The Department of Veterans Affairs illegally granted roughly 25,000 people access to veterans' personal information including social security numbers, addresses, and medical histories, according to a government watchdog.
The agency's inspector general found that numerous VA and agency-affiliated employees across the country had access to sensitive information stored on unprotected shared servers, even if they had no official reasons to be privy to such information. Those practices left veterans "at significant risk" of having their identities misused or stolen.
"Without better protection, veterans and VA are at risk," the inspector general report said. "Veterans are at significant risk of unauthorized disclosure and misuse of their sensitive personal information. This has the potential to expose veterans to fraud and identity theft."
The watchdog report, published last week, stemmed from a whistleblower complaint at VA offices in Milwaukee originally filed in September 2018. The investigation found that both VA employees and members of veterans service organizations had unauthorized access to private data. Veterans service organizations are authorized by the VA to help veterans acclimate to a civilian lifestyle and navigate the VA bureaucracy.
The inspector general concluded that the problem was a "national issue" because anyone in the country with the appropriate credentials could access the private information. It remains unclear whether veterans living outside of the Milwaukee area were also affected.
The watchdog said that the data exposure happened because users of the VA database were "negligent, knowingly or inadvertently using shared network drives to store veterans' sensitive personal information despite VA security policy that prohibits such activity."
The report also said that the lack of adequate safeguards and oversight contributed to the unauthorized disclosure. There was no technical failsafe to prevent users from putting private data on public servers, and the VA lacked a rigorous internal audit process to discover illegal disclosures on its servers.
The inspector general concluded that the data exposure violated federal and agency policies governing the privacy of personal information.
"Veterans should have confidence that their sensitive personal information is handled strictly in accordance with federal laws and VA regulations," the report said.
The VA has failed to protect veterans' personal data in the past. In 2006 a department employee downloaded the data of 26 million veterans. The data, which included names, birth dates, and social security numbers, were kept on a laptop subsequently stolen from the employee's home by a burglar, triggering a congressional inquiry.
The VA ultimately agreed to settle a class-action lawsuit with veterans, paying out $20 million, which translated to payments of $75 to $1,500 for any veterans who could prove they were negatively affected by the data breach.
The VA is not the only federal agency under fire for its handling of the personal information of veterans. In October, the Department of Defense agreed to lock down a website that provided easy access to the service history of veterans.
The DoD provided the website so financial institutions could verify veterans' military status, but a veterans' advocacy group sued the government for violating the privacy of veterans. Users of the DoD website are now required to submit their personal information and acknowledge that it is a crime to misuse the data obtained from the site, according to a court filing.
A spokesperson for the VA told the Washington Free Beacon "We appreciate the inspector general's oversight, which in this case uncovered no evidence that any Veteran's information was accessed inappropriately. VA has since taken a number of actions to strengthen safeguards regarding Veterans' personal information, including removing all such information from shared drives and restricting permissions that prevent the storage of sensitive personal information."
This story has been updated to include comment from a VA spokesperson.