October 24, 2019

Sensitive Data Exposed to Thousands of Unauthorized Employees by VA

The VA OIG recently published a report detailing its findings that the VA left veterans’ sensitive personal information unprotected on two shared network drives. The sensitive personal information included medical records, correspondence about medical examinations, and disability claims decision information. The OIG found that VA network users had access to this information even if they had no legitimate business need to review it. Although the VA’s Data Breach Response Service determined that the presence of the data on the shared network drives did not constitute a breach, the OIG found that, without improvements to the VA’s data privacy and security policies and processes, the VA is at risk of future breaches or misuse of personal data. The VA has since removed the data from the shared drives and put technical restrictions in place to prevent such errors in the future.