A new Office of Inspector General (OIG) report for the Department of Veterans Affairs (VA) found that veterans’ sensitive personal information was accessible on a shared network by veterans service organization (VSO) officers who didn’t represent the veterans.
On two shared network drives, OIG found that the personal information was left unprotected and that the information was accessible by VSO officers “regardless of their business need.”
OIG identified three reasons for the mishandling of the information:
- Users were knowingly or inadvertently negligent while using the shared networks despite VA security policy prohibiting such activity;
- Technical controls were not in place to prevent negligent users from storing veterans’ personal information on the shared networks; and
- A lack of oversight by Office of Information Technology and Veterans Benefits Administration personnel led to the failure to discover and remove the sensitive information on the shared networks.
“Veterans are at significant risk of unauthorized disclosure and misuse of their sensitive personal information,” the report said. “This has the potential to expose veterans to fraud and identity theft.”
To address this, OIG made recommendations including providing remedial training on safely handling and storing veterans’ sensitive personal information on the networks and establishing technical controls to ensure veterans’ sensitive information can’t be stored on shared network drives. OIG also recommended implementing “oversight procedures, including facility-specific procedures, to ensure veterans’ sensitive personal information is not being stored on shared network drives.”
The assistant secretary for information and technology and the undersecretary for benefits concurred with all three recommendations and provided corrective action plans.