VA largely silent on measures to protect veterans' data. Here's who can access your records.

Abbie Bennett
October 18, 2019 - 2:52 pm
VeteranRecords

Photo by Senior Airman Kasey Zickmund

In the wake of massive data breaches across the U.S., and a Department of Veterans Affairs announcement of new plans to share veteran healthcare records digitally with its private provider network, the VA has been largely silent on measures it’s taking to protect veterans’ sensitive information.

VA’s announcement and longtime goal of creating digital health records that automatically follow veterans from doctor to doctor -- whether a VA doctor, contractor or private “community care” VA network provider -- has some veterans concerned about who might have access to their most private data, particularly in light of past VA and Defense Department data breaches. Previously, veterans had to provide written permission to VA before the department could share their records. 

Both VA and the Defense Department have been sued in the last month over veteran data security.

VA says it treats as many as nine million veterans each year in what has become the largest healthcare system in the United States. The department handles millions of sensitive health records, and with the launch of the MISSION Act on June 6, it expanded its community care network of private providers and telehealth opportunities -- which could mean more data sharing than ever. 

Some veterans, including those who brought a lawsuit in September over the plans for automatic records sharing, say requiring veterans to opt-out of having their sensitive data shared, and automatically sharing them in any way, could violate their Constitutional rights to privacy and put them at risk. The lawsuit coincided with VA delaying the start of the new policy until Jan. 1, 2020.

And it's not only VA security that veterans are concerned about. 

Another lawsuit earlier this month brought by Vietnam Veterans of America against the Defense Department challenged DoD’s “leaking of personal information belonging to active duty and veterans.” 

The lawsuit, which reached a settlement agreement Oct. 3, alleged that DoD was “leaking” the data of service members and veterans “to identity thieves and companies who sell data for unauthorized commercial purposes.” 

“The government has a duty to veterans and service members to safeguard their privacy and to ensure that it is not leaving sensitive information unsecured,” said Jonathan Manes, an attorney who represented VVA in the suit. 

 

Who has access?

A VA spokesperson told Connecting Vets that VA’s health information sharing is similar to non-VA healthcare policies -- “only those with a need for the veterans’ health records and legally authorized to have the records are provided them.” 

Those people include but are not necessarily limited to:

  • The veteran;
  • The veteran’s VA and community care healthcare providers;
  • VA employees with a “need to know” for treatment, payment and healthcare operation purposes, such as nurses, doctors, claims staff and others.

Part of the massive healthcare records sharing includes the eHealth Exchange, an initiative of an entity known as the “Sequoia Project,” a third-party group of companies and organizations advocating for and working on large health information exchange networks.

Some veterans are concerned that means third parties could potentially access their records, or that lack of security could risk data breaches or mining. 

When asked if any third-parties involved in facilitating the health records exchange could access any veteran data or health records, VA responded simply: “No.” 

VA has a system to track access to a veteran’s health record if that record is flagged as sensitive, officials said. But there is not a system for logging access if the record is not labeled “sensitive.” 

VA policy requires users of its information system who access personal information as part of their official duties to avoid unauthorized sharing of that data and prohibits other users from accessing that information without permission, but if the record is not labeled "sensitive," VA's system does not track their access. 

The VA's Privacy Notice specifically mentions that VA may use or disclose veterans' health information without permission to law enforcement, credit reporting agencies; other federal departments such as Defense, National Security, the FDA or Centers for Disease Control; judicial officials; correctional facilities; Congress; VA academic partners; state drug monitoring programs.

Unless veterans opt-out of the VA's medical center patient directory when you are admitted to a VA hospital or clinic, VA can also release: your general condition, religious affiliation and the location where you're receiving care to people who ask about you by name. 

 

VA data breaches

In the past 10 years, VA has had five major data breaches in which more than 5,000 veterans’ data has been compromised, according to documents obtained by Connecting Vets through Freedom of Information Act Requests. The breaches have largely worsened over time, though they remain a smaller percentage of the millions of records VA possesses. The largest happened last year, affecting nearly 20,000 veterans. 

  • 19,254 veterans in October 2018
  • 7,029 in November 2014
  • 7,405 in February 2013
  • 5,126 in June 2011
  • 5,933 in April 2011

The first breach in 2011 and the 2018 breach both directly involved protected health information (PHI). The second breach in 2011 involved financial information and VA was required to offer credit monitoring to thousands of veterans.

VA did not provide information on specifically how veterans were affected by the data breaches or what steps the department took to address the issue, saying only that “the system does not collect that information" and declining to comment further.

A VA Inspector General report released Oct. 17 found that “veterans’ sensitive personal information was left unprotected” on two shared network drives accessible to veteran service organizations not connected to those veterans. 

Investigators “determined that mishandling this sensitive personal information was a national issue” in part because VA staff “failed to discover and remove any sensitive personal information stored on shared network drives.”

“Without better protection, veterans and VA are at risk,” the report said. “Veterans are at significant risk of unauthorized disclosure and misuse of their sensitive personal information. This has the potential to expose veterans to fraud and identity theft.”
VA could also be liable and “could also lose credibility with veterans who trust that their sensitive personal information is being appropriately secured.” 

 

Security

When asked what assurances VA can provide veterans that their data is secure, is not being shared, mined or otherwise accessed by anyone other than their healthcare providers or VA staff determining their claims, VA was brief: 

“VA health records are only accessed by or shared with individuals who have a need for the veterans’ health records and are legally authorized to have the records,” a spokesman said in a statement, without responding to requests for specifics measures in place to secure that information. “VA complies with all federal security requirements and continually monitors compliance with those regulations.”

VA's Notice of Privacy specifically says, "We will not sell your health information." 

Despite multiple requests, VA declined to make Secretary Robert Wilkie available for interviews or to provide a statement of any kind from the head of the VA about how the department is working to protect veterans’ private information. 

 

Get help

The Veterans Health Administration “Notice of Privacy Practices” outlines all uses and disclosures of veterans’ health records by VA. To read that notice, click here and then select “VA Privacy Practices” under the “Resources” section. That notice includes many situations in which VA says it is authorized to release veterans’ private health information to a variety of parties without the veteran’s permission. 

Veterans who are concerned their privacy rights have been violated can file complaints with:

Want to get more connected to the stories and resources Connecting Vets has to offer? Click here to sign up for our weekly newsletter.

Reach Abbie Bennett: abbie@connectingvets.com or @AbbieRBennett.