Breach Prevention: VA Has Work to Do
Tackling the Challenge of Protecting the Privacy of Veterans
The Department of Veterans Affairs is the largest provider of healthcare in the U.S., with nearly 8.8 million patients treated at more than 1,700 sites annually. That care is provided and supported by 225,000 employees, making the VA's healthcare workforce the nation's largest.
The VA's vast size means there are many opportunities for privacy breaches to occur.
The department has understandably been under much greater scrutiny in the wake of a 2006 incident involving the theft of an employee's unencrypted laptop containing information on more than 26 million veterans and 2.2 million active military service personnel. The VA now provides monthly and quarterly updates to Congress on breach incidents.
At a June Congressional hearing, some lawmakers questioned whether the VA has been withholding from its breach reports multiple incidents since 2010 that include hackers from other nations, including China and perhaps Russia, repeatedly breaching VA computers.
Since September 2009, VA facilities have reported about 14 major breaches (defined as affecting 500 or more individuals) to the Department of Health and Human Services. Those incidents affected a combined total of more than 30,000 individuals, according to the HHS' "wall of shame" breach tally website.
And last week, a Pittsburgh news media outlet, The Tribune-Review, published a detailed analysis of all VA breaches from 2010 to May 31, 2013. It tallied more than 14,000 privacy violations of various sizes at 167 facilities affecting more than 101,000 veterans and 500 VA employees.
That's a lot of breaches affecting a lot of individuals. And that's not good.
The Tribune-Review also reports that in some of the worst cases, photos of the anatomy of some victims were posted on social media and stolen IDs were used for fraudulent credit cards.
But the VA breach tally also reflects many small, unintentional breaches, many of which affected one or two patients per incident.
Since the giant 2006 breach, the VA has been making progress in better protecting patients' electronic information, including its mission to encrypt all mobile computing devices. That effort, however, is imperfect. The Tribune-Review says that since 2010, more than 16,000 vets have been affected by breaches involving unencrypted lost or stolen computing gear.
Also, a March report by the VA's Office of Inspector General found that the VA has not implemented a configuration control to ensure encryption of sensitive data, including patient records, during transmission.
Nevertheless, the majority of privacy breaches that occur at the VA these days involve paper records, acting CIO Stephen Warren said during a recent monthly press briefing.
For individuals who have been affected by breaches at the VA, the experience can have lasting impact. Kelley Archer, an independent information security consultant, was one of the 2.2 million active service people whose personal health data was on the unencrypted laptop that was stolen from a VA employee back in 2006.
"It was never confirmed in any way that my ID was used [for fraud]. When I received a follow-up letter from the government it stated they confirmed that my ID had not been accessed," he told me in a recent interview. "The only problem is that there was no known method to prove that."
Archer is still spooked by the incident, and has been on a crusade to help others who might be at risk of medical ID fraud or other repercussions due to breaches, phishing or other schemes. "I provide briefings to local civic community [groups] in the Upper Midwest ... to make citizens aware of the scams."
When I asked the VA to comment on the recent news about its privacy breaches, the department sent a statement that read, in part: "The VA places the highest priority upon safeguarding the personal information of our veterans, while remaining committed to providing exceptional health care that veterans have earned and deserve. VA is using enhanced technology and improved processes to ensure the security and privacy of veteran data. VA senior leadership is focused on monitoring and ensuring that all VA employees receive training in information security policies, procedures and practices, and when mistakes are made, staff is carefully re-trained on the importance of protecting veteran information. ...
"The VA is transparent and open about its information security and privacy efforts both with Congress and the public. Veterans should feel confident that VA takes the necessary precautions to safeguard the data VA uses to deliver care and benefits they earned and remains committed to protecting veteran information."
The VA also told me that it's developing new "privacy professionalization" training that includes managers. That training will cover such issues as inappropriate access to records and outline specific penalties for non-compliance.
Should veterans, indeed, feel confident that the VA is taking adequate steps to protect their privacy? Although the VA has made progress in protecting veterans' health information since its big breach in 2006, it appears that it still has plenty of breach prevention work to do.