VA put millions of people, including doctors, at risk of identity theft, agency audit findsDecember 1, 2019
The Department of Veterans Affairs (VA) put millions of people, including medical professionals, at risk of identity theft by disclosing their Social Security numbers in copies of veterans’ benefits claims, an agency audit found.
When responding to veterans’ requests for copies of their medical benefits claims, the VA failed to redact personally identifiable information of other service members and doctors treating the veteran, according to a report from the VA Office of Inspector General (OIG). That information included names and Social Security numbers.
The failure to delete other people’s personal information on those records goes back to a policy put in place in May 2016, the OIG report said.
“The May 2016 policy change did not require third parties to be notified when their information was released, meaning individuals at risk of identity theft might not be aware of that risk,” the VA OIG report said.
The Inspector General reviewed a random sample of 30 out of about 65,600 Privacy Act requests that the Veterans Benefits Administration’s (VBA’s) Records Management Center, a sub-agency of the VA, completed from April 1, 2018, through September 30, 2018.
That review found 1,027 unrelated third-party names and Social Security numbers in records the VBA purposely included in requesters’ claims files.
RELATED: Dental practice pays $10K to settle complaint it disclosed patient information on Yelp
In one example, VA staff sent a disk to a veteran who requested his records, and the disk contained the names and Social Security numbers of 197 other individuals, including medical professionals, in the veteran’s medical records.
Before May 2016, VBA’s policy required staff to limit disclosure to information that pertained only to the requester, and staff were required to redact third-party information. To do this, staff conducted a page-by-page review of requested records and used software to block out the third-party information, according to the audit.
Three years ago, the VBA changed its policy to stop redacting that information because the process was slowing down the department’s ability to respond to records requests. In less than two years, the VBA’s backlog of records requests grew from 10,000 to 70,000 with the average response time almost doubling to 150 days. That also resulted in a growing number of appeals and litigation.
The requirement to redact third-party information was a major factor in the delays, the department told the Office of General Counsel….