The Department of Veterans Affairs' Office of Inspector General found in its latest report that veterans' sensitive personal information was stored unprotected on two servers, which OIG staff say might expose vets to fraud and identity theft.
In a report released Thursday, OIG staff investigated a veterans service organization officer's complaint that medical records linked to veterans' names, Social Security numbers or date and place of birth were accessible remotely by anyone authorized to access the drives in Milwaukee, Wisconsin -- a violation of VA security policy.
"The files the OIG team observed contained medical records, correspondence about medical examinations and disability claims decisions, and veterans' statements in support of their claims," staff said in the report. "These files dated back as far as 2016 and were available to any network users with permission to access the drives, regardless of their business need to do so."
The OIG labeled the problem a "national issue" because it found that it stretched beyond the Milwaukee VA regional office.
"Any VBA [Veterans Benefits Administration] user with permission to access VA's network remotely would have had access to the shared drives hosting veterans' sensitive personal information," the report said. "IT operations personnel stated that approximately 25,000 remote access users could have accessed the shared network drives."
Those users include veterans service organization officers who are representatives for veterans making claims for VA benefits. They belong to organizations such as the American Legion, Disabled American Veterans, The Military Order of the Purple Heart, Paralyzed Veterans of America and Veterans of Foreign Wars.
The OIG determined the issue occurred for three reasons: Certain users were "knowingly or inadvertently negligent" when storing veterans' sensitive data on shared network drives despite VA security policy prohibiting it; there were no technical controls to keep such users from storing that information on those drives; and due to a lack of oversight, the Office of Information and Technology and VBA personnel did not discover or remove any sensitive personal information from those drives.
"Veterans should have confidence that their sensitive personal information is handled strictly in accordance with federal laws and VA regulations," the OIG report said, adding that unsecured personal information could result in avoidable expenses for the VA.
The OIG recommended providing remedial training to users on safely handling and storing sensitive personal information on network drives and establishing technical controls and oversight procedures that keep users from storing such information on shared network drives.
The assistant secretary for information and technology agreed with the recommendations.
Meanwhile, the VA's Data Breach Response Service determined the issue did not qualify as a "data breach," so the VA does not have to notify the affected individuals that their information was compromised or offer them credit protection services.
-- Dorothy Mills-Gregg can be reached at Dorothy.Mills-Gregg@Monster.com.