Review of Alleged Data Sharing Violations at VA's Palo Alto Health Care System

Report Information

Issue Date:
Report Number: 14-04945-413
VISN:
State: California
District:
VA Office: Veterans Health Administration (VHA); Information and Technology (OIT)
Report Author: Office of Audits and Evaluations
Report Type: Audit
Recommendations: 4
Questioned Costs: $0
Better Use of Funds: $0
Congressionally Mandated: No

Summary

In October 2014, the House Committee on Veterans’ Affairs provided the VA Office of Inspector General (OIG) a complainant’s allegation that the VA Palo Alto Health Care System (PAHCS) Chief of Informatics entered into an illegal agreement with Kyron, a health technology company, to allow data sharing of sensitive VA patient information. This allegation involved veterans’ personally identifiable information (PII), protected health information (PHI), and other sensitive information being vulnerable to increased risks of compromised confidentiality. Allegedly, sensitive VA patient information was transmitted outside of VA’s firewall. The complainant also alleged Kyron personnel received access to VA patient information through VA systems and networks without appropriate background investigations. We did not substantiate the allegations that the Chief of Informatics formed an illegal agreement with Kyron or that sensitive patient information was transmitted outside of VA’s firewall. However, we substantiated the allegation that Kyron personnel received access to VA patient information without appropriate background investigations. We determined the Chief of Informatics, who was also the local program manager for the pilot program, failed to ensure Kyron personnel met the appropriate background investigation requirements before granting access to VA patient information. The Chief of Informatics also failed to ensure Kyron personnel completed VA’s security and privacy awareness training. Further, the Information Security Officers (ISOs) failed to execute their required responsibilities by not providing PAHCS management and staff guidance on information security matters. More specifically, the ISOs did not coordinate, advise, and participate in the development and maintenance of system security documentation and system risk analysis prior to Kyron placing its software on a VA server. 
As a result, Kyron did not have formal authorization to operate its software on a VA server. We concluded the lack of coordination between the Chief of Informatics and the ISOs in executing the Kyron agreement potentially jeopardized the confidentiality of veterans’ PII, PHI, and other sensitive information. The Chief of Informatics admitted to proceeding with the pilot before obtaining documented support from the local ISOs. After the OIG informed PAHCS officials of the initial results in November 2014, they discontinued Kyron personnel’s access to VA de-identified patient information until Kyron’s personnel completed VA background investigations and the appropriate security and privacy training.

No. 1
Status: Closed and Implemented
Addressed to: Information and Technology (OIT)
We recommended the VA Assistant Secretary for Information and Technology take action to ensure the Palo Alto Health Care System Information Security Officers conduct a risk assessment of Kyron software to identify potential risks, vulnerabilities, and threats to VA systems and sensitive information.

No. 2
Status: Closed and Implemented
Addressed to: Information and Technology (OIT)
We recommended the VA Assistant Secretary for Information and Technology implement appropriate controls to ensure that unauthorized software is not procured or installed on VA networks without a formal risk assessment and approval to operate.

No. 3
Status: Closed and Implemented
Addressed to: Information and Technology (OIT)
We recommended the Palo Alto Health Care System Management, in conjunction with VA’s Assistant Secretary for Information and Technology, ensure Kyron personnel receive commensurate background investigations and obtain formal authorization to operate Kyron software on VA networks.

No. 4
Status: Closed and Implemented
Addressed to: Information and Technology (OIT)
We recommended the Palo Alto Health Care System Management, in conjunction with VA’s Assistant Secretary for Information and Technology, require Kyron personnel to complete security awareness training and sign the Contractor Rules of Behavior to ensure full awareness of VA information security requirements when accessing VA systems and networks.