Report Summary

Title: Review of Alleged Unsecured Patient Database at the VA Long Beach Healthcare System
Report Number: 15-04745-48
Issue Date: 3/28/2018
City/State: Long Beach, CA
VA Office: Veterans Health Administration (VHA); Office of Information and Technology (OIT)
Report Author: Office of Audits and Evaluations
Report Type: Audit
Release Type: Unrestricted

In July 2015, the VA Office of Inspector General (OIG) received allegations stating that an unauthorized Microsoft Access database was operating at the VA Long Beach Healthcare System (LBHCS). The allegations stated that the unauthorized database hosted Sensitive Personal Information (SPI) and all of the Veterans Health Administration’s 24 Spinal Cord Injury (SCI) Centers had access to the database through a SharePoint intranet portal. The anonymous complainants also stated that unsecured veteran SPI was stored on a server outside of VA’s protected network environment.

The OIG substantiated the allegation that an unauthorized Microsoft Access database was created by LBHCS SCI employees to capture patient demographics and to provide a repository for all SCI Centers to track patient data. Consistent with the allegation, the OIG team found multiple instances of databases that hosted SPI in violation of VA policy. It also substantiated that veteran SPI was hosted on an external server at the University of Southern California without a formal Data Use Agreement authorizing the activity. In addition, the OIG team noted this server could be accessed from the internet using default logon credentials.

The OIG recommended the Under Secretary for Health ensure that the Spinal Cord Injury and Disorders program staff comply with VA’s Privacy Program and information security requirements for all veteran sensitive data collected. In addition, the OIG recommended the Executive Director for the National Spinal Cord Injury Program Office discontinue storing SPI in unauthorized Microsoft Access databases. The OIG also recommended the Acting Assistant Secretary for Information Technology ensure that Field Security Services and VA’s Privacy Service implement improved procedures to identify unauthorized uses of SPI and take appropriate corrective actions.

The Executive in Charge, Office of the Under Secretary for Health, and the Executive in Charge for the Office of Information and Technology concurred with the recommendations.