Department of Veterans Affairs, Office of Inspector General
Michael J. Missal, Inspector General

Report Summary

Title: Review of Alleged Transmission of Sensitive VA Data Over Internet Connections
Report Number: 12-02802-111
Issue Date: 3/6/2013
VA Office: Office of Information and Technology (OIT)
Report Author: Office of Audits and Evaluations
Report Type: Audits, Reviews & Evaluations
Release Type: Unrestricted

The OIG evaluated the merits of an allegation that VA was transmitting sensitive data, including PII and internal network routing information, over unencrypted telecommunications carrier networks. We substantiated the allegation. OIT personnel disclosed that VA typically transferred unencrypted sensitive data, such as electronic health records and internal Internet protocol addresses, among certain VA medical centers and outpatient clinics using an unencrypted telecommunications carrier network. OIT management acknowledged this practice and, via a waiver, accepted the security risk of potentially losing or misusing the sensitive information exchanged. However, the use of a system security waiver was not appropriate. Without controls to encrypt the sensitive VA data transmitted, veterans’ information may be vulnerable to interception and misuse by malicious users as it traverses unencrypted telecommunications carrier networks. Further, malicious users could obtain VA router information to identify and disrupt mission-critical systems.