VA Knowingly Violated Privacy Rights Of Millions Since 2016
New estimates show VA officials knowingly released personally identifiable information (PII) including Social Security numbers of millions of people since 2016.
The whole privacy violation started with VA’s Veterans Benefits Administration (VBA) looking out for its own interests rather than following the letter and spirit of the Privacy Act. To process more Privacy Act requests more quickly, VA decided to stop redacting third-party private information since May 2016.
“VBA officials made the decision to stop redacting information that was purposely included in claims files, despite the inherent risks of disclosing third-party [personally identifiable information] in service records,” they said in a report published last week. “The OIG contends that the [policy] could place VBA at legal risk of penalties for Privacy Act violations based on other more recent case law.”
And for what?
The policy was aimed at increasing efficiency when processing privacy requests, but the numbers did not see a significant increase despite the illegal policy. You can read more on the justification of the policy in italics at the bottom.
Very… interesting… read.
This report came out after another 2016 foible where IG confirmed VA improperly allowed access to thousands if not millions of veterans records by over 25,000 VA personnel. There, the method of sharing was a shared network drive without adequate security in place, nationwide.
RELATED: Sharing Of Veteran Data On Shared Drive
Here, the records containing PII were shared without sufficient review to prevent the sharing of third party PII opening the door to identity theft and other forms of financial crimes.
Millions Of PII Likely Illegally Shared
The IG audit sampled 30 claims requests and found more than 1,000 unredacted names and Social Security numbers of third-parties that previously would have been redacted. Since 2016, over 379,000 requests were processed suggesting millions of individuals had their PII shared.
The news outlet NextGov places the total number of individuals impacted by the policy into the millions.
The agency’s Privacy Service director claimed she did not know about the policy but admitted it “was not appropriate and anyone who reads it would question it based on common sense, even if he or she was not a privacy expert.”
Lawrence Supported It Until He Didn’t
VBA Undersecretary for Benefits Paul Lawrence, PhD, disagreed with initial recommendation from IG to stop the practice in December 2018. However, by June the agency realized the practice must cease and promised to stop it by October.
The agency changed its policies on September 27, 2019, which included information
The change came at the same time Veterans Health Administration rolled out its own privacy policy changes except in the opposite direction.
VHA Headed In Wrong Direction
VHA decided it would automatically opt-in veterans into its Veterans Health Information Exchange, a program that is run by a third party, without consent.
There, over 23.5 million veterans, deceased and living, will be impacted unless they manually opt out using the agency’s prescribed form: VA Form 10-10164. While this form purports to be an opt-out form, it actually serves as an express opt-in form in the event of emergencies.
The VHA is presently under litigation with Military Veterans Advocacy over its newest privacy foibles.
Transparency?
As for VBA, the agency is supposedly working hard to increase transparency.
“VA is committed to providing veterans prompt access to their claim records increasing transparency and improving customer service,” Secretary Robert Wilkie said in a statement. “It’s imperative that we protect files containing sensitive and personal information.”
The rationale of the policy is important to highlight. I provide that here in italics for readers to understand how VBA sometimes digs for justification to support whatever outcome they want.
Basically, by pushing this supposed change in the name of transparency, VA was able to shave off a lot of time when reviewing every page of every records release, effectively costing less and improving numbers.
From The IG Report:
OIG Recommendation: We recommend you immediately suspend VBA’s current release policy and reevaluate VBA’s Privacy Act request program.
VBA Response: Non-concur. VBA’s policy for releasing benefit claim records in response to Veterans’ and survivors’ requests under the Privacy Act is based upon a thorough assessment of their need for timely and complete access to these records. VBA issued the policy in VBA Letter 20-16-01 after an extensive legal review by the VA Office of the General Counsel (OGC) and approval by the VA Deputy Secretary.
Question 1: What was the reason for VBA’s new PA release policy?
VBA Response: See the Background section of VBA Letter 20-16-01, which provides the complete rationale for the policy. Specifically, “principles of transparency and accountability demand that Veterans and their surviving spouse-claimants enjoy unfettered access to the information relied upon by VBA to decide their claims. Moreover, a policy of prompt and complete access is consistent with relevant legal authority.” In this section of the letter, VBA also noted that the policy supported VBA’s strategic plan and the modernization elements of the VA’s transformational plan, such as “affording Veterans and their surviving spouse-claimants online access to their claim records.” VBA concluded, “providing Veterans and their surviving spouse-claimants prompt access to their complete claim records is critical to increase transparency and improve customer service” consistent with these plans.
Question 2: Who was involved in the creation and implementation of the new policy?
VBA Response:
- Sloan Gibson, former VA Deputy Secretary
- Danny G.I. Pummill, former Acting Under Secretary for Benefits
- David McLenachen, Director, Appeals Management Office, VBA (former Deputy Under Secretary for Disability Assistance)
- Robert Waltemeyer, Chief Learning Officer (former Director, Office of Management, VBA)
Question 3: Was the VA Office of General Counsel consulted prior to the distribution of VBA Letter 20-16-01? If so, what guidance did they provide?
VBA Response: Yes. VBA did not take this change of policy lightly and collaborated extensively with OGC leadership, to include:
- Leigh Bradley, former General Counsel
- Tammy Kennedy, Chief Counsel, OGC (former Principal Deputy General Counsel)
- Richard Hipolit, Acting General Counsel
OGC advised that there are two lines of legal authority applicable to the issue of redacting Veterans’ claim records prior to releasing them under the Privacy Act, and that OGC could defend a policy choice based upon either of these approaches subject to an exception for law enforcement investigative reports that may be contained in a Veteran’s claims record. One approach, represented by the Court’s opinion in Voelker v. IRS, 646 F.2d 332, 333-35 (8th Cir. 1981), recognizes a claimant’s absolute right of access to a record maintained by the Government if an agency used the information in the record to decide a claim. As stated in VBA Letter 20-16-01, VBA’s policy is based upon the Court’s holding in Voelker. On August 27, 2015, OGC completed its review of VBA’s draft letter, and subject to certain tracked changes and comments, which VBA addressed in the final version of the letter, OGC had no legal objection to VBA’s policy. See the attached email from Leigh Bradley to David McLenachen and the accompanying word document with OGC’s tracked changes and comments.
In February 2016, VBA and OGC briefed the VA Deputy Secretary on VBA’s proposed policy. See the attached PowerPoint presentation. The Deputy Secretary approved the policy after the briefing.
OIG correctly notes that there are lower court cases that VBA could have used to support a different policy, specifically continuing the policy of conducting a page-by-page review of claim records for purposes of redacting third-party information. However, VBA did not choose that policy as it was inconsistent with VA’s Veteran-centric goals of improving transparency and customer service.
Final Thoughts
Now, I generally agree that a veteran should have unfettered access to their records, but the sharing of a Social Security number of someone else should not happen.
The next steps we need to be watchful over is how far VA will now push this policy to not only slow down Privacy Act requests but also to obfuscate parts of records necessary for a veteran to fight for their claim.
Will VA redact the names of VA examiners?
How about the names of possible witnesses in reports who could help a veteran document an injury?
Is litigation a fix? Maybe, but the vast majority of victims have not been informed that their information was illegally shared.
My husband been at mayor Pete’s office protesting that the government has unlimited funds for impeachment wasting millions that could housed the homeless. 100 veterans committed suicide in 5 days. Broken social security disability that’s causing people to loose there homes, live in the woods and commit suicide due to deliberate denials. The courts just came down on social security for illegally firing a disabled veteran. Moral of the story they don’t want you on disability and they don’t want you working for them. The government more worried about Ukraine than the citizens in there failing districts!
Sorry off topic but has anyone gotten their claim approved for exposure to hazardous chemicals while stationed at Fort McClellan AL. Mine was denied saying I couldn’t prove exposure. Drinking the water. Rolling around and sleeping in the mud doesn’t count.
Fort McClellan Health Registry Act has been stalled or blocked for years. Any help will be greatly appreciated.
Check this out;
*”https://www.military.com/daily-news/2019/11/20/civil-service-preference-hiring-military-vets-comes-hidden-cost.html”*
I used to work for the Department of Veteran Affairs. A co-worker printed out and passed around my medical records (I am a Veteran) before I was on board as an official employee. NO ONE TOLD ME that my information had been shared until years later when I had to file an EEOC complaint on my supervisor based on discrimination that occurred because he too had accessed my medical records. I do not trust the VA with my data and it has prevented me from accessing the care I know I need. How can I opt-out of the new policy without signing something that works against my wishes in the long run?
Big news Social security illegally fired a disabled veteran. They are deliberately denying people so they loose their homes. They are turning the disabled into drug dealers and prostitutes no one can wait 2-3 years. Lawyers have clients living in the woods and committing suicide. Moral of the story they don’t want you on disability and they don’t want you working for them!
Here’s an article you might want to pass along,
*”https://www.military.com/daily-news/2019/11/20/civil-service-preference-hiring-military-vets-comes-hidden-cost.html”*
I concur that this is egregious and fouled up. I think it is systemic in nature. For example with the new appeals process VA can and will legally close you case without a decision open a new case with the same issue and essentially start the clock over. The VA is allowed to write its own policy and change it to fit their needs. transparency my left nut. I had to find out they closed my appeal and started a new one through my VSO. Only after I received a letter from the VSO to the fact of what I can do if I’m not happy about my decision. WTF. The documents I sent support8ng my claim weren’t even reviewed before closing my claim. I could go on and on. The point I was trying to make is VA is allowed to write its own rule book then asked to police themselves.
And this is better for veterans how?
Aye, Monkey,
Closing your claim or Appeal is not new to the VA. They have done this to me since 1970. I caught them doing it. Did that make a difference? They now say they saw my Psych admission files from 1978 but can’t find my earlier file pscyh/malnutrition & Dental file from 1970 at the VAMC Palo Alto. And even if they did they are not admitting to it.Instead the VA says there is great credibility in my claim that was file 2 days after discharge from duty at LZ Cindy had great credibility but cannot find the files at Palo Alto. After decades of Pribate treatment, the third party medical records submitted to the VA have vanished from my appeals. Ms Loellea Mcdaniels of the Albuquerque VA said ” We don;t have to accept anything 3rd party we don;t want, and we don’t” You can go to a VARO and submit certified copies of stuff at the window and they will give you copies back that are stamped- it doesn’t mean they look at it, you never get a response back and when you do get notified , your appeal has been denied , closed or remanded to the future state of ” you ain’t gettin’ nowhere with this here appeal because that money goes to us, MFr”. ” Maybe you didn’t get our letter of …. Did you get that letter?….” Now get the fuck outta here”
I don’t mean to be crude , but that’s how its been since 1970 and now it’s going to be even harder to get anything through the rows of junior lawyers trying to get a cushy government job by scalping your claim. The VA Mafia will hire thousands of lawyers before they treat us fairly.
Veterans please don’t criticize Arnold Cabral he introduce the Mission Act to the President Donald Trump .
Here’s number 3! Y’all are going to love it that the AFGE finally gets screwed!
*”https://www.military.com/daily-news/2019/11/15/va-cuts-support-employee-unions-following-executive-order.html”*
Here’s number 2:
*”https://www.military.com/daily-news/2019/11/12/expert-says-marine-veteran-sought-help-va-days-killing-2-cops.html”*
Here’s number 1;
*”https://www.military.com/daily-news/2019/11/17/hospitals-seeing-rise-veterans-seeking-care.html”*
Then the VA wonders why veterans despise them so much!
I’m going to be putting two (2) articles on which shows more egregious activities by VA. The third article your going to love! It’s about the AFGE!
Third party recipients are medical facilities and attorneys who require the SSN to be submitted for service. All of the medical facilities that I get service from, both VA and private, use the SSN for file maintenance in the digital age. That began because the SSN took up less bites than the name and has continued for the same reason.
Your SSN is out there on so many applications as well as your birthday. Most scammers seeking your ID information for identity theft ask for those two items first even though they have all ready gotten them. Then your address which may not be current as well as other ID information.
The present call to seniors states your credit card is suspected of miss use. They then ask if you made a purchase which they already know you didn’t. After that they ask to verify your credit card number and all of your ID information. Seniors are falling for this trick and giving all of the information necessary to make online purchases or cash transfers.
Ben, this is a pile of shit. Even the present military has gotten away from using SSNs on military IDs. Plus, the Social Security administration uses identifier numbers for each patient. Ben, I have the records that count. I have my Navy medical records on paper plus my service record. I even have CDs of my VA health medical records. VA can’t do much changing in my situation. I have records up to 2015. Of course, I left the VA in 2015. VA is pathetic.
Social security administration transformed their system away from SSNs on the Medicare Cards.
Ben, you are correct. In reality, the SSNs should not have been included. Medical facilities as in the ones who use Medicare do not use SSNs anymore because of how the Social Security administration reformed their system. Now, Tricare still uses SSNs because the SSNs are on old military IDs.
But also how much of the truth is even on the VA CDs because I have never fully reviewed the ones from the current VA. I have looked only at bits and pieces of when there was a problem. I know the Navy records are not detailed the way they should have been. I have what I have. Remember, tyranny and abuse of power rules.
Ben, I would say a lot of what is going on in the VA and many issues in this country are issues of which I am not even about as a person. It is almost like the VA exists in a separate world of the unknown in my opinion. I was speaking with some friends of mine today who know me real well and just cannot believe the state of the country. The VA is not about decency at all. Well, Ben, we are about decent out here. As for the VA and the records, there are millions of veterans who are not even in the VA. They are living their own lives. Best. I really do not care what the VA does because it seems like all the federal government wants to do is cause havoc.
Disabled Veterans who is 100 percent service connected need a raise in paid because have Medical Doctors will accept the payment of Disabled Veterans who is 100 percent connected .
What in English Please???
MK if you don’t know I type
MK sorry you didn’t understand what I type?
MK sorry you don’t what I type.
Arnold, I understand you. Thanks for info and I agree with you.
The VA has always acted haphazardly in regards to medical data privacy. Actually this is nothing new. In the past, paper printouts had been given to veterans and I would witness the print outs laying on the sidewalks, parking lots, and in trashcans. Of course this would fall on the responsibility of the veterans. However, VA would print out too many. And yes, the printouts included name, SSNs, name of clinics, appointment information, and diagnoses. Yes, Ben-
Plus, Ben, as for the SSNs, if you look at the VA system pages when it comes to veterans medical records, the SSNs are on every page of the record. Or they used to be. This was the architecture of the VA medical record system with how the software had been designed that included certain specifications and key entities that the VA worked off of. You want to hear something that is even more wierd? How would a nonprofit private sector hospital be able to pull and have medical information dating back years when another VA could not? Ben, this happened in 2012 and winter of 2016. And, had never been to this nonprofit private sector hospital before. Ben, this information included everything like old vaccines etc. Though, when private sector physicians access medical information to treat, they do not access everything. Ben, it depends on the medical facility. One facility could retrieve everything and I had no idea how they were able to do this. The information was basically timelines of when procedures had been completed for them to review to work from. No written case or progress notes were included in the information. The information that the nonprofit private sector hospital was accessing was only summaries. Here the other facility could not immediately access anything and this even happened more recently than the other happenings that I have commented on here. Above all, the question still remains as to how the private non-profit hospital could access medical record data information before another VA could? This occurred in winter 2016 when another VA could not access information from previous VA of which both VAs are in 2 different VISNs. All of this incites vulnerabilities and sets up veterans to become even more direct targets instead of indirect targets. I see the whole healthcare industry as pathetic. My comment is alluding to much more beyond this VA privacy situation. Best.