
Mishandling of Veterans’ Sensitive Personal Information on VA Shared Network Drives

Report Information

Issue Date:
Report Number: 19-06125-218
VA Office: Veterans Benefits Administration (VBA)
Report Author: Office of Audits and Evaluations
Report Type: Review
Recommendations: 3
Questioned Costs: $0
Better Use of Funds: $0
Congressionally Mandated: No

Summary

The VA Office of Inspector General (OIG) conducted this review in response to a hotline allegation related to the Milwaukee, Wisconsin, VA regional office. The complaint alleged that veterans’ sensitive personal information was stored on shared network drives on the VA enterprise network and was likely accessible to unauthorized users.

Sensitive personal information is protected by law and VA policy. US laws require appropriate safeguards to protect personal information and limit the uses and disclosures of that information without authorization. VA policy requires information system users who access sensitive personal information as part of their official duties to avoid its unauthorized disclosure. Policy also prohibits other users from accessing personal information without a business need.

The OIG team found that veterans’ sensitive personal information was left unprotected on two shared network drives, putting veterans at risk of fraud or identity theft. Office of Information and Technology senior representatives told the team that authenticated network users with access to the shared drives could have accessed that information regardless of their business need. This occurred through a combination of negligence and lack of oversight. Although VA’s Data Breach Response Service determined that storing sensitive personal information on the shared network drives did not meet the criteria for a data breach and did not require notifications, it is important that VA improve its controls and oversight to mitigate future risk.

The OIG recommended that VA officials provide remedial training to users on the safe handling and storage of veterans’ sensitive personal information on network drives. The OIG also recommended that officials establish technical controls and oversight procedures (including facility-specific measures) to ensure users cannot store veterans’ sensitive personal information on shared network drives.

No. 1
Status: Closed and Implemented
To: Information and Technology (OIT), Veterans Benefits Administration (VBA)
The assistant secretary for information and technology and the under secretary for benefits provide remedial training to users on the safe handling and storage of sensitive personal information on network drives.

No. 2
Status: Closed and Implemented
To: Information and Technology (OIT)
The assistant secretary for information and technology establishes technical controls to ensure users cannot store sensitive personal information on shared network drives.

No. 3
Status: Closed and Implemented
To: Information and Technology (OIT)
The assistant secretary for information and technology implements improved oversight procedures, including specific facility-level procedures, to ensure that sensitive personal information is not being stored on shared network drives.