo Alto Health Care System (PAHCS) Chief of Informatics entered into an illegal agreement with Kyron, a health technology company, to allow data sharing of sensitive VA patient information. This allegation involved veterans’ personally identifiable information (PII), protected health information (PHI), and other sensitive information being vulnerable to increased risks of compromised confidentiality. Allegedly, sensitive VA patient information was transmitted outside of VA’s firewall. The complainant also alleged Kyron personnel received access to VA patient information through VA systems and networks without appropriate background investigations.

We did not substantiate the allegations that the Chief of Informatics formed an illegal agreement with Kyron or that sensitive patient information was transmitted outside of VA’s firewall. However, we substantiated the allegation that Kyron personnel received access to VA patient information without appropriate background investigations. We determined there was a signed agreement between PAHCS and Kyron and its personnel received access to de-identified VA patient information within VA’s information technology enterprise. The agreement allowed Kyron, as part of a pilot program, to test technical implementation of its extraction software on a VA server by transforming de-identified VA patient information into structured patient profiles. The profiles allowed search and query of patient interventions and outcomes in more timely and cost-effective ways and facilitated data mining that could potentially assist VA in improving the delivery of healthcare.

Based on our interviews, review of available documentation and relevant criteria, and our judgment, we determined the Chief of Informatics, who was also the local program manager for the pilot program, failed to ensure Kyron personnel met the appropriate background investigation requirements before granting access to VA patient information. The Chief of Informatics also failed to ensure Kyron personnel completed VA’s security and privacy awareness training. Further, the Information Security Officers (ISOs) failed to execute their required responsibilities in accordance with VA Handbook 6500, Information Security Program, by not providing PAHCS management and staff guidance on information security matters. More specifically, the ISOs did not coordinate, advise, and participate in the development and maintenance of system security documentation and system risk analysis prior to Kyron placing its software on a VA server. As a result, Kyron did not have formal authorization to operate its software on a VA server.

We concluded the lack of coordination between the Chief of Informatics and ISOs in executing the Kyron agreement potentially jeopardized the confidentiality of veterans’ PII, PHI, and other sensitive information. The Chief of Informatics admitted to proceeding with the pilot before obtaining documented support from the local ISOs. In addition, the PAHCS and regional ISOs failed to execute their required responsibilities in accordance with VA Handbook 6500. After the OIG informed PAHCS officials of the initial results in November 2014, they discontinued Kyron’s personnel access to VA de-identified patient information until Kyron’s personnel received VA completed background investigations, appropriate security, and privacy training.

However, given the nature and seriousness of sensitive veteran data being vulnerable to increased risks of compromised confidentiality, we recommended the VA Assistant Secretary for Information and Technology take immediate action to ensure the local and regional ISOs determine the appropriate security level for Kyron’s software and pilot program. We also recommended the VA Assistant Secretary for Information and Technology implement appropriate controls to ensure that unauthorized software is not procured or installed on VA networks without a formal risk assessment and approval to operate. We recommended the PAHCS management, in conjunction with VA’s Assistant Secretary for Information and Technology, ensure Kyron personnel receive commensurate background investigations and obtain the required information security documentation that authorizes Kyron’s software to operate.

Further, we recommended the PAHCS management, in conjunction with VA’s Assistant Secretary for Information and Technology, require Kyron personnel complete security awareness training and sign the Contractor Rules of Behavior to ensure full awareness of VA information security requirements when accessing VA systems and networks. The Assistant Secretary for Information and Technology concurred with our findings and recommendations and provided an appropriate action plan. We will follow up on the implementation of the corrective actions.

Source: https://www.federaltimes.com/story/government/it/2015/09/28/oig-palo-alto-va-gave-patient-info-company/72991040/


16 Comments

  1. The real question is that, why are these people experimenting with software regarding veteran care and programs when the secretary, last year, stated that the systems were to be combined into 1 universal program and with a sole source under MyVA. He stated this in many committee hearings regarding contracts and outdated scheduling programs. This was under his watch and why is Palo Alto excepted? Ridiculous!

    1. Right-on!!

      Also, who in their right mind, especially while the USA is STILL in a long ass series of wars, just hands over Veteran Data BEFORE *any* background checks, let alone a real plan and agreement?

      The VAOIG seems to think they just need to shake hands, complete background checks, then give them back the Veteran files, and all is dandy.

      Every Veteran File has our Social Security Number. It’s at the very root of our enlistment and careers. You could not have given over more deeply rooted info to potential enemies!!! WTF?!!

      Just seems we keep getting pulled backwards.

    2. Corpsmanup, you will not find a Tier 3 medical facility in the world that only uses one “universal program”. To believe that there is a silver bullet application that performs all the clinical IT functions of a hospital is naive.

      I suspect Mr. McDonald was referring to a single Electronic Medical Record (EMR). Which is just that, a patient’s medical history, and other tools, such as scheduling, billing and pharmacy, lab and x-ray order entry. The fact that most EMR vendors have multiple product lines is indicative of the need for more than one system.

      It takes hundreds of applications to support a large medical facility. With that said, a quick lookup of Kyron shows that it isn’t even a clinical application. It is a business application that scans medical records and uses natural language processing to link illnesses to outcomes. Or to put it simply, provide decision support tools to improve patient care.

      You’d have to provide the context of Mr. McDonald’s comments to be certain, but it does not appear that VA Palo Alto’s effort contradicts his promise.

      1. I know what you mean, but layman’s terms for a WWII, Korean War and Vietnam Era veteran would be the best approach, especially given that they have to make the veteran aware of 3rd party consent and disclosure of their protected information. Billing codes are gimmicks if the user inputting the codes cannot back up the data with physician approval. And we know the physicians are not reviewing their ICD-10 codes or the DSM-V codes that usually are not in favor of the veteran. The timing of this debacle just conflicts with what the Secretary states he is doing, that’s all.

  2. Here’s something to ponder. If VA is going over to “online filing of claims”, or other things. Why would there be any reason for a Veterans Service Organization?
    IMO, they only want your money for membership…

    1. Bingo! When I first, years ago, read quite a few stories and warnings about how ‘most’ VSOs have placed a Vet’s file on or near their desk, to be found still there 6+ months later, and what VSOs typically will not tell Veterans is…they will *only go so far*…and that’s to be determined by them. Bedfellows with the VA, far from the inherent safety or relief ANY so-called “Advocacy Group” should be offering. I learned from so much of that and advice on hadit dot com, that was the reason I decided to do it all by myself and yes, had a very Veteran Friendly State Senator light a few fires under them and Social Security.
      I am sure there are certainly exceptions and just like the VAHA, there’s great employees, but corruption tends to historically cause another stronger strain of corruption and that’s what has happened in this greed-based merit system the VA has people hanging from their marionette strings.
      Original concepts/models of great and exceptional intentions that mostly have lost their way and honestly, more notoriously known as cheesy bars operated under whichever Org. with insanely cheap drink prices. I never have been a drinker, and always have felt very once-removed from any benefits of these groups and am often wary of referring a new vet friend or someone that is a spouse/survivor to them, when with the internet you can do strategic searches on hadit dot com, as one of many places…even the Title 38 stuff…it’s of my belief many VSOs only serve as a “boat launch and staging ground and HOLDING PATTERN” for any Veteran’s attempt at filing a claim.

      OT: After another reading of that VA OIG report, it indeed is contradictory in nature. Does not pass the sniff test. Even my cat is notably annoyed.

  3. Near Palo Alto VA is the Concord Vet Center, it once had a team leader named Denver Mill’s who completely dismantled what Vietnam Veterans in 1979 had pushed to have the Vet Center located in Concord, California; he also destroyed records of Vietnam Veterans! The person that took his place, Jeff Jewel, was a lowly VSO in Solano County who destroyed hundreds of Solano County Veterans and is rewarded by the system in placing him as the team leader of the Concord Vet Center. Both are cowards and, just as the Veterans Administration, bully and short change Veterans every day! I see now, I have wasted my time and life as others have in trying to keep this Vet Center from being contaminated by those that would just as soon see Vietnam Veterans be wiped off the VA rolls! These cowards have caused much pain but the powers that be let them keep on ticking and screwing up men and women seeking help! This has been as the carnage the VA is involved with has to stop, but Congressmen George Miller and Mike Thompson do nothing to assist the Veterans, both men and women, that have reached out to them!

  4. The VAOIG investigations which Ben reports are available to read by either subscribing to VAOIG emails or going to the VAOIG website.

    Having read most of the summaries and a few of the full reports, Ben is absolutely correct regarding the wording of these past two investigations and his subsequent posts. They usually end in, “we made (pick a number) of recommendations. The Director (of whoever) has concurred with our recommendations.”

    These last two IG reports have taken a different tone. Especially after six years of the previous Assistant IG who never made recommendations for criminal action or placed blame squarely where it belongs.

    I just received a new IG report that concerns the VA where I go. It was found that the union employees were all being overpaid because they were shown assigned to one hospital (which is in the metro NY area) and not the one where they work. Cost in one year: $600,000. How many years has it been going on? Many.

    While this was going on, this same VA was trying their best to screw with travel pay. At one point saying it was air miles and not driving miles. I complained and told them if it wasn’t corrected, I would contact the IG’s office. They corrected mine, but I wonder if there aren’t others who don’t know any better?

    By the way, this is the same hospital that has an outreach to hire recently released veteran felons. This report is regarding the departments they work in. The management should all become felons.

  5. Now with IT controlling medical data, ANY OR ALL INFO CAN BE DELETED, ALTERED, OR JUST DISAPPEAR, especially your medical condition, or perhaps you will not be in the system at all and yes, that beats having to burn record buildings down. You can either have a medical condition or have a medical condition that was contrived by medical personnel or you won’t have one at all.
    It is all to just not provide medical care or other benefits, or as little as possible. AND the DOD or its insurers will save more money. And that is what this is always about, saving money to spend on those who make sure you don’t get much of anything, which really belongs to you.

  6. This article contradicts itself and suggests the OIG report does the same (my next read). If the patient data is de-identified, it is not sensitive by definition. Yet there is this rant about sensitive data. Which is it? Was personally identifiable information (PII) shared and used without proper controls, or was the PII removed, hence “de-identified,” and thus non-sensitive data shared? And if it is not sensitive, what is the rub?

    This has all the appearance of hit-mongering (putting it politely). If the data was cleaned of PII, then go find something worthwhile to do. Let the VA movers and shakers try and get the VA out of the information technology stone-age.

    If, on the other hand, the data was not de-identified, then let the chips fall where they may, learn from the experience, don’t do it again.

    First take, de-identified data, and then we must question the motivation of the author (do we leave the hit on your dresser?)

  7. Morning to all.
    This morning I got in my email box from “Military dot com” something that pissed me off.
    It’s an article from the “Daily News”. The title is;

    “VFW: VA Turned ‘Blind Eye’ to Insurer Profiteering Off Survivors”
    Sep 30, 2015
    by Bryant Jordan

    It concerns the VA (of course) and Prudential Insurance Co.
    I’m not going to put a lot of quotes on. Because this is even too damn low, even for VA.
    I’ve said this before, and I will say it again, “VA’s House of cards IS crumbling!” There’s no stopping it. For the past few months, VA has had more negative articles come out than in the past year. They are NOT learning. The veteran community and the TAXPAYERS are fed up. They know there’s criminal activity taking place, and they want the “Arm of the Law” to come crashing down on them. McDonald has done nothing to correct this system. All he has done is LIE!
    So, I hope y’all google this article…..

  8. 09/30/2015

    Dear Benjamin Krause,

    “In October 2014, the House Committee on Veterans’ Affairs provided the VA Office of Inspector General (OIG) a complainant’s allegation that the VA Palo Alto Health Care System (PAHCS) Chief of Informatics entered into an illegal agreement with Kyron, a health technology company, to allow data sharing of sensitive VA patient information.”=== https://www.va.gov/oig/pubs/VAOIG-14-04945-413.pdf

    “This allegation involved veterans’ personally identifiable information (PII), protected health information (PHI), and other sensitive information being vulnerable to increased risks of compromised confidentiality. Allegedly, sensitive VA patient information was transmitted outside of VA’s firewall. The complainant also alleged Kyron personnel received access to VA patient information through VA systems and networks without appropriate background investigations.”

    “Based on our interviews, review of available documentation and relevant criteria, and our judgment, we determined the Chief of Informatics, who was also the local program manager for the pilot program, failed to ensure Kyron personnel met the appropriate background investigation requirements before granting access to VA patient information. The Chief of Informatics also failed to ensure Kyron personnel completed VA’s security and privacy awareness training. Further, the Information Security Officers (ISOs) failed to execute their required responsibilities in accordance with VA Handbook 6500, Information Security Program, by not providing PAHCS management and staff guidance on information security matters. More specifically, the ISOs did not coordinate, advise, and participate in the development and maintenance of system security documentation and system risk analysis prior to Kyron placing its software on a VA server. As a result, Kyron did not have formal authorization to operate its software on a VA server.”

    “…Kyron specializes in the development of software that mines clinical information.”
    “Kyron’s technical approach is consistent with current developments in optimizing health care outcomes using statistics and information technology.”

    Who is Kyron’s personnel? [Louis Monier Founder and CEO and Jacob Reider, MD Chief Strategy Officer (HHS)]

    “About Kyron
    Kyron is a stealth startup whose mission is to enable personalized medicine through deep analysis of medical data with advanced machine learning. Kyron was founded in mid-2013 and received seed funding from Khosla Ventures. It has assembled a world-class team of software architects, physicians, informaticians, machine learning gurus, health IT veterans and health policy experts. For additional information, please visit https://kyron.com/”

    Kyron’s actions were pure arrogance against the law and the ethics of Medicine.

  9. What I forgot to add was when I mentioned how often that report fully spelled out job titles in a corporate way, it made absolutely no sense then, at the second page or so there’s a chart of ACRONYMS for each of -6- terms, and only the VA name is abiding by this otherwise chart.

    Lastly, don’t you just love how they use “alleged [insert scandal]”? PsyOps to instill doubt and then long-winded taunting, at best, about how this contract should have actually BEEN a “contract” with an actual “plan” before handing over $$$ and giving them our damn personal info…de-identified, whatever…still careless.

    See, this is my worry with going all electronic records. And no, I am not against technology nor a technophobe, it’s just simply NOW much easier to simply say POOF, sorry, instead of the St. Louis Fire, we NOW just say your data went POOF…back to very end of process, new date…it’s not paranoia, it’s a valid concern.
    Perhaps the DOD would do a better job with all things IT for the VA.

    Rant over. Full Moon.

  10. “[…they discontinued Kyron’s personnel access to VA de-identified patient information until Kyron’s personnel received VA completed background investigations, appropriate security, and privacy training.]”

    Reading the complete document made my brain seriously hurt. In the short quote, what THE HELL is “VA de-identified patient information”?!!?!
    Is that the ‘legaleze’ way of trying to twist it to sound as if Veteran’s info was never exposed in first place since, after all, the VA “de-identified” all data before realizing there was…what problem again…?!

    That document the VA OIG wrote is a complete mess and thanks, Ben, you are correct in that reading from end to start helps the brain be only slightly immune to whatever Disney-fication Spell was placed on that sorry excuse for the VA’s blatant ignorance.

    I also must note, just look how *many times* they bother to completely write out Titles/Job Positions. It’s like an 8th grader trying to cheat on a paper by inserting 500% filler words, to the point that when reading the full document from very start to finish, it seriously makes your brain hurt.

    Kyron sounds WAY too much like CYLON. Did the VA hire a bunch of nerds still living in mama’s basements eating hot pockets being shot down the laundry chute?

    Somehow I think this data breach was a bit worse than the bandaid the VA OIG is placing on it.
