“The VA Office of Inspector General (OIG) conducted this review in response to a hotline allegation that veterans’ sensitive personal information was stored on shared network drives on the VA Enterprise network and was likely accessible to other network users. The allegation was made by a veterans service organization (VSO) officer working with veterans served by the Milwaukee, Wisconsin, VA Regional Office (VARO). Accredited VSO officers have access to the network to assist veterans with filing VA disability claims through the Veterans Benefits Management System (VBMS), the web-based electronic claims-processing system of the Veterans Benefits Administration (VBA)…”
“The OIG team found that veterans’ sensitive personal information was left unprotected on two shared network drives, where it was accessible to VSO officers who did not represent those veterans. Senior Office of Information and Technology (OIT) representatives told the team that other authenticated network users with access to the shared drives also could have accessed that information regardless of their business need. The OIG determined that mishandling this sensitive personal information was a national issue because the problem was not limited to the Milwaukee VARO. Authorized users, regardless of their location, who remotely connected to VA’s network could have had access to the same shared network drives.”
“The mishandling of sensitive personal information occurred for three reasons. First, certain users were knowingly or inadvertently negligent in their use of shared network drives to store veterans’ sensitive data despite VA security policy prohibiting such activity. Second, no technical controls were in place to prevent negligent users from storing sensitive personal information on the shared network drives. Third, due to a lack of oversight, OIT and VBA personnel failed to discover and remove any sensitive personal information stored on shared network drives.”
“Without better protection, veterans and VA are at risk…” Read the full report here.
Source: Mishandling of Veterans’ Sensitive Personal Information on VA Shared Network Drives – October 17, 2019. VA OIG.
