A regional office of the Veterans Affairs Department mishandled personal information belonging to veterans, putting it at risk of unauthorized disclosure and further misuse, a government watchdog warns.

According to the Department of Veterans Affairs' Office of Inspector General, the Milwaukee, Wisconsin office kept veterans' data unprotected on two shared network drives where it was accessible to any VSO officer, regardless of what office they worked out of, as long as they were connected to the VA's network.

The OIG began looking into the regional office following an allegation made by a veteran’s service organization office in 2018.

While the incident wasn't technically classified as a data breach by the VA's Data Breach Response Service, nor did it result in fraud, the VA's failure to secure sensitive personal information put individuals at unnecessary risk.

According to an OIG report, released last Thursday (.PDF) approximately 25,000 remote access users could have accessed the shared network drives.

“The inadequate protection of sensitive personal information places veterans’ data at risk and could undermine the credibility of VBA [The Veterans Benefits Administration] and VSOs [veterans service organizations] in positions of trust. Veterans should have confidence that their sensitive personal information is handled strictly in accordance with federal laws and VA regulations.”

While a VA whistleblower noted the issue in September 2018, the conditions that exposed the data appear to have existed since the drives were set up, as early as 2016.

According to the OIG, files containing everything from medical records, details about medical exams, disability claims decision, in addition to information like names, addresses, dates of birth, and phone numbers, were exposed.

The issues were three-fold, the OIG notes, going on to outline how user negligence, lack of technical controls, and inadequate oversight, all contributed to the data exposure.

Despite being trained otherwise, some users stored data on the drives knowing it was frowned upon, going against VA security policy. There also weren't any controls in place to prohibit users from storing personal data in the first place, a condition that runs contrary to a rule the VA has in place (VA Directive 6502) around ensuring the confidentiality of PII on systems.

The OIG found another culprit was the fact that no process exists to review VA network drives for sensitive personal information, namely the unauthorized use and storage of PHI or PII. While the VA conducts periodic privacy and records management reviews, there's no current policy that directs "facility privacy officers and ISSOs [information system security officers] to conduct privacy self-assessments or reviews that might have identified the information the OIG team observed."

In addition to providing remedial training around the safe handling and storage of personal data, the OIG is encouraging the VA to improve its oversight procedures and establish technical controls so users can't store the type of data it previously did on shared drives.

While improving existing policies and training initiatives sound like they'll certainly boost awareness around handling sensitive data, the VA would be well served to look into a better way to gain visibility of all of its data, in order to better identify it, audit it, and control who accesses it.