VA put millions of people, including doctors, at risk of identity theft, agency audit finds

The Department of Veterans Affairs (VA) put millions of people, including medical professionals, at risk of identity theft by disclosing their Social Security numbers in copies of veterans' benefits claims, an agency audit found.

When responding to veterans' requests for copies of their medical benefits claims, the VA failed to redact personally identifiable information of other service members and doctors treating the veteran, according to a report from the VA Office of Inspector General (OIG). That information included names and Social Security numbers.

The failure to delete other people's personal information on those records goes back to a policy put in place in May 2016, the OIG report said.

"The May 2016 policy change did not require third parties to be notified when their information was released, meaning individuals at risk of identity theft might not be aware of that risk," the VA OIG report said.

The Inspector General reviewed a random sample of 30 out of about 65,600 Privacy Act requests that the Veterans Benefits Administration’s (VBA's) Records Management Center, a sub-agency of the VA, completed from April 1, 2018, through September 30, 2018.

That review found 1,027 unrelated third-party names and Social Security numbers in records the VBA purposely included in requesters’ claims files.

In one example, VA staff sent a disk to a veteran who requested his records, and the disk contained the names and Social Security numbers of 197 other individuals, including medical professionals, in the veteran’s medical records.

Before May 2016, VBA's policy required staff to limit disclosure to information that pertained only to the requester, and staff were required to redact third-party information. To do this, staff conducted a page-by-page review of requested records and used software to block out the third-party information, according to the audit.

Three years ago, the VBA changed its policy to stop redacting that information because the process was slowing down the department's ability to respond to records requests. In less than two years, the VBA's backlog of records requests grew from 10,000 to 70,000 with the average response time almost doubling to 150 days. That also resulted in a growing number of appeals and litigation.

The requirement to redact third-party information was a major factor in the delays, the department told the Office of General Counsel. The department also wanted to improve veterans' electronic access to their records, and the release policy needed to change because it was not feasible to review and redact millions of records, the report said.

VA’s legal counsel decided there was legal support for the policy change, although it noted there were some "inherent risks" and even said potential harm from misuse of such information "could be substantial," the report said.

VA and VBA officials with roles specifically related to privacy also expressed serious concerns that the policy change was "inappropriate" and did not protect third-party personally identifiable information, but department leadership went ahead with the policy change.

Since the policy change in May 2016, the VA has responded to about 379,000 records requests. Based on the volume of third-party personally identifiable information found in the sample of responses the OIG reviewed, the VA could have already released millions of third parties’ names and Social Security numbers, according to the audit.

The VA also did not encrypt or password protect the disks that were mailed to the requesters, creating a risk of identity theft if those disks were lost, sent to the wrong recipient or stolen, the report said.

The department did not consider the disclosures to be data breaches, because they were allowed under the VA's records release policy.

The VA has since revised its policy, in effect Oct. 1, to again require that personal information on third parties be redacted.

“VA is committed to providing Veterans prompt access to their claim records increasing transparency and improving customer service,” VA Secretary Robert Wilkie said in a statement about the recent policy change. “It’s imperative that we protect files containing sensitive and personal information.”

Under this new process, VA does not anticipate delays in forwarding copies of claims files to veterans or their designated representatives, the department said.