
Review of Alleged Contractor Information Security Violations in the Alaska VA Healthcare System

Report Information

Issue Date:
Report Number: 15-01994-238
VISN:
State: Alaska
District:
VA Office: Acquisitions, Logistics, and Construction (OALC)
Report Author: Office of Audits and Evaluations
Report Type: Audit
Recommendations: 3
Questioned Costs: $0
Better Use of Funds: $0
Congressionally Mandated: No

Summary

In December 2014, the VA Office of Inspector General (OIG) Hotline received an allegation that ProCare Home Medical, Inc. (ProCare) was improperly storing and sharing VA sensitive data on contractor personal devices in violation of Federal information security standards. More specifically, the complainant alleged that ProCare was allowing its employees to use personal computers and phones to access the company computer system and download VA sensitive data, including veterans’ personal health information.

We substantiated the allegation that ProCare employees, according to its staff, accessed electronic sensitive veteran data with their personal computers from home through an unauthorized cloud-based system without encryption controls. We also noted that ProCare employees or malicious users could potentially use personal devices on an unauthorized wireless network to access sensitive veteran information. In addition, we determined that ProCare was storing sensitive hard copy and electronic veteran information in an unsecured manner at its facility. We further noted that ProCare could not provide evidence that applicable ProCare personnel had completed VA-required security awareness training or signed the Contractor Rules of Behavior prior to receiving access to VA sensitive data.

These security deficiencies occurred because VA did not provide effective oversight of ProCare personnel to ensure the appropriate protection of veteran information at the contractor facility. As a result, veteran sensitive information was vulnerable to loss, theft, and misuse, including identity theft or fraud. We found no evidence that veteran sensitive information was compromised.

We recommended the VA Northwest Health Network management assign a local Contracting Officer’s Representative and Information Security Officer to provide oversight of Alaska VA Healthcare System contractors. We also recommended the VA Northwest Health Network management, in conjunction with the Assistant Secretary for Information and Technology, conduct a site assessment of ProCare information security controls to ensure compliance with VA information security requirements. The Assistant Secretary for Information and Technology and the VA Northwest Health Network Acting Director concurred with our findings and recommendations and provided an appropriate corrective action plan. We will follow up on the implementation of the corrective actions.

No. 1
Status: Closed and Implemented
to Veterans Health Administration (VHA)
We recommended the VA Northwest Health Network management assign a local Contracting Officer’s Representative and Information Security Officer to provide oversight of Alaska VA Healthcare System contractors.
No. 2
Status: Closed and Implemented
to Veterans Health Administration (VHA)
We recommended the VA Northwest Health Network management, in conjunction with the Assistant Secretary for Information and Technology, ensure that ProCare personnel complete VA's information security awareness training and sign the Contractor Rules of Behavior.
No. 3
Status: Closed and Implemented
to Veterans Health Administration (VHA)
We recommended the Assistant Secretary for Information and Technology conduct a site assessment of information security controls at the ProCare facility, to include a risk assessment to determine the extent that any sensitive veteran data may have been compromised and, if so, with appropriate corrective action, to ensure compliance with VA and Federal information security requirements.