Private information for thousands of veterans, including their Social Security numbers, birth dates and health records, was transmitted unencrypted over an Internet-accessible network by the Department of Veterans Affairs, according to a government report released today.
The findings by the VA's Inspector General are the latest in a years-long series of mishaps involving how the department protects the personal information of veterans who use government medical facilities and other benefits.
They also come at a critical time for the agency's technology department, which is rolling out a new half-billion-dollar computer system that VA officials say will break the nagging backlog of more than one million disability claims filed by veterans seeking compensation for service-related medical conditions.
Transmitting the personal information without encryption made the veterans vulnerable to identity theft and the agency an easy target for malicious hackers, the IG found.
"Unencrypted sensitive VA data could be used to perpetrate various types of fraud, including tax fraud," the IG said. "Further, malicious users could obtain VA router information to identify and disrupt mission-critical systems essential to providing health care services to veterans."
The report focused on how medical information is shared between VA medical centers in 10 Midwestern states. It was a common practice throughout VA to send unencrypted personal information among outpatient clinics and other outside businesses using regional telecommunications carriers, according to the IG.
Those carriers also provide Internet service to other customers, making their system and veterans' records vulnerable to hackers.
Roger Baker, VA's assistant secretary for Information and Technology, disagreed with the IG's characterization that the unsecured data was being transmitted over the Internet.
The companies that the VA contracts with for telecommunications services keep the agency's network isolated from its other customers, Baker said.
However, Baker said the recommendations from the IG to better protect private information through encryption and training have already been implemented.
Failing to protect veterans' private information has proved costly for VA in the past.
The 2006 theft of a VA employee's personal laptop, which contained personal information on about 26 million veterans and military personnel, led to a class action lawsuit that was settled for $20 million.
The total cost of dealing with the breach, including notifying affected veterans, was estimated at almost $50 million.
Another laptop with confidential information about VA patients was stolen in 2010.
Now, VA is banking on Baker's department to deliver the Veterans' Benefits Management System (VBMS) to all 57 regional offices that process disability and pension claims in hopes it will enable the agency to process those cases more quickly.
It takes an average of nine months for an initial rating decision on a disability claim, which determines whether a veteran is entitled to compensation for service-related injuries or medical conditions. In many VA regional offices, it takes more than a year.
VBMS will allow claims processors to electronically access documents that now fill paper files. Agency estimates put the tab of VBMS at $537 million, plus about $350 million more for outside vendors to electronically scan documents.
Baker announced last month that he plans to resign. Neither Baker nor a VA spokesperson returned calls seeking comment.
Joseph Violante, legislative director for Disabled American Veterans, said he doubts Baker's departure will have a significant effect on the implementation of VBMS.
"VA is so far down the road on this that losing Roger Baker is not going to adversely impact this," Violante said. "Hopefully they can get any of the flaws that are still in the program worked out."
Mark Flatten is a member of The Washington Examiner Watchdog investigative reporting team. He can be reached at firstname.lastname@example.org.