Records Management Center Disclosed Third-Party Personally Identifiable Information to Privacy Act Requesters

Report Information

Issue Date
Report Number
19-05960-244
VA Office
Veterans Benefits Administration (VBA)
Report Author
Office of Audits and Evaluations
Report Type
Review
Recommendations
5
Questioned Costs
$0
Better Use of Funds
$0
Congressionally Mandated
No

Summary

The VA Office of Inspector General (OIG) conducted this review to determine whether the Veterans Benefits Administration’s (VBA) Records Management Center disclosed third-party information (including social security numbers of other service members and medical professionals) when responding to Privacy Act requests. The act requires VBA to let beneficiaries review their claims files and have copies made. Many VBA records include third-party information, which had been redacted until a May 2016 policy change. VBA changed the policy that month because the redaction requirement was a major contributor to its massive requests backlog. Redaction also interfered with VBA’s plans to give veterans online access to their records.

The May 2016 policy change did not require third parties to be notified when their information was released, meaning individuals at risk of identity theft might not be aware of that risk. VBA also did not communicate the policy change to veterans and service members. The OIG also found VBA put individuals at risk by not following procedures to encrypt sensitive information on discs mailed to veterans. The review of a random sample of 30 Privacy Act responses found 1,027 unrelated third-party names and social security numbers. The OIG determined those disclosures raised legal concerns and estimated that responses under the May 2016 policy put millions of people at risk of identity theft. VA’s Office of General Counsel, however, had provided VBA with legal support for the policy change, despite the risk.

The OIG asked the under secretary for benefits in a December 11, 2018, memo to immediately suspend VBA’s release policy and reevaluate the Privacy Act request program. After initially rejecting the request, the under secretary responded on June 19, 2019, saying VBA concluded that a policy update was necessary, and redactions would resume by October 1, 2019.

No. 1
Closed and Implemented
to Veterans Benefits Administration (VBA)
The Under Secretary for Benefits implements the Veterans Benefits Administration’s commitment to update its Privacy Act release policy and begin redacting third-party personally identifiable information.
No. 2
Closed and Implemented
to Veterans Benefits Administration (VBA)
The Under Secretary for Benefits ensures VA’s website is updated to reflect current Veterans Benefits Administration policy regarding release of third-party personally identifiable information.
No. 3
Closed and Implemented
to Veterans Benefits Administration (VBA)
The Under Secretary for Benefits implements a plan to ensure the Records Management Center complies with requirements for mailing Privacy Act responses in accordance with VA Directive 6609.
No. 4
Closed and Implemented
to Veterans Benefits Administration (VBA)
The Under Secretary for Benefits establishes a plan to ensure that Records Management Center management receives a report for any site visit of the Records Management Center completed by the Veterans Benefits Administration and takes corrective action as needed.
No. 5
Closed and Implemented
to Veterans Benefits Administration (VBA)
The Records Management Center director implements a plan to improve quality reviews and ensures staff are held accountable for the accuracy of their Privacy Act releases.