An IG report confirmed allegations of privacy rule violations that left over 25,000 “remote access users” with improper access to an undisclosed number of veterans’ sensitive personal information records in 2016, a problem IG did not report on until 2019.
The IG report concluded VA engaged in a massive privacy rule violation. But IG conveniently relied on the agency’s own internal data breach investigation, which lets the agency evade any breach notice requirements. Veterans affected will not be informed. And the agency concluded it does not need to notify the Department of Health and Human Services of any potential HIPAA violations.
Just before the IG released its report, the Veterans Benefits Administration issued a new Privacy Act policy dated September 27, 2019. Whatever is going on with this report, and the underlying security violation, I can assure all readers there is more to the story.
<< Probably a massive HIPAA violation that VA failed to report to DHHS >>
Who Done It
So, let me give you some context.
An employee of a veterans service organization (VSO) at the Milwaukee VA Regional Office alleged that veterans’ sensitive personal information was stored on shared drives in a way that could have allowed unlawful or improper access by 25,000 VA employees and VSO employees.
The unsecured sensitive personal information (SPI), including protected health information (PHI) and personally identifiable information (PII), was left on two shared drives at the Milwaukee VA Regional Office (VARO). Local and national users who should not have had access could have read the records improperly and without the consent of the veterans affected.
The report stops short of disclosing how many veterans were impacted by the potential data breach, and it also does not address how many unauthorized individuals accessed the protected information.
IG substantiated the allegations but did not challenge VA’s internal conclusion that no data breach occurred. Apparently the allegation on its face did not raise further issues warranting a deeper investigation, and IG seemingly stopped short of going the full monty.
Is this a case of the fox guarding the henhouse again?
According to IG, the poor handling of veteran data occurred because of:
- user negligence in storing sensitive personal information on shared drives;
- a lack of technical safeguards to prevent inappropriate storage; and
- inadequate oversight to ensure compliance with agency rules.
Because of this mishandling, VSO employees and 25,000 VA personnel could have accessed the information unlawfully. VA may only grant access to veterans’ PHI and PII to individuals who have been properly authorized to see it.
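The second cause in that list, the absence of a technical safeguard, is the one a security engineer can actually do something about: a share that holds claims files should be scanned for sensitive identifiers and cross-checked against who can read them, rather than trusting users never to drop a PHI-laden file into a folder everyone can reach. The script below is an added example written for this page; it is not VA or IG tooling, and the sample files, folder names and the SSN pattern are constructed for illustration. It walks a directory, flags files that contain SSN-like values, and reports whether each flagged file is readable by everyone on the system (the POSIX mode-bit analogue of an over-broad share ACL).

```python
"""Scan a shared drive for unprotected sensitive personal information (SPI).

Added example, not VA or IG tooling. Assumptions: POSIX permission bits stand
in for share ACLs, and an SSN-shaped string is the sole marker of SPI. A real
deployment would add more identifiers (claim numbers, DOB, diagnoses) and read
the actual share ACLs.
"""
import os
import re
import stat
import tempfile
from dataclasses import dataclass
from typing import List

# SSN pattern with the common structural exclusions (no 000/666/9xx area,
# no 00 group, no 0000 serial). Constructed for the example.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


@dataclass
class Finding:
    path: str            # path relative to the share root
    ssn_count: int       # number of SSN-shaped values found
    world_readable: bool  # True if any user on the system can read the file


def file_is_world_readable(path: str) -> bool:
    """Return True if the 'other' read bit is set on the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def scan_share(root: str, max_bytes: int = 1_000_000) -> List[Finding]:
    """Walk the share and report every file holding SSN-like values."""
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)  # cap to avoid huge binaries
            except OSError:
                continue  # unreadable to the scanner; a real tool would log it
            text = data.decode("utf-8", errors="ignore")
            matches = SSN_RE.findall(text)
            if matches:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append(Finding(rel, len(matches), file_is_world_readable(path)))
    # Deterministic order regardless of os.walk traversal order.
    return sorted(findings, key=lambda f: f.path)


def build_sample_share() -> str:
    """Create a throwaway directory mimicking a regional-office share.

    The file contents and permissions are constructed for this example.
    """
    root = tempfile.mkdtemp(prefix="varo_share_")
    samples = {
        "claims/veteran_a.txt": "Name: J. Doe\nSSN: 123-45-6789\nDx: redacted\n",
        "claims/notes.txt": "Case note with no identifiers.\n",
        "public/rating_schedule.txt": "Schedule version 2019-09-27\n",
        "exports/bulk.csv": "id,ssn\n1,321-54-9876\n2,234-56-7890\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    # Simulate the misconfiguration: the bulk export is readable by everyone,
    # while the per-claim file is restricted to its owner.
    os.chmod(os.path.join(root, "exports", "bulk.csv"), 0o644)
    os.chmod(os.path.join(root, "claims", "veteran_a.txt"), 0o600)
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for f in scan_share(share):
        flag = "EXPOSED" if f.world_readable else "restricted"
        print(f"{flag:10s} {f.ssn_count:3d} SSN(s)  {f.path}")
```

Run it as-is and it prints one line per file containing SSN-shaped values, with the bulk export marked EXPOSED. The point is not the regex but the join: a file full of identifiers that only its owner can read is a policy problem, whereas the same file readable by every remote-access user is exactly the condition the IG report describes.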
A few things jumped out at me about this investigation, but one in particular warranted noting. The problem here involved improper storage of veterans’ sensitive personal information on shared network drives reachable through VA’s Citrix remote-access environment.
But, and get this, the investigation states, “The OIG team did not use computer-processed data.”
So how could IG evaluate whether a data breach occurred without examining the underlying computer data, such as the share’s file access records, using standard forensic tools? Instead, it sounds like IG relied solely on testimonial evidence without analyzing the underlying evidence.
The agency avoided any requirement to file a HIPAA breach notice with the Department of Health and Human Services by having its own internal investigation team evaluate the incident.
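To make the objection concrete: answering “did anyone outside the authorized group actually read these files?” is a question about access records, not testimony. The script below is an added example written for this page, not IG or VA tooling; the audit records, user names, organizations and the per-folder authorization policy are all constructed for illustration, and forward slashes stand in for UNC paths. It parses file-access audit records from a share and lists every read by a user the folder policy does not allow.

```python
"""Reconstruct who actually read files on a share from access-audit records.

Added example, not IG or VA tooling. The records below are constructed; on a
real file server they would come from object-access auditing on the share.
"""
import csv
import io
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample: one record per file open on the share.
SAMPLE_AUDIT_CSV = """timestamp,user,org,path,access
2016-03-01T09:12:04Z,jsmith,VBA-MKE,//share1/claims/c12345.pdf,read
2016-03-01T09:15:30Z,agarcia,VSO-ACME,//share1/claims/c12345.pdf,read
2016-03-01T10:02:11Z,agarcia,VSO-ACME,//share1/claims/c67890.pdf,read
2016-03-02T14:44:59Z,bwong,VBA-STL,//share1/claims/c12345.pdf,read
2016-03-02T15:01:00Z,jsmith,VBA-MKE,//share1/public/schedule.xlsx,read
"""

# Constructed policy: which users may reach each folder.
# None means the folder is intentionally open to everyone on the share.
AUTHORIZED: Dict[str, Optional[set]] = {
    "//share1/claims/": {"jsmith", "mlee"},
    "//share1/public/": None,
}


def parse_audit(csv_text: str) -> List[dict]:
    """Parse audit records into dicts keyed by the CSV header."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def folder_policy(path: str) -> Optional[str]:
    """Return the longest policy prefix that covers the path, if any."""
    best = None
    for prefix in AUTHORIZED:
        if path.startswith(prefix) and (best is None or len(prefix) > len(best)):
            best = prefix
    return best


def unauthorized_accesses(records: List[dict]) -> List[dict]:
    """Keep every record whose user is not allowed in the file's folder.

    A folder with no policy at all is treated as a finding too: nobody has
    decided who may read it, which is the shared-drive failure mode itself.
    """
    hits = []
    for r in records:
        prefix = folder_policy(r["path"])
        if prefix is None:
            hits.append(r)
            continue
        allowed = AUTHORIZED[prefix]
        if allowed is not None and r["user"] not in allowed:
            hits.append(r)
    return hits


def summarize(hits: List[dict]) -> Dict[str, List[str]]:
    """Group flagged accesses by user, listing the distinct files each read."""
    by_user = defaultdict(set)
    for r in hits:
        by_user[r["user"]].add(r["path"])
    return {user: sorted(paths) for user, paths in by_user.items()}


if __name__ == "__main__":
    hits = unauthorized_accesses(parse_audit(SAMPLE_AUDIT_CSV))
    for user, paths in sorted(summarize(hits).items()):
        print(f"{user}: {len(paths)} file(s) outside authorization")
        for p in paths:
            print(f"    {p}")
```

With records like these in hand, “no breach” becomes a claim that can be checked: either the flagged list is empty, or it is not. Without them the determination rests on what people say they did, which is the gap the passage above is pointing at.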
Putting It Into Perspective
I tried out the VA methodology on my 17-year-old daughter.
Me to Daughter, “I have heard from a third party you did not do your homework. I ask that you investigate whether you did your homework, and I will not check with the third party to see if you, in fact, turned in your homework. Can you tell me what you find out?”
My daughter was very confused about the question, and she did not know how to respond because of how stupid the question was.
That is how the IG report reads when you consider the data breach question was not evaluated by IG but simply assumed from the agency’s own internal investigation.
We are so stupid for continuing to allow VA, the most corrupt agency in the Cabinet, to investigate itself and then relay the findings of its own investigation, without question, to its own crack IG.
We deserve what we get if we do not rein in this idiocy that allows corruption to fester. We have no one but Congress to thank for the continued corruption.
Inadequate Protection Of Sensitive Personal Information
IG concluded the problem was the result of inadequate protection of PHI and PII. However, it seemingly accepted wholesale VA’s internal investigation as to whether a data breach even occurred.
How about that? Why does IG accept the agency’s conclusions without addressing the internal findings of the agency? Is this a convenient way for the agency to whitewash wrongdoing?
The IG report provides the following conclusion:
Failing to secure sensitive personal information could result in avoidable VA expenses. If VA’s Data Breach Response Service had determined that the unsecured data resulted in a reportable breach, VA would have been required to notify the subjects and offer them credit protection services. Although VA’s Data Breach Response Service determined that the event did not meet the criteria for a data breach and therefore did not require notifications, the data were put at unnecessary risk. This determination of the lack of a specific breach notwithstanding, VBA and the OIT must provide adequate training, establish appropriate controls, and develop oversight protocols to help prevent improper disclosures and future breach incidents.
So VA concluded the data breach did not happen, and IG accepted the finding. Had VA concluded a breach occurred, it would have been required to notify the Department of Health and Human Services as well as the veterans affected.
VA Data Breach Protocol
IG appears to have relied on a determination by VA’s Data Breach Response Service to conclude no data breach occurred that would require notifications to veterans impacted. According to the report:
Although VA’s Data Breach Response Service determined that the storing of sensitive personal information on the shared network drives did not meet the criteria for a data breach and did not require notifications, it is important that VA improves its controls and oversight to mitigate future risk.
In light of current risks with VA automatically sharing our health information with third-party Health Information Exchanges without consent, veterans need to pay close attention to how VA treats matters like this.
When addressing possible breaches, the agency supposedly follows its VA Handbook 6500.2, Management of Breaches Involving Sensitive Personal Information. The IG report highlights the following summary:
The term “breach” means the potential acquisition, access, use, or disclosure of VA sensitive personal information in a manner not permitted by law or VA policy which compromises the security or privacy of the information. A breach excludes the unintentional acquisition, access, or use of sensitive personal information by a VA workforce member that does not result in the further use or disclosure in a manner not permitted by law or VA policy, or when there is a low probability the information has been compromised.
What We Know
Based on what we know from the four corners of the report, it seems safe to infer more happened than IG is letting on.
The repeated references to the agency’s own data breach protocol, and its conclusion that no breach occurred, lead me to believe a data breach did occur, but that the agency did not speak directly with the whistleblower or others with direct knowledge who would have confirmed it.
Let’s not forget VA now wants to share all of our health information with third parties without consent. That decision to share our information without consent came out just two weeks prior to the instant IG report, with an effective date of September 30, 2019.
Call To Action
I am calling on all my readers who are cyber sleuths.
Please take a close look at HIPAA, Privacy Act, agency directives, and handbooks that may be implicated in this particular violation.
Why would VA give access to VSOs illegally and not check in to see what is going on?
Who is against whom, and what does each party want? In this context, VSOs were given access to veterans’ PII and PHI without consent from the veteran. The breach allowed that access remotely.
Who would benefit from remote access to VSOs of veterans PII and PHI who otherwise did not grant those same VSOs access to their records?
Was this a backchannel to allow VSOs to conduct off-the-books data gathering that would not be trackable through normal means?
VSOs are noted within the report as signing Rules of Behavior agreements with VA to get access to the agency’s CITRIX system, agreements that otherwise apply only to VA employees and government contractors.
Are VSOs actually government contractors? Why would they sign such a contract? Does the contract compromise representation independence, if any existed to begin with?
Does the IG report provide enough information for any disabled veteran to submit a complaint to DHHS for HIPAA violations even though VA concluded it is not required to notify the veteran or DHHS?
Read VA Handbook 6500.2 linked above. Are there any scenarios where VA errs in applying its matrix, such that the agency is required to disclose under HIPAA but the matrix says no disclosure is required?
Should VA apply Matrix 2 (pg 31) or Matrix 5 (pg 37) or Matrix 6 (pg 39)?