An internal investigation found the Department of Veterans Affairs' data security is so poor a data breach is "practically unavoidable" within 18 months, according to a draft of the VA's report.
"It's practically unavoidable that a data breach to financial, medical, and personal Veteran and employee protected information may occur within the next 12 to 18 months, with no way of tracking the source of the breach," according to a report obtained by Military.com and first reported by CNBC.
The VA's Office of Information & Technology Risk Management Team completed the assessment in July and found the department was "non-compliant with its own privacy and security policies and with federal laws and regulations," the draft report stated.
"The VA cannot ensure the safety and privacy of Veteran and employee healthcare, benefits, and financial information," a heavily redacted version of the report stated.
However, the VA claimed the report may not be completely accurate. VA officials said the assessment did not take into account all of the security factors the VA already has in place for its systems and network.
The VA emphasized the report was only an initial draft. VA leaders have since taken steps to validate the concerns in the report or put in place additional protections, an official said. The VA did not specify why the VA's Information & Technology Risk Management Team would not be aware of the full range of the VA's data security system.
"VA takes seriously its obligation to properly safeguard any personal information within our possession. VA has in place a strong, multi-layered defense to combat evolving cybersecurity threats," said Genevieve Billia, a VA spokeswoman.
The VA holds personal records for about 20 million veterans, employees and dependents.
In January, the VA sustained a "software defect" on its eBenefits website and released personal details for more than 5,000 people. Two years earlier, the VA mistakenly released data to the website Ancestry.com.
Despite the VA's claims that the problem is not as grave as the draft report suggested, members of the House Committee on Veterans' Affairs are concerned. Rep. Jackie Walorski, R-Ind., said these sorts of risks are why the committee asked the VA to offer credit monitoring services to veterans and dependents in the VA database.
"It's incumbent upon VA to clarify what specific portions of this report were inaccurate and what changes have been made since the report has been finalized," Walorski said. "Is a data breach to veterans' financial, medical and personal information 'practically unavoidable' as the report states? If not, how likely is it? VA owes it to America's veterans and American taxpayers to answer these questions in short order."
The VA's Information and Technology Risk Management Team found the VA's system did not comply with the Health Insurance Portability and Accountability Act's Security Rule, the Federal Information Security Management Act, and the Fiscal Integrity Act."The result will be a significant possibility that inappropriate record access may cause unintended exposure of Veteran employee protected information resulting in litigation, Congressional scrutiny, fines and settlements," the report stated.
VA leaders emphasized the department has put in place an "aggressive program to identify and address risks."
The VA has designed a system to properly forecast and assess risks to veterans' data, an official said. "VA is committed to protecting Veteran information, continuing its efforts to strengthen information security, and putting in place the technology and processes to ensure Veteran data at VA are secure," Billia said.
-- Michael Hoffman can be reached at firstname.lastname@example.org.