VA put millions of people at risk of identity theft, audit finds
By ERIC YODER | The Washington Post | Published: November 21, 2019
The Veterans Affairs Department, while responding to requests for records on veterans' benefits claims, "put millions of people at risk of identity theft" by not deleting personally identifying information on other people from those records, an audit has found.
That information included names and Social Security numbers of people such as other military personnel and doctors who had treated the veteran, said an inspector general report issued last week. The report said people whose names were in the records were not informed that their information had been released, "meaning individuals at risk of identity theft might not be aware of that risk."
Under a policy that started in May 2016, the Veterans Benefits Administration, a sub-agency of VA, stopped redacting personal information on other people from those files, which can be requested under the Privacy Act. The policy was repealed in September after the IG presented its findings to VA management ahead of issuing the report.
The requests can be made by an authorized representative as well as by the veteran and might be made, for example, to contest a denial of benefits or to provide medical records to doctors outside the VA system.
A main reason for the change to stop redacting the personal information, the report said, was that VA considered deleting that information to be "a major contributing factor to its massive backlog of Privacy Act requests."
That backlog had grown from about 10,000 to about 70,000 in less than two years, with the average response time nearly doubling to 150 days. The department also saw the policy change as a step toward improving electronic access by veterans to their records, the report said.
VA legal counsel's office had "determined there was legal support for disclosing unredacted records" although it warned of "some inherent risks" and "noted the potential harm from misuse of such information could be substantial," the report said. Officials involved with privacy policies also raised concerns, it said, but higher leaders ordered the change nonetheless.
The report said that over the following 36 months VA responded to about 379,000 requests. From a random sample of 30, auditors found that 18 included names and Social Security numbers of other people — more than 1,000 in total, with one file containing such information on 259 people and another on 197.
Most were in the requester's military service records, it said, including in military orders containing that information on other service members, as well as records on medical and dental care received while in the military.
Further, VA did not encrypt or protect with passwords the discs that were mailed to the requesters, creating a risk of identity theft if those discs were lost, sent to the wrong recipient or stolen, the report said. In five cases the records included personal information that had been misfiled, it said.
The department did not consider the disclosures to be a data breach because they were allowable under its policy, the report added.
VA has since revised its policy to again require that personal information on third parties be deleted.
"VA is committed to providing Veterans prompt access to their claim records, increasing transparency and improving customer service," VA Secretary Robert Wilkie said in the announcement. "It's imperative that we protect files containing sensitive and personal information."
"Under this new process, VA does not anticipate delays in forwarding copies of claims files to Veterans or their designated representatives," the announcement said.