VA continues to struggle with privacy

By Erin McCann
11:30 AM

The U.S. Department of Veterans Affairs was recently at the center of an in-depth media investigation that revealed egregious stories of privacy and security breaches, adding to an already stark account of the agency’s stewardship in keeping veterans’ health records safe.

From 2010 through May 2013, VA department employees or contractors were responsible for 14,215 privacy breaches affecting more than 101,000 veterans across 167 VA facilities, including incidents of identity theft, theft of veterans' prescriptions, Facebook posts concerning veterans' body parts, and failure to encrypt data, an Oct. 12 Pittsburgh Tribune-Review investigation revealed.

Recent VA privacy and security violations prompted a June 2013 hearing on Capitol Hill regarding the topic of protecting veterans' private information. "VA places the highest priority in safeguarding Veterans’ and employees’ personal information," Stephen W. Warren, acting assistant secretary at the Office of Information and Technology at VA, told lawmakers at the hearing. 

However, some say the agency doesn't appear to have the privacy track record to support those comments. 

Back in 2006, VA reported that an unencrypted laptop, containing the personal data and Social Security numbers of some 26.5 million veterans and active duty members, was stolen -- an incident which Warren called a "wakeup call" for the agency. Following an investigation, the laptop was eventually recovered almost two months later, but the event resulted in a $20 million class action lawsuit against the VA. 

In January 2012, VA announced that the agency had posted personal information and Social Security numbers of some 2,200 veterans to, following the mistaken release of data through the Freedom of Information Act. 

Also in 2012, VA reported that a Miami, Fla. agency employee was arrested for selling the identities of 22 veterans from the medical center. The man, sentenced to 26 months in prison, also admitted to selling 3,000 veterans' identities over the past five years, according to the VA Office of Inspector General.

In the past few years, the agency has reported some 17 HIPAA privacy and security violations to the Department of Health and Human Services. 

At the June 4 hearing, Linda Halliday, assistant inspector general for audits and evaluations, Office of Inspector General at VA, told lawmakers that VA continues to be a target of "malicious intent" and has experienced severe security incidents. Database vulnerabilities, Halliday explained, have resulted in exposing the protected health information of millions of veterans and active service members.