New estimates show VA officials knowingly released personally identifiable information (PII) including Social Security numbers of millions of people since 2016.
The whole privacy violation started with VA’s Veterans Benefits Administration (VBA) looking out for its own interests rather than following the letter and spirit of the Privacy Act. To process more Privacy Act requests more quickly, VA decided to stop redacting third-party private information since May 2016.
“VBA officials made the decision to stop redacting information that was purposely included in claims files, despite the inherent risks of disclosing third-party [personally identifiable information] in service records,” they said in a report published last week. “The OIG contends that the [policy] could place VBA at legal risk of penalties for Privacy Act violations based on other more recent case law.”
And for what?
The policy was aimed at increasing efficiency when processing privacy requests, but the numbers did not see a significant increase despite the illegal policy. You can read more on the justification of the policy in italics at the bottom.
Very… interesting… read.
This report came out after another 2016 foible where IG confirmed VA improperly allowed access to thousands if not millions of veterans records by over 25,000 VA personnel. There, the method of sharing was a shared network drive without adequate security in place, nationwide.
Here, the records containing PII were shared without sufficient review to prevent the sharing of third party PII opening the door to identity theft and other forms of financial crimes.
Millions Of PII Likely Illegally Shared
The IG audit sampled 30 claims requests and found more than 1,000 unredacted names and Social Security numbers of third-parties that previously would have been redacted. Since 2016, over 379,000 requests were processed suggesting millions of individuals had their PII shared.
The news outlet NextGov places the total number of individuals impacted by the policy into the millions.
The agency’s Privacy Service director claimed she did not know about the policy but admitted it “was not appropriate and anyone who reads it would question it based on common sense, even if he or she was not a privacy expert.”
Lawrence Supported It Until He Didn’t
VBA Undersecretary for Benefits Paul Lawrence, PhD, disagreed with initial recommendation from IG to stop the practice in December 2018. However, by June the agency realized the practice must cease and promised to stop it by October.
The agency changed its policies on September 27, 2019, which included information
VHA Headed In Wrong Direction
VHA decided it would automatically opt-in veterans into its Veterans Health Information Exchange, a program that is run by a third party, without consent.
There, over 23.5 million veterans, deceased and living, will be impacted unless they manually opt out using the agency’s prescribed form: VA Form 10-10164. While this form purports to be an opt-out form, it actually serves as an express opt-in form in the event of emergencies.
The VHA is presently under litigation with Military Veterans Advocacy over its newest privacy foibles.
As for VBA, the agency is supposedly working hard to increase transparency.
“VA is committed to providing veterans prompt access to their claim records increasing transparency and improving customer service,” Secretary Robert Wilkie said in a statement. “It’s imperative that we protect files containing sensitive and personal information.”
The rationale of the policy is important to highlight. I provide that here in italics for readers to understand how VBA sometimes digs for justification to support whatever outcome they want.
Basically, by pushing this supposed change in the name of transparency, VA was able to shave off a lot of time when reviewing every page of every records release, effectively costing less and improving numbers.
From The IG Report:
OIG Recommendation: We recommend you immediately suspend VBA’s current release policy and reevaluate VBA’s Privacy Act request program.
VBA Response: Non-concur. VBA’s policy for releasing benefit claim records in response to Veterans’ and survivors’ requests under the Privacy Act is based upon a thorough assessment of their need for timely and complete access to these records. VBA issued the policy in VBA Letter 20-16-01 after an extensive legal review by the VA Office of the General Counsel (OGC) and approval by the VA Deputy Secretary.
Question 1: What was the reason for VBA’s new PA release policy?
VBA Response: See the Background section of VBA Letter 20-16-01, which provides the complete rationale for the policy. Specifically, “principles of transparency and accountability demand that Veterans and their surviving spouse-claimants enjoy unfettered access to the information relied upon by VBA to decide their claims. Moreover, a policy of prompt and complete access is consistent with relevant legal authority.” In this section of the letter, VBA also noted that the policy supported VBA’s strategic plan and the modernization elements of the VA’s transformational plan, such as “affording Veterans and their surviving spouse-claimants online access to their claim records.” VBA concluded, “providing Veterans and their surviving spouse-claimants prompt access to their complete claim records is critical to increase transparency and improve customer service” consistent with these plans.
Question 2: Who was involved in the creation and implementation of the new policy?
- Sloan Gibson, former VA Deputy Secretary
- Danny G.I. Pummill, former Acting Under Secretary for Benefits
- David McLenachen, Director, Appeals Management Office, VBA (former Deputy Under Secretary for Disability Assistance)
- Robert Waltemeyer, Chief Learning Officer (former Director, Office of Management, VBA)
Question 3: Was the VA Office of General Counsel consulted prior to the distribution of VBA Letter 20-16-01? If so, what guidance did they provide?
VBA Response: Yes. VBA did not take this change of policy lightly and collaborated extensively with OGC leadership, to include:
- Leigh Bradley, former General Counsel
- Tammy Kennedy, Chief Counsel, OGC (former Principal Deputy General Counsel)
- Richard Hipolit, Acting General Counsel
OGC advised that there are two lines of legal authority applicable to the issue of redacting Veterans’ claim records prior to releasing them under the Privacy Act, and that OGC could defend a policy choice based upon either of these approaches subject to an exception for law enforcement investigative reports that may be contained in a Veteran’s claims record. One approach, represented by the Court’s opinion in Voelker v. IRS, 646 F.2d 332, 333-35 (8th Cir. 1981), recognizes a claimant’s absolute right of access to a record maintained by the Government if an agency used the information in the record to decide a claim. As stated in VBA Letter 20-16-01, VBA’s policy is based upon the Court’s holding in Voelker. On August 27, 2015, OGC completed its review of VBA’s draft letter, and subject to certain tracked changes and comments, which VBA addressed in the final version of the letter, OGC had no legal objection to VBA’s policy. See the attached email from Leigh Bradley to David McLenachen and the accompanying word document with OGC’s tracked changes and comments.
In February 2016, VBA and OGC briefed the VA Deputy Secretary on VBA’s proposed policy. See the attached PowerPoint presentation. The Deputy Secretary approved the policy after the briefing.
OIG correctly notes that there are lower court cases that VBA could have used to support a different policy, specifically continuing the policy of conducting a page-by-page review of claim records for purposes of redacting third-party information. However, VBA did not choose that policy as it was inconsistent with VA’s Veteran-centric goals of improving transparency and customer service.
Now, I generally agree that a veteran should have unfettered access to their records, but the sharing of a Social Security number of someone else should not happen.
The next steps we need to be watchful over is how far VA will now push this policy to not only slow down Privacy Act requests but also to obfuscate parts of records necessary for a veteran to fight for their claim.
Will VA redact the names of VA examiners?
How about the names of possible witnesses in reports who could help a veteran document an injury?
Is litigation a fix? Maybe, but the vast majority of victims have not been informed that their information was illegally shared.