Department of Veterans Affairs officials have racked up more than 10,000 privacy breaches since 2011, making the VA the nation's most prolific violator of laws protecting patients' personal medical information.
However, the government agency tasked with punishing providers who break the law, called the Health Insurance Portability and Accountability Act, took no disciplinary action against the VA, according to a review by ProPublica.
Breaches ranged from employees accidentally mailing a veteran the wrong medical records to employees intentionally spying on patients' records.
For example, one VA employee was found to have improperly accessed a veteran's medical records 61 times without a "business related reason," a HIPAA violation report filed to the Department of Health and Human Services in March 2013 showed.
The unnamed employee then posted information from the patient's file on Facebook and "discussed it with her friends," the report said.
But even after the breach was reported to the VA, the employee kept her job and was subjected only to a two-week suspension.
Another HHS report, this one from Feb. 2012, showed a VA employee looked over her ex-husband's medical records 260 times without permission.
The violations date back even further, and have even affected agency employees themselves. In fact, some VA officials have used their access to medical records of employees who are also veterans and VA patients as a way to retaliate against whistleblowers.
A review by the Pittsburgh Tribune-Review in 2013 found thousands of HIPAA violations had occurred at 167 VA facilities across the country between 2010 and May of that year, including breaches that compromised the medical files of 551 VA employees.
One VA scheduler at the Pittsburgh hospital said she quit her job after HHS and the VA refused to investigate the source of her coworkers' gossip about her mental health conditions, which was clearly the result of someone at the VA reading her medical records.
What's more, the review found at least 15 instances in which VA employees had posted pictures of patients or details of their medical conditions on social media. That included a 2011 incident in which a patient assistant posted to Facebook a picture of "an ailing veteran's exposed buttocks."
The VA found its patient privacy standards in hot water last year after a top official at the Phoenix VA hospital sent an email to staff members describing the medical history of a veteran who had committed suicide.
The veterans' suicide had been featured in a political ad for a congresswoman promising VA reform. In the controversial and widely distributed email, a VA official offered to "fill in some of the gaps" from the ad by sharing what he had learned from "[s]everal reviews of the veteran's records."
Despite years of patient privacy breaches, the Office of Civil Rights, an arm of HHS that enforces HIPAA, has largely ignored the VA's problem.
"The VA has never been called out publicly by the Office for Civil Rights or sanctioned for its string of violations," the ProPublica review found.
A spokesman for the VA did not return a request for comment.
Rep. Jeff Miller, chairman of the House Veterans Affairs Committee, said the patient privacy lapses will continue until the VA gets serious about punishing employees who access or share the medical information of veterans.
"For years, VA officials have been saying they take privacy violations and data loss 'very seriously,' yet in many cases those responsible for intentionally and wrongfully committing these acts face no serious discipline," Miller told the Washington Examiner.
"After listening to VA leaders speak, it's no wonder why the organization has lost so much trust with the veterans it is charged with serving," the Florida Republican said. "VA officials say they don't tolerate whistleblower retaliation, but the facts prove that they do. VA officials say they are committed to accountability, but time and again the behavior of corrupt and incompetent employees goes virtually unpunished."
John Cooper, spokesman for Concerned Veterans for America, said the VA should fire "ethically challenged employees" who intentionally access veterans' personal records.
"Every time a story like this breaks, the VA rushes in to assure everyone they take veterans' privacy seriously. Unfortunately, that's about all the VA does — issue a statement and go right back to business as usual," Cooper said.
"These privacy concerns have been an issue time and again, and yet we keep learning of new violations of veterans' trust by the supposed professionals tasked with caring for them," he added.