A VA OIG report found a Wisconsin veterans service organization stored personal and health information on two shared network drives, putting individuals at risk of fraud or identity theft.
The sensitive personal information of veterans was left exposed on two shared network drives of the Department of Veterans Affairs, which put those patients at risk of fraud or identity theft, according to a VA Office of Inspector General audit report released October 17.
VA OIG launched an investigation into the Veterans Benefits Administration after receiving a hotline allegation by a Wisconsin veterans service organization (VSO) officer in September 2018. The officer alleged the VA Regional Office (VARO) was storing personal information on the VA enterprise network, which was likely accessible by other users.
What’s more, the complaint alleged both personally identifiable information and protected health information was left unprotected on shared network drives, meaning any unauthorized user could have potentially accessed that data “even without a business need.”
OIG sought to evaluate whether the sensitive data of veterans was effectively protected on the VA network, as required by HIPAA and VA’s Privacy Program that requires appropriate administrative, physical, and technical safeguards to protect personal data.
In December, OIG interviewed the complainant, reviewed shared drives for personal information and met with IT officers at the Milwaukee, Wisconsin VARO to discuss observations, as well as review privacy and security requirements and controls.
The watchdog found the complaint was substantiated: “Veterans’ sensitive personal information was mishandled and left unprotected on shared network drives, where it was accessible to VA network users.”
Veterans PII and PHI were stored on two shared network drives that were also accessible to VSO officers who did not represent those veterans, according to the report.
“During the visit, the complainant demonstrated how to access the VA network and data remotely using an authorized remote access program,” the report authors wrote. “After completing the login process, the complainant was automatically connected to VA shared network drives, and the OIG team noted that folders on two of the shared drives contained unprotected sensitive personal information.”
“The files the OIG team observed contained medical records, correspondence about medical examinations and disability claims decisions, and veterans’ statements in support of their claims,” they added. “The files contained a variety of sensitive veteran information including names, addresses, dates of birth, and phone numbers.”
The files dated as far back as 2016 and were available to any network user with permission to access the drives, whether or not they had a business need to do so.
OIG also observed VSO officers connecting to the VA network both locally and remotely, but those who connected locally did not have access to either of the shared network drives with the sensitive data mentioned in the complaint. However, those VSO officers who connected remotely could access those drives.
“The reason for this difference is that VBA assigns network drives distinctly for local and remote users,” the report authors explained. “IT operations personnel explained to the OIG team that the shared network drives were VBA resources and these drives were automatically connected to a remote user when the user logged onto VA’s network.”
“An IT operations’ official further explained that users could access the shared network drives without using the remote access program if they knew how to manually access the drives,” they added. “The OIG team confirmed manual accessibility to the shared network drives while connected to the local network and identified files with veterans’ sensitive information.”
OIG found that the mishandling occurred because users, whether deliberately or inadvertently, stored the personal data on shared network drives. VA also lacked technical safeguards to prevent inappropriate storage, along with adequate oversight to ensure compliance with VA rules of behavior.
“Without better protection of sensitive personal information, veterans and VA are at risk,” the report authors wrote. “Unauthorized access to sensitive personal information can lead to improper disclosures of veterans’ and other parties’ information and can cause undue hardship for those involved.”
“If a breach occurs, VA is responsible for notifying the involved individuals and offering credit protection services,” they continued. “The [agency] ultimately determined that the presence of PHI or PII on the shared network drives did not meet the criteria for a data breach and therefore did not require notifications. However, without improvements, VA continues to be at risk of future disclosure or misuse.”
The complainant had first raised the issue internally; that complaint was closed after IT decommissioned the servers in question. A new complaint about the two shared drives was closed on March 11, 2019 after “declaring that all PII and PHI located on the shared drives had been removed and only one shared folder remained open for users as it was necessary to maintain working conditions.”
“The OIG team determined that mishandling veterans’ sensitive personal information was a national issue because security concerns were not limited to the Milwaukee VARO,” the report authors wrote. “Specifically, senior OIT representatives said any VBA user with permission to access VA’s network remotely would have had access to the shared drives hosting veterans’ sensitive personal information.”
“IT operations personnel stated that approximately 25,000 remote access users could have accessed the shared network drives,” they added.
OIG concluded that VA lacked adequate oversight to detect whether users violated the rules of behavior, because VA had no procedures in place for reviewing shared network drives for stored sensitive data.
What’s more, VBA does not have a policy requiring facility privacy officers and others to conduct privacy self-assessments or reviews that could have identified the information observed by OIG. While VHA noted that they periodically conduct privacy and records management reviews, OIG found “VA had not implemented self-assessments for its privacy and records management programs outside of VHA.”
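The kind of review the report says was missing can be partly automated. The following is an added example, not code from the OIG report or VA: it walks a mapped share and flags text files whose contents look like the fields the OIG team observed (dates of birth, phone numbers), with the sample share, file names and patterns constructed here as assumptions.

```python
import os
import re
import tempfile
from pathlib import Path

# Constructed patterns for the field types named in the report; a real review
# would tune these (and add medical-record markers) to the office's file formats.
PII_PATTERNS = {
    "date_of_birth": re.compile(
        r"\b(?:DOB|Date of Birth)\s*[:\-]?\s*\d{1,2}/\d{1,2}/\d{4}\b", re.I),
    "phone_number": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "ssn_like": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}
TEXT_SUFFIXES = {".txt", ".csv", ".log", ".rtf"}  # assumption: file types treated as text


def scan_file(path) -> dict:
    """Return {pattern_name: hit_count} for one file; unreadable files return {}."""
    try:
        text = Path(path).read_text(errors="ignore")
    except OSError:
        return {}
    hits = {name: len(rx.findall(text)) for name, rx in PII_PATTERNS.items()}
    return {name: n for name, n in hits.items() if n}


def scan_share(root: str) -> list:
    """Walk a mapped share; return [(relative_path, hits)] for files needing review."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() in TEXT_SUFFIXES:
                hits = scan_file(p)
                if hits:
                    findings.append((str(p.relative_to(root)), hits))
    return sorted(findings)


def build_sample_share() -> str:
    """Constructed sample share: one claim statement with PII and one harmless file."""
    root = tempfile.mkdtemp(prefix="share_review_")
    (Path(root) / "claims").mkdir()
    (Path(root) / "claims" / "statement.txt").write_text(
        "Veteran statement in support of claim\nDOB: 03/14/1952\nPhone: 414-555-0123\n")
    (Path(root) / "readme.txt").write_text("Shared folder for blank office forms.\n")
    return root


if __name__ == "__main__":
    for rel, hits in scan_share(build_sample_share()):
        print(f"REVIEW {rel}: {hits}")  # prints the claims/statement.txt finding only
```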
The VA chief information officer approved a memorandum that would establish this process on a yearly basis on April 5, 2019.
OIG made three recommendations to address these privacy concerns. First, the assistant secretary for information and technology and the undersecretary for benefits should provide users with training on the safe handling and storage of sensitive personal information on network drives.
Next, the assistant secretary for information and technology should establish technical controls that will ensure users can’t store sensitive personal information on shared network drives. Lastly, the assistant secretary for information and technology should implement improved oversight procedures, such as specific facility-level procedures, to ensure sensitive data is not stored on shared network drives.
The assistant secretary for information and technology concurred with all three recommendations, while the undersecretary for benefits concurred with just the first recommendation. Those officials said they worked with VBA and the Office of Information Technology (OIT) to develop a quick reference guide for the use of shared network drives.
VBA and OIT will also provide further guidance and training at the local level as needed, according to the report. The OIT IT Operations and Services, Infrastructure Operations applied a permission change to those public drives, rendering them read-only for VBA Citrix Access Gateway users.
According to the report, OIT also provided documentation that the action was applied to all shared drives. In addition, VA plans to explore the option of a central solution to help the agency detect whether users have violated policy by storing personal data on shared drives, to support current oversight procedures. OIG considers the first and third recommendations open.
“Until VA officials take steps to guard against user negligence, implement technical controls that prevent users from storing sensitive personal information on shared network drives, and issue oversight procedures to adequately monitor shared network drives, veterans’ sensitive personal information remains at risk,” the report authors wrote.
In a comment to HealthITSecurity.com, a VA spokesperson said, “VA has since taken a number of actions to strengthen safeguards regarding Veterans’ personal information, including removing all such information from shared drives and restricting permissions that prevent the storage of sensitive personal information.”