'Disturbing': VA-recommended apps could access private veteran data, Congress says

Abbie Bennett
February 12, 2020 - 11:01 am

VA-recommended smartphone apps could access veteran data, including phone cameras, microphones, photos, locations, contacts, calendars, files and more. 

Members of Congress called the potential access or collection of such data by the Department of Veterans Affairs or third parties "disturbing" during a House Veterans Affairs Committee hearing on data privacy at VA. Lawmakers also were not satisfied with answers from VA officials about how the agency is monitoring the apps with access to that data, or how it holds third parties accountable. 

"I look at a risk-benefit ratio," ranking member Rep. Phil Roe, R-Tenn., said. "Is this information shared, is it accessible, is it sold?"


Many of the apps are health-related, including for mental health concerns such as PTSD and anger management. VA has increasingly promoted apps to help veterans with a variety of issues and to connect them with VA services. Some apps are operated by third parties, some are owned by VA.

The VA-recommended "PTSD Coach" app, for example, can request access to a user's camera, contacts, microphone and files stored on a user's phone. Those permissions often are used to integrate features, such as emergency contacts, in the "Get Support" section of the app. 

The user agreements that come with apps are often hundreds, if not thousands of words long, and lawmakers said they worried that veterans' trust in VA's recommendation could put them at risk if they approve those agreements and give the apps permission to potentially access their data.  

"Can we expect anyone to realistically read these and understand their terms?" Rep. Susie Lee, D-Nev., said. "We cannot assume data is safe and secure." 

Once a veteran taps “agree” on a user privacy or permissions agreement in an app, federal HIPAA protections for private health data do not always apply, meaning third parties could use and share private data without regard for those restrictions.

VA officials said many other apps found on most smartphones request the same access. VA Deputy Assistant Secretary and Chief Information Security Officer Paul Cunningham told lawmakers that VA does not "police" the networks of third parties, but that if a breach were discovered "we would take swift action" to investigate. Otherwise, VA can only monitor what it outlines in its third-party contracts. 

"It seems to me that when VA provides an app or promotes an app, device or other technology, we expect VA to assess the value or benefit of that technology and determine if that benefit outweighs data security and the privacy," Lee said.

In VA's privacy policy for its mobile apps, VA says: 

"When you use a VA mobile app, no data that could be used to identify you is sent to VA or third parties. Any information that you enter into the app, such as names, phone numbers, addresses, images, or music, cannot be accessed, stored, or shared by VA."

Not all apps that request access to certain data or features of a phone necessarily collect, store or transmit that data -- and not all are capable of doing so. Some offer options to integrate data or features, such as photos, calendars and contacts, to fully use the app. When a user grants permission for the app to access potentially sensitive data, such as contacts or photos, that does not necessarily mean that information has been compromised.
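The distinction drawn above, that a requested permission is not the same as data being collected or sent anywhere, is something a reviewer can check directly against an app's declared permissions. The following script is an added example, not code from the article, from VA or from any of the apps it names: it parses an Android `AndroidManifest.xml` (the sample manifest below is constructed for illustration) and groups the declared permissions by the data categories the hearing listed, while also reporting whether the app declares network access at all, since an Android app without `android.permission.INTERNET` cannot open network connections itself. The category map and the function names are this example's own choices.

```python
import xml.etree.ElementTree as ET

# Namespace used for android:* attributes in every AndroidManifest.xml.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Runtime ("dangerous") permissions grouped by the data categories named in the
# hearing: camera, microphone, photos/files, location, contacts, calendar.
# The grouping is this example's own; the permission names are real Android ones.
SENSITIVE = {
    "camera": {"android.permission.CAMERA"},
    "microphone": {"android.permission.RECORD_AUDIO"},
    "photos/files": {
        "android.permission.READ_EXTERNAL_STORAGE",
        "android.permission.WRITE_EXTERNAL_STORAGE",
        "android.permission.READ_MEDIA_IMAGES",
    },
    "location": {
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACCESS_COARSE_LOCATION",
    },
    "contacts": {
        "android.permission.READ_CONTACTS",
        "android.permission.WRITE_CONTACTS",
    },
    "calendar": {
        "android.permission.READ_CALENDAR",
        "android.permission.WRITE_CALENDAR",
    },
}

# Constructed sample manifest for a hypothetical self-help app; not a real app's manifest.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.hypothetical.coachapp">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.CAMERA" />
    <uses-permission android:name="android.permission.RECORD_AUDIO" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <uses-permission-sdk-23 android:name="android.permission.READ_EXTERNAL_STORAGE" />
    <application android:label="Coach (constructed sample)" />
</manifest>
"""


def declared_permissions(manifest_xml: str) -> list[str]:
    """Return every permission the manifest declares, in document order.

    Both <uses-permission> and <uses-permission-sdk-23> elements count; the
    latter is only requested on Android 6.0+ but is still a declared request.
    """
    root = ET.fromstring(manifest_xml)
    names = []
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(f"{{{ANDROID_NS}}}name")
            if name:
                names.append(name)
    return names


def sensitive_permissions(manifest_xml: str) -> dict[str, list[str]]:
    """Map each sensitive data category to the declared permissions that touch it.

    Categories with no matching permission are omitted. A match means the app
    CAN ask the user for that access; it says nothing about whether the app
    actually reads, stores or transmits the data.
    """
    declared = set(declared_permissions(manifest_xml))
    return {
        category: sorted(declared & perms)
        for category, perms in SENSITIVE.items()
        if declared & perms
    }


def declares_network_access(manifest_xml: str) -> bool:
    """True if the app can open its own network connections.

    Without INTERNET the app cannot send data off the device directly, though it
    could still hand data to another app via an intent, so this is a necessary
    condition for direct exfiltration, not proof that none happens.
    """
    return "android.permission.INTERNET" in declared_permissions(manifest_xml)


if __name__ == "__main__":
    for category, perms in sensitive_permissions(SAMPLE_MANIFEST).items():
        print(f"{category:13s} {', '.join(perms)}")
    print("declares network access:", declares_network_access(SAMPLE_MANIFEST))
```

Run against a real manifest (extracted with a tool such as `aapt` or `apktool`), the output is a starting point for the risk-benefit question raised at the hearing: which categories of data the app can ask for, and whether it is even in a position to send them anywhere. Confirming what is actually collected still requires reading the privacy terms and observing the app's network traffic.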

Several of the app agreements do include a clause that users cannot hold VA accountable for any data loss.

The PTSD Coach app, when downloaded, includes in its mandatory privacy agreement that "in no event will VA be liable for any damages, including those for loss of data" and "you agree to waive any and all claims against the U.S. Government, VA, its contractors, their subcontractors ... for any damage you may incur from your use of the (app)."

(Image: VA apps. Credit: House Veterans Affairs Committee.)

Blacklisted tech

Rep. Jim Banks, R-Ind., said VA recently responded to his request to find out whether VA had purchased technology from blacklisted Chinese companies.

VA told Banks that it had, but there are few details on what exactly was purchased.

"VA's answer gives me no confidence," he said. "I don't believe anyone in the department actually knows what's going on."

In December, Congress held a hearing specifically about foreign influences targeting veterans, including their private data. 

VA already has faced multiple breaches of veterans' private data, and as the largest healthcare provider in the United States, could be a significant target in the future, Banks said. In 2006, a stolen VA laptop led to the breach of more than 26 million veterans' and service members' data. 

Cunningham said VA is committed to protecting veteran data. 

"VA understands that accessibility and sharing must not come at the expense of safety, security, and confidentiality. Additionally, emerging challenges in technology call for increased attention to data protection and privacy," he said.

Cunningham's written testimony mentioned that "should data ever be improperly accessed" VA would shut down that access and investigate. If it was found to be human error or improper behavior, "VA will take corrective actions, which could range from remedial training to revoking access," but did not say whether the persons responsible would be dismissed.

Reach Abbie Bennett: abbie@connectingvets.com or @AbbieRBennett.