Review of Alleged Breach of Privacy and Confidentiality of Personally Identifiable Information at the Milwaukee VARO

Report Information

Issue Date:
Report Number: 16-00623-306
VISN:
State: Wisconsin
District:
VA Office: Information and Technology (OIT)
Report Author: Office of Audits and Evaluations
Report Type: Audit
Recommendations: 4
Questioned Costs: $0
Better Use of Funds: $0
Congressionally Mandated: No

Summary

In October 2015, the Office of Inspector General received a request from U.S. Senators Richard Blumenthal and Tammy Baldwin to review an incident concerning the improper dissemination of veterans’ personally identifiable information (PII) by a Wisconsin Department of Veterans Affairs (WDVA) employee to an unauthorized recipient over VA’s email server. We substantiated the allegation that on April 1, 2015, a WDVA employee improperly disseminated a monthly claims report over VA’s email server. The report, which contained updates of Wisconsin veterans’ disability claims, went to unaccredited County and Tribal Veterans Service Organization employees not authorized to handle sensitive information, as well as to a Wisconsin veteran. The Milwaukee VA Regional Office’s (VARO) sharing of claims information with WDVA was consistent with Federal policy.
This incident occurred because VA did not have adequate processes and information security controls in place to safeguard against unauthorized disclosure of PII. The VA Office of Information and Technology (OI&T) did not adequately configure VA’s information security filtering software to block the dissemination of unencrypted sensitive data before releasing information to WDVA. In addition, the VARO did not have a formal agreement with WDVA for sharing PII. As a result, VA put Wisconsin veterans’ PII at unnecessary risk of interception and misuse. Further, VA’s 2015 Federal Information Security Modernization Act audit reported security deficiencies similar in type to those identified in this report as material weaknesses over the last few years.
We recommended the Assistant Secretary for Information and Technology improve VA’s email security filtering software controls, establish formal agreements with third-party organizations, evaluate whether permanent encryption controls are needed for non-VA employees with VA accounts, and conduct reviews of processes and controls at VAROs collaborating with third-party organizations, to ensure security of sensitive veterans’ information. The Assistant Secretary for Information and Technology nonconcurred with our recommendations and stated that VA’s position was unchanged since its response in February 2016 to the Senate Committee on Homeland Security and Governmental Affairs. The Assistant Secretary believed that all policies, procedures, and required training were already in place. However, we continue to maintain our position that VA did not have adequate processes and information security controls in place to safeguard against unauthorized disclosure of PII.

No. 1 (Closed-Implemented)
to Information and Technology (OIT)
We recommended the VA Assistant Secretary for Information and Technology improve VA’s email security filtering software configuration controls to effectively flag improper transmissions of veterans’ personally identifiable information over the VA network.
No. 2 (Closed-Not Implemented)
to Information and Technology (OIT)
We recommended the VA Assistant Secretary for Information and Technology establish Memoranda of Understanding with third-party organizations that define network responsibilities, processes and procedures for handling sensitive veterans’ information, and require that information security controls be implemented commensurate with VA’s information security standards.
No. 3 (Closed-Not Implemented)
to Information and Technology (OIT)
We recommended the VA Assistant Secretary for Information and Technology evaluate whether permanent encryption controls are needed for non-VA employees who maintain VA accounts for conducting business on behalf of veterans.
No. 4 (Closed-Not Implemented)
to Information and Technology (OIT)
We recommended the VA Assistant Secretary for Information and Technology conduct reviews of processes, procedures, and controls in place at VA regional offices that collaborate with third-party organizations to ensure security of sensitive veterans’ information.